
Keep Up with CORL: Vendor Breach Digest, 9/13/21

CORL continuously monitors cybersecurity events and alerts customers about organizations in their supply chain that have been breached. As part of our tech-enabled managed services for vendor risk management, we also follow up with vendors and track remediation and response activities following breach events.

Our Vendor Breach Digest is issued every two weeks and provides a summary roll-up of major breach events for third-party vendors operating within the healthcare supply chain.

A misconfiguration in Microsoft Power Apps portals, disclosed by researchers at UpGuard, left roughly 38 million records exposed. Portals that had the OData feed enabled without table permissions served the contents of their underlying tables to anonymous web requests. The exposure spanned more than 1,000 web apps and covered private information including COVID-19 contact tracing records, vaccination registrations and statuses, employee databases with details such as home addresses and phone numbers, and even Social Security numbers.

Read more about the Microsoft Power Apps breach
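As an added example (not part of the original digest, and not Microsoft's or UpGuard's tooling), the Python below checks whether a Power Apps portal answers OData requests from an unauthenticated client, which is the condition behind the exposures above. It assumes the standard portal endpoint layout (service document at `/_odata`, one collection per exposed table at `/_odata/<EntitySet>`); the portal host name and the HTTP responses are constructed so the check runs offline, and `fetch_anonymous` is what you would pass in for a real portal you are authorized to test.

```python
"""Added check: does a Power Apps portal serve its OData feed anonymously?
Assumed endpoint layout: <portal>/_odata (service document) and
<portal>/_odata/<EntitySet> (one collection per exposed table).
The portal host and responses below are constructed test data."""
import json
import urllib.error
import urllib.request


def fetch_anonymous(url, timeout=10):
    """Unauthenticated GET. Returns (HTTP status, body text); (None, "") on network error."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return None, ""


def list_entity_sets(service_doc_text):
    """Entity-set URLs from an OData v4 service document: {"value": [{"name": .., "url": ..}]}."""
    try:
        doc = json.loads(service_doc_text)
    except ValueError:
        return []
    if not isinstance(doc, dict):
        return []
    return [e["url"] for e in doc.get("value", []) if isinstance(e, dict) and "url" in e]


def assess_odata_exposure(base_url, fetch=fetch_anonymous, sample=5):
    """Map each anonymously readable entity set to the number of rows seen in a
    small sample. An empty dict means no anonymous OData exposure was found
    (no service document, or every collection refused the request)."""
    svc_url = base_url.rstrip("/") + "/_odata"
    status, body = fetch(svc_url)
    exposed = {}
    if status != 200:
        return exposed
    for entity_set in list_entity_sets(body):
        status, body = fetch(f"{svc_url}/{entity_set}?$top={sample}")
        if status != 200:
            continue
        try:
            payload = json.loads(body)
        except ValueError:
            continue
        rows = payload.get("value", []) if isinstance(payload, dict) else []
        exposed[entity_set] = len(rows)
    return exposed


# Constructed responses standing in for a portal whose "contacts" table is
# readable without a session while "cases" is protected by table permissions.
_CONSTRUCTED = {
    "https://portal.example/_odata": (200, json.dumps({"value": [
        {"name": "contacts", "url": "contacts"},
        {"name": "cases", "url": "cases"},
    ]})),
    "https://portal.example/_odata/contacts?$top=5": (200, json.dumps({"value": [
        {"fullname": "A. Example", "emailaddress1": "a@example.invalid"},
        {"fullname": "B. Example", "emailaddress1": "b@example.invalid"},
    ]})),
    "https://portal.example/_odata/cases?$top=5": (403, ""),
}


def fake_fetch(url, timeout=10):
    """Offline stand-in for fetch_anonymous using the constructed responses."""
    return _CONSTRUCTED.get(url, (404, ""))


def demo():
    """Run the check against the constructed portal above."""
    return assess_odata_exposure("https://portal.example", fetch=fake_fetch)


if __name__ == "__main__":
    print(demo())  # {'contacts': 2}
```

Run it only against portals you own or are authorized to assess. A non-empty result means those tables are readable without a session; the remediation is to enable table permissions for the portal's tables (or to disable the OData feed entirely if nothing depends on it) and then re-run the check until it returns an empty result.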

 

Fujitsu had 4 GB of data stolen and listed on the data-leak marketplace "Marketo". Fujitsu states that the information appears to relate to customers rather than to its own systems. Samples of the data included confidential customer information, company data, budget data, reports, and other company documents including information on projects. Marketo is not a ransomware group, but it operates in a similar fashion: it obtains stolen company data and threatens to release it unless a ransom is paid.

Read more about the Fujitsu breach

 

Nova Biomedical suffered a hacking/IT incident involving its network server that affected approximately 3,774 individuals. Details are limited, though Nova has reported the breach to the Department of Health and Human Services per federal breach notification requirements.

Read more about the Nova Biomedical breach

 

The State of Maryland Board of Podiatry was another victim of the Microsoft Power Apps misconfiguration that exposed a total of 38 million records containing personally identifiable information (PII). The information included employee information as well as data related to COVID-19 vaccinations, contact tracing, and testing appointments.

Read more about the State of Maryland Board of Podiatry breach

 

Sandhills Center, a North Carolina managed care organization for mental health services, had its data posted on the data-leak marketplace "Marketo" by an unauthorized individual or group. The 643 GB data dump has not yet been fully investigated; after further examination, and pressure from an outside source holding proof of the exposure, Sandhills Center confirmed that four individuals' protected health information was potentially exposed. The source that pressured Sandhills into reporting believes the number of affected individuals is closer to 1,000.

Read more about the Sandhills Center breach

 

The State of Indiana was another victim of the Microsoft Power Apps misconfiguration that exposed a total of 38 million records containing personally identifiable information (PII). The information included employee information as well as data related to COVID-19 vaccinations, contact tracing, and testing appointments.

Read more about the State of Indiana breach

 

Nashua Regional Cancer Center suffered a hacking/IT incident involving its network server that affected approximately 520 individuals. Details are limited, though the organization has reported the breach to the Department of Health and Human Services per federal breach notification requirements.

Read more about the Nashua Regional Cancer Center breach

 

DuPage Medical Group suffered a cyber-attack that caused a week-long computer and phone outage. DuPage has notified approximately 600,000 patients that their data may have been compromised.

Read more about the DuPage Medical Group breach

 

Metro Infectious Disease Consultants suffered a hacking/IT incident involving its email accounts that affected approximately 171,740 individuals. Details are limited, though the organization has reported the breach to the Department of Health and Human Services per federal breach notification requirements.

Read more about the Metro Infectious Disease Consultants breach

 

North Country Healthcare suffered a hacking/IT incident involving its network server that affected an estimated 3,550 individuals. Details are limited, though the organization has reported the breach to the Department of Health and Human Services per federal breach notification requirements.

Read more about the North Country Healthcare breach

 

JPMorgan Chase has disclosed a bug in its online banking website and app that accidentally exposed some customers' banking information to other customers. Personal details of Chase customers, including statements, transaction lists, names, and account numbers, were potentially visible to other Chase account holders. Many healthcare entities conduct their corporate banking through Chase.

Read more about the JPMorgan Chase breach

 

T-Mobile is actively investigating a data breach after a threat actor claimed to have hacked T-Mobile's servers and stolen databases containing the personal data of approximately 100 million customers. The stolen data allegedly includes customers' IMSI and IMEI numbers, phone numbers, names, security PINs, Social Security numbers, driver's license numbers, and dates of birth.

Read more about the T-Mobile breach

 


CORL’s Managed Services & Next Generation Exchange of Vendor Risk Data

In order to combat these growing supply chain risks, CORL has developed a proprietary data clearinghouse that provides access to assessment results of over 80,000 vendor assessments CORL has conducted. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

CORL’s tech-enabled managed services and next generation exchange of vendor risk data allows healthcare entities to:

  • Prioritize vendors for assessment and remediation
  • Make informed supply chain risk decisions
  • Scale vendor risk programs
  • Report on vendor risk across the entire vendor portfolio
  • Drive and track remediation
  • Validate controls and gain assurance
  • Track KPI, KRI, and SLA metrics on program performance
  • Identify trends in vendor types to anticipate breaches
  • Save time, money, and resources
  • Accelerate assessment turnaround times

Contact our team here at CORL to learn more about our managed services and next generation exchange for healthcare vendor risk data that gets results with regulatory compliance and lowers supply chain risks.
