Keep Up with CORL: Vendor Breach Digest, 12/9/21

CORL Vendor Breach Digest

CORL continuously monitors cybersecurity events and alerts customers about organizations in their supply chain that have been breached. As part of our tech-enabled managed services for vendor risk management, we also follow up with vendors and track remediation and response activities following breach events.

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain.

DNA Diagnostics

DNA Diagnostic Center has reported to regulators that personal information of more than 2.1 million individuals, including 225 Maine residents, was accessed and acquired from a legacy database in a hacking incident. According to the company, the compromised information may have included Social Security numbers and payment information.

Read more about the DNA Diagnostic Center breach

 

Ace Surgical Supply

Ace Surgical Supply has discovered that its IT environment was accessed by an unauthorized individual who may have viewed or obtained the protected health information of 12,122 individuals. The investigation confirmed that the affected systems contained personal information along with financial account numbers, debit/credit card information, and information that could potentially allow accounts to be accessed. Ace Surgical Supply said affected individuals have been offered credit monitoring and identity theft protection services for 24 months at no cost.

Read more about the Ace Surgical Supply breach

 

Maxim Healthcare Services

Maxim Healthcare Services became aware of unusual activity related to several employees’ email accounts. Investigation revealed that unauthorized access had occurred. The types of personal information that may have been accessible to an unauthorized actor include name, address, date of birth, contact information, medical history, medical condition or treatment information, medical record number, diagnosis code, patient account number, Medicare/Medicaid number, and username/password. For a limited number of individuals, Social Security number may also have been accessible.

Read more about the Maxim Healthcare Services breach

 

Panasonic

Panasonic has disclosed a major security breach after an unidentified threat actor gained access to its internal network. The attackers obtained sensitive information, including customer details, employee personal information, and Panasonic technical files from the company’s domestic operations. The intruder(s) had access to the company’s server for more than four months before the company discovered the activity through abnormal network traffic.

Read more about the Panasonic breach

 

Planned Parenthood

Planned Parenthood suffered a ransomware attack in which the personal information of 400,000 patients was stolen. A threat actor gained access to the Los Angeles affiliate's network and installed ransomware and other malware. The stolen information included insurance numbers and health data; there was no indication that any of it had been misused by the attackers.

Read more about the Planned Parenthood breach

 

Boulder Neurosurgical and Spine Associates

Boulder Neurosurgical and Spine Associates in Colorado detected a breach of an employee email account on September 21, 2021. The email account was immediately secured, and third-party cybersecurity experts were engaged to assist with the investigation. The breach has been reported to the HHS’ Office for Civil Rights as affecting 21,450 individuals.

Read more about the Boulder Neurosurgical and Spine Associates breach

 

Medsurant

Medsurant recently received an email from a threat actor stating that its data had been accessed and exfiltrated. 45,000 patients were impacted by the breach. Patient notifications have not yet been sent because Medsurant is still determining which individuals need to be notified.

Read more about the Medsurant breach

 

Region IV Area Agency on Aging

Region IV Area Agency on Aging in Michigan (AAA4) discovered on or around September 30, 2021, that an unauthorized individual had gained access to an employee’s email account after the employee responded to a phishing email. The apparent goal of the attack was to divert the employee’s paychecks.

Read more about the Region IV Area Agency on Aging breach

 

Bureau Veritas

Bureau Veritas, a provider of testing, inspection and certification services, has reported a cyberattack on its systems. As a preventive measure, the company took all of its servers and data offline for a temporary period. Having initiated its incident response procedure, the Bureau Veritas teams, backed by third-party IT experts, are currently focused on restoring business continuity and on reducing disruption for clients, employees, and partners.

Read more about the Bureau Veritas breach

 

Mowery Clinic

Mowery Clinic is notifying patients about a cyberattack. Action was immediately taken to secure its systems and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to conduct a forensic investigation. The investigation confirmed that the attacker had not accessed the electronic health record system, but that malware had been deployed which allowed the attacker to access and acquire documents containing employee and patient information. No evidence has been found of any actual or attempted misuse of patient data. The types of information potentially obtained include names, addresses, dates of birth, medical information such as office/diagnostic notes, and a limited number of Social Security numbers. In some cases, information about an employee’s spouse, dependents, beneficiaries, or minor children may have been compromised.

Read more about the Mowery Clinic breach

 

Saltzer Medical Group

Saltzer Medical Group suffered a hacking/IT incident involving email that affected 15,650 individuals. Details are limited; the breach was reported to the Department of Health and Human Services.

Read more about the Saltzer Medical Group breach

 

Blue Shield of California

Blue Shield of California suffered a hacking/IT incident involving a network server that affected approximately 1,520 individuals. Details are limited; the breach was reported to the Department of Health and Human Services.

Read more about the Blue Shield of California breach

 

Maryland Department of Health

Maryland Department of Health recently suffered a cyberattack that caused it to take its website offline. The department’s online resources remain largely unavailable.

Read more about the Maryland Department of Health breach

 

Supernus Pharmaceuticals

Supernus Pharmaceuticals believes a ransomware group encrypted certain files on the company’s systems, deployed malware to impede access to systems, and thereafter threatened to publish certain data copied from the organization’s systems. Upon detection of the ransomware, the company notified government authorities, engaged cybersecurity experts and its outside law firm, and commenced its recovery process. The organization successfully recovered the impacted files and has taken additional steps designed to further protect its networks and files.

Read more about the Supernus Pharmaceuticals breach

 

Episcopal Retirement Services

Episcopal Retirement Services (ERS) recently suffered a cyberattack that impacted its systems and servers, as well as a ransomware incident. The incident(s) resulted in the exposure and potential acquisition of protected health information (PHI). While the types of PHI vary by individual, they may include first and last names, addresses, gender, Social Security numbers, phone numbers, and dates of birth. The information potentially impacted may also have included medical diagnoses, health care provider name, insurance numbers, and Medicare number. ERS plans to notify 4,133 patients, but since the investigation is ongoing, the number may change.

Read more about the Episcopal Retirement Services breach

 

Continental American Insurance

Continental American Insurance suffered an unauthorized access/disclosure incident involving paper/films that affected 623 individuals. Details are limited; the breach was reported to the Department of Health and Human Services.

Read more about the Continental American Insurance breach

 

Anthem

Anthem suffered a theft of a portable electronic device and paper/films that affected approximately 5,505 individuals. Details are limited; the breach was reported to the Department of Health and Human Services.

Read more about the Anthem breach

 

Nationwide Laboratory Services

Nationwide Laboratory Services suffered a hacking/IT incident involving a network server that affected approximately 33,437 individuals. Details are limited; the breach was reported to the Department of Health and Human Services.

Read more about the Nationwide Laboratory Services breach

 

Anthem Blue Cross of California

Anthem Blue Cross of California suffered a hacking/IT incident involving a network server that affected approximately 672 individuals. Details are limited; the breach was reported to the Department of Health and Human Services.

Read more about the Anthem Blue Cross of California breach

 


CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

To combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to the results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next generation exchange of vendor risk data allows healthcare entities to:

  • Prioritize vendors for assessment and remediation
  • Make informed supply chain risk decisions
  • Scale vendor risk programs
  • Report on vendor risk across the entire vendor portfolio
  • Drive and track remediation
  • Validate controls and gain assurance
  • Track KPI, KRI, and SLA metrics on program performance
  • Identify trends in vendor types to anticipate breaches
  • Save time, money, and resources
  • Accelerate assessment turnaround times

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data, which delivers results on regulatory compliance and lowers supply chain risk.
