Data Breach of Medical Supply Firm Affects Over 21,000


The hack of a Nebraska-based medical supply company has affected over 21,000 individual victims in what is the second-largest business associate health data breach this year.

According to an announcement by federal regulators in Oregon, a hacking incident has exposed the names, addresses, dates of birth and insurance information of over 21,000 individuals. The breach came to light during a routine review of system logs, when Cornerstone Business & Management Solutions found a suspicious account on its server. The company quickly determined that the account was downloading information stored on the server, including the personal details of patients using its medical supplies.

Cornerstone claims it immediately locked the rogue server to isolate it from the rest of its network.

The company stated in a notice:

We were able to restore our system using unaffected backup copies and continue providing services to patients. We have been monitoring the system, and to date, we have found no evidence of any recurrence of the incident. We are still investigating the incident to determine how the account accessed our system.

The breach was reported to the US Department of Health and Human Services on September 5 as a hacking incident that affected 21,856 individuals in total. That would make the breach the second-largest hack involving a business associate this year, after an unauthorized breach reported by Indiana-based Enterprise Services LLC that affected about 56,000 individuals on June 27.

Altogether, there have been 15 data breaches involving business associates this year, affecting a total of 183,000 individuals, according to the department’s Breach Reporting Tool website. Since the website’s record-keeping began in September 2009, a staggering 315 major breaches involving business associates have been reported to the HHS, affecting a mammoth 26.2 million individuals. That’s 15 percent of the total 2,060 breaches reported to date.

Meanwhile, Cornerstone added that it is implementing new administrative safeguards, with additional policies and procedures, to strengthen its cybersecurity framework. The company is also offering affected individuals 12 months of free identity theft and credit monitoring.
