Top Security Breaches Caused by Technology Partners
Breached Organization: Lawrence Memorial HospitalThird-Party Involved: Blue Sky Credit, BrickWire LLCData Lost: Names, personal information, health care provider information, credit card numbers and checking account information for 10,000 patientsThe Situation: A third-party burn of two degrees, Lawrence Memorial Hospital was left responsible for a breach of patient financial information after its credit vendor’s website hosting company left a web portal open to public access that was tied to a database containing patient information.
No Title
Breached Organization: Securities and Exchange Commission (SEC)Third-Party Involved: Financial Tracking Technologies (FTT)Data Lost: Stock trading and financial information for 4,000 SEC employeesThe Situation: Hired to manage an internal software program that tracks SEC employee trading information for ethical violations, FTT stepped into its own ethical trouble when it was discovered that it shared information in the system with other third-party companies without SEC approval.
No Title
Breached Organization: TricareThird-Party Involved: Science Applications International Corporation (SAIC)Data Lost: Protected health information for over 5.1 million patients of military hospitals and clinicsThe Situation: SAIC left Tricare with a lot of explaining to do after one of its employees left backup tapes containing millions of service members’ health information in a car and the tapes were subsequently stolen.
No Title
Breached Organization: Department of Veterans Affairs (VA)Third-Party Involved: Unnamed hardware and proprietary software vendorData Lost: Exposed Veterans Health Information System and Technology Architecture Systems,The Situation: The unnamed IT vendor improperly shared user credentials to access VA networks without security clearance and without following the VA IT security protocol.
No Title
Breached Organization: Beth Israel Deaconess Medical CenterThird-Party Involved: Unnamed PC service vendorData Lost: Medical records, names and dates of birth for over 2,000 patientsThe Situation: After completing routine maintenance, a sloppy PC service vendor failed to restore security controls on desktop that it worked on. As a result, a worm infected the machine and began to exfiltrate encrypted data files to a hacker’s remote location.
No Title
Breached Organization: As many as 50 of America’s top retail and financial brandsThird-Party Involved: EpsilonData Lost: Email addresses and names of millions of consumersThe Situation: Email marketing contractor Epsilon never really did spill exactly how many email addresses were stolen or how it was done, but speculation has it that a spearphishing attack helped hackers gain access to databases containing customer information from big brands such as JPMorgan Chase, Kroger and Tivo.
No Title
Breached Organization: Ingenix Healthcare ProvidersThird-Party Involved: IngenixData Lost: Social Security Numbers of healthcare providers using this analytics software vendor’s servicesThe Situation: A health care information sharing network, Ingenix, exposed at least 142 health care providers in New Hampshire and possibly more nationwide by making their SSNs as ID numbers visible to those searching for providers in the system.
No Title
Breached Organization: State of OhioThird-Party Involved: Affiliated Computer Services (ACS)Data Lost: Social Security Numbers for up to 8,000 child care providers in OhioThe Situation: As the outsourced vendor of the automated system for payment and tracking of child care providers in Ohio, ACS made the decidedly low-tech mistake of sending out a mailing to all of the providers that had their SSNs visible from outside of the envelope.