Clinical Review Firm: Nearly 135,000 Individuals, Dozens of Health Plans Affected

Marianne Kolbasuk McGee (HealthInfoSec) •
January 11, 2022    

Vendor: Data Breach Involved Security Product Vulnerability

A vendor that provides clinical reviews and virtual second opinions is notifying nearly 135,000 individuals and dozens of its health plan and related clients of a recent cyberattack involving data exfiltration and an alleged SonicWall product vulnerability.

Experts say the incident is the latest reminder of the importance of strong and comprehensive vulnerability management and software patching programs for healthcare sector entities.

"Often, organizations focus patching efforts on workstations and servers," says Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek.

"This is a great example of why a vulnerability management program should be developed to encompass all devices and applications."

Incident Details

In a breach report filed with the Maine attorney general on Friday, Salt Lake City, Utah-based Medical Review Institute of America says it was "the victim of a sophisticated cyber incident" discovered on Nov. 9, 2021, that resulted in unauthorized access to its network.

Upon discovery of the incident, MRIoA says it "took immediate steps to stop the threat and understand the full scope of the situation." This included hiring third-party forensic experts to conduct an investigation, technological remediation efforts, and contacting the FBI to seek assistance with the incident, MRIoA says.

"The forensic investigation recently concluded and found that the unauthorized individual gained access to its systems via a SonicWall vulnerability on Nov. 2, 2021, that has been removed, and MRIoA’s environment has been secured," says a sample breach notification letter MRIoA provided to the Maine attorney general's office.

"On Nov. 16, to the best of its ability and knowledge, MRIoA retrieved and subsequently confirmed the deletion of the obtained information," the letter says.

The MRIoA breach report and notification letter do not specify whether the incident involved ransomware or whether MRIoA negotiated with attackers to retrieve the compromised data and obtain confirmation of the data's deletion.

MRIoA's review of the affected data determined that the incident affected the personal information related to 134,571 individuals, including 194 Maine residents.

The breach report to the Maine attorney general includes a list of nearly three dozen affected clients - mostly health plans and large insurers - among them Blue Cross and Blue Shield organizations in several states, including Rhode Island, Minnesota, Illinois, New Jersey and Texas. Other affected clients include the health plans of organizations such as Twin Rivers Paper Co., Albertsons Companies and General Dynamics.

Information potentially affected includes demographic information, including first and last name, gender, home address, phone number, email address, date of birth and Social Security number; clinical information, such as medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name and medical account number; and financial information, including health insurance policy and group plan number, group plan provider and claim information.

Vulnerability Exploited?

The breach report and sample notification letter do not specify the SonicWall product or the type of vulnerability involved in the organization's security incident.

Neither MRIoA nor SonicWall, a vendor of security devices, including firewalls and remote access products, immediately responded to Information Security Media Group's request for information about the incident and the vulnerability involved in the data breach.

As of Tuesday, the U.S. Department of Homeland Security's CISA catalog for known exploited vulnerabilities lists 18 vulnerabilities related to SonicWall products, and several of them involve unauthenticated access issues.

In December, SonicWall issued an advisory urging users of its Secure Mobile Access 100 series and remote access products to immediately apply patches to certain devices that are affected by eight vulnerabilities ranked as having critical to medium severity, even after enabling their web application firewall (see: SonicWall SMA 100 Series Users Urged to Apply Latest Fix).

Tom Walsh, founder of privacy and security consultancy tw-Security, says that vulnerabilities can also arise in how a user organization configures a product, such as one provided by SonicWall or any other vendor.

"The organization using the product/tool - in this case SonicWall - has a responsibility in how the firewall or tool is configured and managed," he says. "The exact same firewall - hardware and software - could be configured differently at different organizations. An error in setting up or configuring the firewall could create a vulnerability."

Bolstering Security

In the wake of the incident, MRIoA says it is continuing to implement additional cybersecurity safeguards to better minimize the likelihood of this type of event reoccurring in the future.

That includes monitoring its systems with advanced threat hunting and detection software, adding authentication protection, and installing new servers "built from the ground up" to ensure all threat remnants have been removed, MRIoA says.

The company also says it is working with external third-party cybersecurity experts, deploying "a hardened and new backup environment," enhancing employee cybersecurity training and amending its existing cybersecurity policies as necessary.

MRIoA says it has no evidence that affected information was misused, but it is offering affected individuals one year of complimentary credit and identity monitoring.

Patch Management Challenges

Some experts note that the MRIoA incident appears to spotlight a variety of common difficulties with, as well as the critical importance of, effective patch management.

"Patch management can be challenging, even for organizations that are HITRUST-certified, such as MRIoA," Walsh says. "It seems like every day there is a newly discovered vulnerability in an application, database, operating system, tool, etc. In many cases, there is a delay between the discovery of the vulnerability and when the vendor releases an update/patch/fix," he says.

How can covered entities and business associates improve their patch management processes and programs?

"The first step in this process is have a clear picture of what assets the organization has in place," Denkers says.

"Coupling that with a mature vulnerability management program allows for the best chance of identifying applicable risks to those devices or applications. Lastly, a robust patching process will help ensure those issues identified are then remediated based upon the organization's risk tolerance policy."

Walsh suggests that entities subscribe to organizations that provide routine security updates. "The problem is that you have to sift through all of the alerts to find the one or two that may apply to your environment. This is a time-consuming task and not a fun task either."

Nonetheless, any device or application that is left unpatched against a critical vulnerability can potentially cause a compromise, Denkers says. "It's imperative organizations understand what devices and applications they have and are continuously monitoring for patches to help minimize the chances of compromise."
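As an added illustration of the asset-inventory-plus-vulnerability-catalog approach Denkers and Walsh describe (example code, not from the article, MRIoA, SonicWall or CISA), the Python below matches a constructed asset inventory against records in the schema of the CISA Known Exploited Vulnerabilities catalog mentioned above, so that only the entries that apply to the environment surface and those past their CISA due date are flagged. The catalog records, hostnames, vendors and CVE ids are constructed placeholders. The real feed is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json with the same field names, so `json.load` of that file could stand in for `SAMPLE_KEV`; the `patched_through` field and the "likely patched" heuristic are this example's assumptions, not part of the KEV schema.

```python
"""Match an asset inventory against CISA KEV-style records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Constructed sample in the KEV JSON schema (cveID, vendorProject, product, dateAdded, dueDate, ...).
# The CVE ids are placeholders, not real entries.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2099-00001", "vendorProject": "SonicWall", "product": "SMA 100 Series",
         "vulnerabilityName": "Placeholder unauthenticated access flaw",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2099-00002", "vendorProject": "ExampleCorp", "product": "VPN Appliance",
         "vulnerabilityName": "Placeholder remote code execution",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2099-00003", "vendorProject": "ExampleCorp", "product": "Mail Gateway",
         "vulnerabilityName": "Placeholder authentication bypass",
         "dateAdded": "2021-10-01", "dueDate": "2021-10-15",
         "requiredAction": "Apply updates per vendor instructions."},
    ]
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    patched_through: str  # ISO date of the latest vendor update applied (assumed inventory field)


# Constructed inventory: "a clear picture of what assets the organization has" expressed as data.
SAMPLE_INVENTORY = [
    Asset("vpn-edge-01", "SonicWall", "SMA 100 Series", "2021-09-01"),
    Asset("vpn-edge-02", "ExampleCorp", "VPN Appliance", "2022-01-05"),
    Asset("db-01", "ExampleCorp", "Database Server", "2021-12-01"),
]


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive key so 'SMA 100 Series' and 'sma  100 series' match."""
    return " ".join(text.lower().split())


def applicable_entries(kev: dict, inventory: list) -> list:
    """Return (asset, entry) pairs whose vendor/product appear in the inventory: the alerts
    that actually apply to this environment, out of everything the catalog lists."""
    by_key = {}
    for entry in kev["vulnerabilities"]:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        by_key.setdefault(key, []).append(entry)
    hits = []
    for asset in inventory:
        for entry in by_key.get((_norm(asset.vendor), _norm(asset.product)), []):
            hits.append((asset, entry))
    return hits


def exposure_report(kev: dict, inventory: list, today: str) -> list:
    """Classify each applicable entry as 'likely_patched', 'overdue' or 'due'.
    Heuristic (an assumption of this example): a vendor update applied on or after the
    date the entry was added to the catalog is taken as covering it; verify against the
    vendor advisory before closing the finding."""
    now = date.fromisoformat(today)
    report = []
    for asset, entry in applicable_entries(kev, inventory):
        added = date.fromisoformat(entry["dateAdded"])
        due = date.fromisoformat(entry["dueDate"])
        if date.fromisoformat(asset.patched_through) >= added:
            status = "likely_patched"
        elif now > due:
            status = "overdue"
        else:
            status = "due"
        report.append({"hostname": asset.hostname, "cveID": entry["cveID"], "status": status,
                       "dueDate": entry["dueDate"], "requiredAction": entry["requiredAction"]})
    # Overdue findings first, then by due date, so the worklist starts with the most urgent.
    return sorted(report, key=lambda r: (r["status"] != "overdue", r["dueDate"]))


def overdue_hosts(report: list) -> list:
    """Hostnames with at least one finding past its catalog due date."""
    return sorted({r["hostname"] for r in report if r["status"] == "overdue"})


if __name__ == "__main__":
    for row in exposure_report(SAMPLE_KEV, SAMPLE_INVENTORY, "2022-01-11"):
        print(f'{row["status"]:<15} {row["hostname"]:<12} {row["cveID"]:<15} due {row["dueDate"]}')
```

Run against the constructed data with the article's date as `today`, `vpn-edge-01` is reported overdue for the placeholder SonicWall entry, `vpn-edge-02` is classed as likely patched because its last update postdates the catalog entry, and `db-01` produces nothing because no catalog record names its product; the third catalog entry is filtered out entirely, which is the sifting Walsh describes, done by matching rather than by hand.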
