BLOG

Keep Up with CORL: Vendor Breach Digest, 3/15/22

CORL Vendor Breach Digest

CORL continuously monitors cybersecurity events and alerts customers about organizations in their supply chain that have been breached. As part of our tech-enabled managed services for vendor risk management, we also follow up with vendors and track remediation and response activities following breach events.

Our Vendor Breach Digest provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain.

Morley Companies, a Saignaw, MI-based provider of business services, has recently announced it was the victim of a cyberattack that started on August 1, 2021, that prevented access to data in its information systems. The breach affected approximately 521,046 individuals. The forensic investigation confirmed the following types of information were potentially accessed and/or stolen in the cyberattack: names, addresses, Social Security numbers, birthdates, client identification numbers, medical diagnostic and treatment information, and health insurance information.

Read more about the Morley Companies breach

 

Hackers gained access to South Denver Cardiology Associates systems from January 2, 2022, to January 5, 2022 and accessed information for approximately 287,652 individuals. A comprehensive review of those files confirmed they contained patient names along with one or more of the following types of information: dates of birth, Social Security numbers, drivers’ license numbers, patient account numbers, health insurance information, and clinical information such as physician names, dates and types of service, and diagnoses.

Read more about the South Denver Cardiology Associates breach

 

Securitas suffered a data breach which exposed 1.5 million files. One of the company’s Amazon S3 buckets (cloud) was left open, exposing employee PII and sensitive company data. The databases contained the information of Securitas employees and airport employees, photos of ID cards and other unmarked images, including full names, pictures of employees, occupations, and national ID numbers.

Read more about the Securitas  breach

 

Priority Health experienced a data security incident where an unauthorized individual gained access to several Priority Health Member Portal accounts. Information that could have been accessed includes individuals’ names, dates of birth, addresses, phone numbers, email addresses, insurance information, claims information and limited medical information.

Read more about the Priority Health breach

 

Medical Healthcare Solutions, Inc. (“MHS”) is a medical billing and practice management company based out of Andover, Massachusetts. The organization suffered a hacking/IT incident to their network server that affected approximately 133,997 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Medical Healthcare Solutions breach

 

PracticeMax handles billing, satisfaction research and IT support to hospitals, physicians, practice groups and others in the healthcare industry. PracticeMax experienced a security incident resulting in an unauthorized party gaining access to their sensitive information affecting approximately 165,698 individuals. Information includes names, addresses, Social Security numbers, dates of birth, treatment and diagnosis information, health insurance information, financial information, patient account numbers, employer and employee identification numbers, passport numbers, driver’s license numbers, state identification numbers, prescription information, and provider or employee login information.

Read more about the PracticeMax breach

 

Charlotte Radiology experienced a data breach in which patient information was stolen, including a very limited number social security numbers. The documents included such patient information as their name, address, date of birth, health insurance information, medical record number, patient account number, physician name, date(s) of service, diagnosis and/or treatment information related to radiology services.

Read more about the Charlotte Radiology breach

 

RR Donnelley (RRD) has confirmed that threat actors stole data in a cyberattack. While RRD initially said they were not aware of any client data stolen during the attack, the Conti ransomware gang claimed responsibility and began leaking 2.5GB of data allegedly stolen from RRD. Conti soon removed the data from public view after RRD began further negotiations to prevent the release of data.

Read more about the RR Donnelley breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 87,552 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the US Radiology Specialists breach

 

Pekin Insurance experienced an unauthorized party accessing the personal information of certain customers, with the theft of an insurance agent’s login credentials. While the compromised information may vary per person, it may include their name, address, driver’s license number and date of birth. The breach affected approximately 10,872 individuals.

Read more about the Pekin Insurance breach

 

The International Committee of the Red Cross's contactor suffered the theft of personal data for more than 515,000 people in 'Restoring Family Links,' a program that helps reunite families separated by war, disaster, and migration.

Read more about the International Committee of the Red Cross breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 2,429 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the DataHEALTH breach

 

American Osteopathic Association suffered a data breach affecting approximately 27,000 individuals. The data included their full names, Social Security numbers and financial account information.

Read more about the American Osteopathic Association breach

 

Vantage Holding Company suffered a hacking/IT incident to their network server that affected approximately 1,762 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Vantage Holding Company breach

 

Crossroads Health, a mental health and behavioral health services organization, suffered a hacking/IT incident to their network server that affected approximately 10,324 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Crossroads Health breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 4,270 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the UMass Memorial Health breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 864 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the LGAA, LLC breach

 

AON identified a cyber incident impacting a limited number of systems. The company does not expect the incident to have a material impact on its business, operations, or financial condition.

Read more about the AON breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 14,970 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Alliance Physical Therapy Group breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 5,746 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Liberty of Oklahoma Corporation breach

 

Oklahoma's Department of Human Services experienced an unauthorized access to their emails in which thousands of individuals’ information might have been stolen or compromised. Information included name, address, date of birth and age, phone number, social security number, Oklahoma Client number which could be a Medicaid ID number, as well as the representing person’s name, address, and phone number.

Read more about the Oklahoma's Department of Human Services breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 2,406 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Medical Review Institute of America breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 1,659 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Caring Communities breach

 

The organization suffered a hacking/IT incident to their network server that affected approximately 1,125 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Practolytic breach

 

Axis Communications' network cameras, access control systems, and surveillance network appliances suffered a cyberattack, forcing them to shut down all systems to limit the impact.

Read more about the Axis Communications breach

 

Oklahoma Healthcare Authority (OHCA) suffered an unauthorized access/disclosure to their network server affecting approximately 6,413 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the OHCA breach

 

Advent Health Partners, Inc. suffered a hacking/IT incident to their emails that affected 1,383 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Advent Health Partners breach

 

Expeditors International suffered a cyberattack causing the company to temporarily shut down operating systems globally.

Read more about the Expeditors International breach

 

Aetna suffered a hacking/IT incident to their network server that affected approximately 893 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the Aetna breach

 

CVS Pharmacy experienced a hacking/IT incident to their network server that affect approximately 6,221 individuals. Details are limited and the breach was reporting to the Department of Health and Human Services.

Read more about the CVS Pharmacy breach

 

Nespresso experienced a data leak through a third-party supplier. Information leaked may have included names, phone numbers, and email addresses.

Read more about the Nespresso breach

 

T-Mobile suffered a data breach that affected approximately 335,000 individuals.

Read more about the T-Mobile breach

 

The State Bar of California experienced a data breach that exposed confidential records. A public website that accumulates nationwide court case records was able to access and display limited case profile data on about 260,000 nonpublic state bar attorney discipline case records, as well as about 60,000 public court case records.

Read more about the State Bar of California breach

 


CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to assessment results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next generation exchange of vendor risk data allows healthcare entities to:

  • Prioritize vendors for assessment and remediation
  • Make informed supply chain risk decisions
  • Scale vendor risk programs
  • Report on vendor risk across the entire vendor portfolio
  • Drive and track remediation
  • Validate controls and gain assurance
  • Track KPI, KRI, and SLA metrics on program performance
  • Identify trends in vendor types to anticipate breaches
  • Save time, money, and resources
  • Accelerate assessment turnaround times

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.

Most Recent Posts
Keep Up with CORL: Vendor Breach Digest, 5/9/22 Read More
Mitigating Fourth-Party Cyber Risks in Healthcare Read More
Russia/Ukraine Cyberwar: Healthcare Vendor Risks & Response Read More