Keep Up with CORL: Vendor Breach Digest, 10/13/21

CORL Vendor Breach Digest

CORL continuously monitors cybersecurity events and alerts customers about organizations in their supply chain that have been breached. As part of our tech-enabled managed services for vendor risk management, we also follow up with vendors and track remediation and response activities following breach events.

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain.

The Epilepsy Foundation of Texas discovered fraudulent emails being sent from an employee email account and determined that the account had been compromised in a phishing attack. The types of personal information that may have been accessible to an unauthorized actor include first and last name, date of birth, driver’s license number, medical information, health insurance information, financial account number, social security number, biometric data, payment card number, and username and password.

Read more about the Epilepsy Foundation of Texas breach

CVS Pharmacy was a victim of theft of paper/films that affected approximately 826 individuals. The organization has reported the breach to the Department of Health and Human Services per federal breach notification requirements, though further details are limited. This breach follows the massive CVS breach in June of this year that exposed over 1 billion records due to a cloud database configuration error (no password was enabled for the public-facing database).

Read more about the CVS Pharmacy breach

Aetna suffered a hacking/IT incident involving its email systems that affected approximately 1,011 individuals. Details are limited, and the breach was reported to the Department of Health and Human Services.

Read more about the Aetna breach

Humana was the victim of an unauthorized access/disclosure breach involving paper/films that affected approximately 948 individuals. Details are limited, and the breach was reported to the Department of Health and Human Services.

Read more about the Humana breach

QuickBooks customers are being targeted by an ongoing phishing campaign that impersonates the company and tries to lure potential victims with fake renewal charges. Posing as QuickBooks support staff, the attackers ask victims to install remote access software such as TeamViewer or AnyDesk.

Read more about the QuickBooks breach

Zenith American Solutions, a Taft-Hartley third-party health plan administrator, was the victim of an unauthorized access/disclosure breach involving paper/films that affected 1,907 individuals. Details are limited, and the breach was reported to the Department of Health and Human Services.

Read more about the Zenith American Solutions breach

OneDigital was the victim of a hacking/IT incident involving a network server that affected approximately 895 individuals. Details are limited, and the breach was reported to the Department of Health and Human Services.

Read more about the OneDigital breach

OSF Healthcare experienced a computer systems outage that sent the health system into downtime procedures and protocols for two days. The outage was the result of a data security incident. After investigating, the health system discovered that an unauthorized party had gained access to its systems. Patient information exposed by the incident included names, birthdates, Social Security numbers, treatment details, prescription details, and health insurance details. One or more CORL clients list OSF Healthcare as a business associate vendor for their organization.

Read more about the OSF Healthcare breach

Facebook had the personal information of 1.5 billion of its users breached by hackers on Monday, after a data dump containing that information was advertised for sale on a hacking forum, potentially enabling cybercriminals and spam mailers to target Facebook users worldwide. It is unclear whether the privacy breach is related to the outage that Facebook and its related applications are currently experiencing. This breach follows another Facebook breach earlier this summer that impacted over 3.8 billion records.

Read more about the Facebook breach

Springhill Medical Center experienced a ransomware attack that disabled the medical center’s computers for nearly eight days, leaving patient health records inaccessible. A wireless tracker used to locate medical staff was out of order, and because so many electronic systems were down, fetal tracing information was inaccessible. A subsequent lawsuit alleges that a baby’s death resulted from this outage. One or more CORL clients list Springhill Medical Center as a business associate vendor for their organization.

Read more about the Springhill Medical Center breach

The Georgia Department of Human Resources experienced a hacking/IT incident through a network server that affected approximately 500 individuals. Details are limited, and the breach was reported to the Department of Health and Human Services.

Read more about the Georgia Department of Human Resources breach

The State of Alaska Department of Health & Social Services was the victim of a hacking/IT incident involving desktop computers, laptops, and network servers that affected approximately 500,000 individuals. Details are limited, and the breach was reported to the Department of Health and Human Services.

Read more about the State of Alaska Department of Health & Social Services breach

Navistar was the victim of a hacking/IT incident involving its network servers that affected approximately 49,000 individuals. Details are limited, and the breach was reported to the Department of Health and Human Services.

Read more about the Navistar breach

Griffith Energy Services was the victim of a hacking/IT incident involving its network servers that affected approximately 500 individuals. Details are limited, and the breach was reported to the Department of Health and Human Services. One or more CORL clients list Griffith Energy Services as a business associate vendor for their organization.

Read more about the Griffith Energy Services breach

Advocate Lutheran General Hospital reported last week that a laptop containing sensitive patient information was stolen. The thief still has not been apprehended, and the hospital states that no personal information has been accessed or used so far. One or more CORL clients list Advocate Lutheran General Hospital as a business associate vendor for their organization.

Read more about the Advocate Lutheran General Hospital breach

Coos County Family Services suffered a ransomware attack that caused an IT outage and forced some of its clinics to shut down. The attack affected all of its systems, including phone, computer, and email. One or more CORL clients list Coos County Family Services as a business associate vendor for their organization.

Read more about the Coos County Family Services breach

The Council on Aging (COA) of Southwestern Ohio experienced a security incident in which an employee’s email account was targeted and accessed by an unknown outside entity. The accessed file contained data that may have included clients’ names, birth dates, addresses, Medicaid numbers, diagnosis information, treatment notes, and related referral or intake forms. COA’s investigation found no indication or evidence that any personal information or PHI had been accessed, obtained, misused, or otherwise compromised.

Read more about the Council on Aging (COA) of Southwestern Ohio breach

Cox confirmed that it was hit by a ransomware attack that took down live TV and radio broadcast streams. The company acknowledged the attack in data breach notification letters sent today via U.S. Mail to over 800 impacted individuals believed to have had their personal information exposed in the attack.

Read more about the Cox breach

CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to assessment results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next generation exchange of vendor risk data allows healthcare entities to:

  • Prioritize vendors for assessment and remediation
  • Make informed supply chain risk decisions
  • Scale vendor risk programs
  • Report on vendor risk across the entire vendor portfolio
  • Drive and track remediation
  • Validate controls and gain assurance
  • Track KPI, KRI, and SLA metrics on program performance
  • Identify trends in vendor types to anticipate breaches
  • Save time, money, and resources
  • Accelerate assessment turnaround times

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.
