Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for July 8th, 2022. I’m James Lee.

Each week we take a look at the most recent events and trends related to data security and privacy. This week we’re talking about supply chains, and probably not the way you’re thinking.


Show Transcript

The Old Ball & Supply Chain

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 8, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we will discuss supply chains, and probably not the way you’re thinking. We will talk about data breaches in supply chains.

The world is filled with clichés about chains. The chains that bind us together, referring to our significant others as “the old ball & chain,” claiming that some thing or process is only as good as “the weakest link” in a chain. 

Today, we hear a lot about supply chain issues being at the root of product shortages and inflation. We hear less of how cyberattacks against supply chains continue to impact businesses and individuals in the form of data breaches.

Recent Data Breaches in Supply Chain

Just in the past few weeks, we’ve learned about two significant data breaches in the healthcare sector that have impacted more than one million victims and hundreds of companies, even though the companies that were attacked did not have a direct relationship with the victims. The companies – a software provider to more than 2,600 healthcare systems and a company that collects medical debts for more than 650 healthcare providers – are part of the healthcare supply chain.

MCG Health Data Breach

MCG Health uses data to help most U.S. health plans, nearly 2,600 hospitals, and multiple government agencies make patient care decisions. The Seattle-based company recently acknowledged that someone had accessed an estimated 1.1 million patients’ personal information stored in the MCG system. At least eight lawsuits have already been filed that claim Social Security numbers, medical codes and other data were exposed in a breach that may have started as long as two years ago.

Professional Finance Company, Inc. Data Breach

Colorado-based accounts receivable management company Professional Finance Company, Inc. (PFC) is the other link in the healthcare supply chain to confirm a significant data breach this month. According to the company’s public breach notice, a sophisticated ransomware attack was detected and blocked in February of this year, but not before some of its computer systems were disabled. PFC says 657 of its healthcare clients have been impacted.

An investigation uncovered no evidence of misuse of patient data. However, data theft and misuse could not be ruled out. The types of information potentially accessed in the attack include names, addresses, account balances, information regarding payments made to accounts, and, for some individuals, birth dates, Social Security numbers, health insurance information and medical treatment information. We don’t know how many individuals are victims of this breach. However, with 657 organizations impacted, the final number could be significant.

Why Steal Information from Companies in a Supply Chain?

Why do data thieves try to execute data breaches in supply chains? It’s pretty simple. The security may not be as good as that of the larger customer company. Also, it’s a lot easier to attack one company and get the data of hundreds or thousands of companies than to attack all those companies one at a time.

Contact the ITRC

If you want to learn more about protecting yourself or your business from identity crimes, or if you think you have been the victim of an identity crime or compromise, visit our website at www.idtheftcenter.org. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Listen to our sister podcast, The Fraudian Slip, where last month we discussed state privacy laws and a possible national privacy law. Next week, the ITRC will release our report on data breaches through the first half of 2022. There are some interesting trends you will want to learn about. We will return next week with another episode of the Weekly Breach Breakdown.