
2 Vendor Hacking Incidents Affect Over 600,000 Individuals

Breaches Include 2021 Ransomware Attack, 2020 Wire Transfer Fraud Incident

Two recent hacking breaches affecting hundreds of thousands of individuals - one reported by a firm that provides services to health plans and the other by a government contractor - serve as the latest reminders of security and privacy risks involving vendors that handle sensitive personal information.


The breaches involve a 2021 ransomware incident affecting more than 521,000 individuals that was reported to federal and state regulators on Feb. 1 by Michigan-based Morley Companies.

The other is a hacking incident reported on Feb. 11 but detected in late 2020, affecting more than 94,000 individuals and involving the discovery of "multiple" fraudulent wire transfers. That incident was reported by Comprehensive Health Services LLC, a subsidiary of Virginia-based Acuity Inc., a provider of professional services, including medical, engineering and consulting, to the U.S. government and to commercial clients in the national defense, healthcare and homeland security markets.

Morley Breach

As of Thursday, the Morley incident was the second-largest breach posted in 2022 to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.

Morley, in a sample breach notification provided to the Maine attorney general's office, said the incident involved "a ransomware-type malware" that had prevented access to some data files on its system beginning Aug. 1, 2021. An investigation found that the incident also involved unauthorized access to some files containing personal information, the notification says.

Morley says that upon discovery of the incident, it "worked diligently" to prevent further access and identify affected individuals.

"Special programming was required and unique processes had to be built in order to begin analyzing the data," the company says. "The data complexity also required special processes to search for and identify key information." Morley describes the process as "lengthy," saying that on Jan. 18 the company confirmed whose information was involved.

Personal and protected health information potentially affected in the incident includes name; address; Social Security number; date of birth; client identification number; medical, diagnostic and treatment information; and health insurance information.

Morley says it is not aware of any misuse of personal information due to the incident.

Morley did not immediately respond to Information Security Media Group's request for additional details about the incident, including the type of malware involved and whether the company paid a ransom.

CHS Incident

CHS, in a report submitted to the Maine attorney general's office on Tuesday, describes its breach as an external hacking incident that may have included unauthorized access to personal information such as names and Social Security numbers.

The company says that on Sept. 30, 2020, it detected unusual activity within its digital environment following discovery of multiple fraudulent wire transfers.

Upon discovering this activity, CHS says, it immediately engaged a team of cybersecurity experts to secure its digital environment and conduct a forensic investigation to determine the method of initial compromise and access, the scope of the incident, what systems were affected and whether any personal information may have been accessed or exfiltrated as a result of the incident.

CHS is a subsidiary of government contractor Acuity.

Following review and analysis of the incident, CHS determined on Nov. 3, 2021, that personal information of a limited number of individuals employed by one of its customers may have been accessed or acquired by a malicious actor. Affected information includes names, dates of birth and Social Security numbers.

CHS says it is taking steps to prevent a similar event from occurring in the future, including investing in enhanced security measures.

CHS did not immediately respond to an ISMG request for additional details about the incident.

Vendor Risk

Some experts say the incidents involving Morley and CHS highlight various concerning data security and privacy risks posed by vendors.

"Our healthcare ecosystem is complicated and is made up of both large and small service providers and vendors," says Cathie Brown, vice president of consulting services at Clearwater, a privacy and security consultancy.

"A major lesson we can learn from these particular breaches is that a strong vendor risk management program is a must-have for any organization with PHI and other sensitive information," she says.

"That means knowing who your vendors and service providers are, having a strong contract in place, assessing the potential risks based on the type of information or services in scope, addressing those risks with the third party, and reassessing on a periodic basis."

Organizations should never assume that a vendor or service provider has a strong security program, regardless of the size of the company, she says. "This is an important case of 'trust but verify.'"

Larger Trends

Michael Hamilton, CISO of security firm Critical Insight, says that both the CHS and Morley incidents are consistent with the findings of the company's recently released healthcare data breach report spotlighting 2021 trends.

"There has been an uptick in records theft from health plans and business associates, and a slight decrease from hospitals. That to me is the effect of rebranding ransomware as applied to hospitals as 'terrorism,'" he says.

Attackers are beginning to shift their targeting, "going down market, with newly restored focus on records theft. ... Once you've been hit with ransomware ... or a business email compromise ... you will very likely find that records have been disclosed, as well," he says.

According to Hamilton, "At some point, we're going to have to make the determination that all the records that can be stolen have been stolen." He says the large datasets compromised in some incidents - including the 2017 Equifax hacking breach that affected 147 million individuals - "have never been seen for sale."

"These are likely in the possession of China, and they are likely being mined for associations and networks for the purpose of espionage," he says.

Brown says she expects cybercriminals will continue to find different and damaging ways to use PHI and PII, and any notion of reaching a "saturation point" at which stolen data loses value is unlikely.

"As long as the data is valuable to consumers and organizations, the value for cybercriminals will be high. The flip side of this is to build very strong security programs that are effective at minimizing breaches to deter cybercriminals from attacks," she says.

"Healthcare organizations will state they protect PHI and PII, but in reality few have the resources to build and maintain high levels of security. Until we can do that, healthcare will be a profitable target."

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

