Intellihartx, a healthcare revenue cycle management firm, is facing a class action lawsuit over a data breach that exposed the personal and medical information of nearly 500,000 patients. The breach occurred in February 2023, when hackers exploited a vulnerability in Fortra’s GoAnywhere file-transfer software, which Intellihartx used to share data with its clients.
The lawsuit, filed in an Ohio federal court, alleges that Intellihartx was negligent in its failure to protect the sensitive data of its patients and that it inadequately supervised vendors and suppliers tasked with collecting and maintaining sensitive personal information.
The lawsuit accuses Intellihartx of becoming aware of the vulnerability on January 29, 2023, but failing to take necessary action. The legal action asserts that the impact of the breach could have been prevented or at least minimized had Intellihartx shared less patient information with its vendors and implemented stronger controls.
The suit contends that Intellihartx failed to adhere to the Health Insurance Portability and Accountability Act (HIPAA) standards. HIPAA is a federal law designed to safeguard the privacy of individuals’ medical information and uphold patient rights. It provides a framework for healthcare organizations to securely manage sensitive patient data. The lawsuit further alleges that Intellihartx fell short of deploying adequate security measures and procedures that might have prevented or at least mitigated the impact of the data breach.
Exposed patient information includes personal details such as names, addresses, birthdates, and Social Security numbers, as well as medical data such as billing and insurance information, diagnoses, and medication records. The lawsuit argues that this exposure places patients at risk of identity theft and fraudulent misuse of their data.
This class action lawsuit underscores the importance of vendor risk management, illustrating how companies can face liability for ineffective controls in managing vendor risk.
Intellihartx is Not an Isolated Event – Third-Party Breaches Surging in 2023
The Intellihartx breach is far from an isolated incident; approximately 60% of data breaches can be traced back to third parties. Below are some significant third-party breaches that occurred in 2023:
MOVEit: The MOVEit breach exploited a vulnerability in the MOVEit Transfer software, which many organizations use to securely transfer sensitive files. The attackers, who claim to be part of the Clop ransomware gang, accessed the data of more than 140 organizations, including government agencies, universities, banks, law firms, and energy companies. The number of individuals affected by this breach is estimated to be over 16 million.
PharMerica: PharMerica, a pharmacy service provider, suffered a data breach in March 2023 that impacted nearly 6 million patients. The breach compromised sensitive patient information from the hospitals and health systems that shared their data with PharMerica, making it a third-party data breach for those organizations. According to the company, an unknown third party accessed its computer systems and extracted sensitive patient data, including names, dates of birth, Social Security numbers, medication lists, and health insurance information.
AT&T: AT&T reported a data breach in 2023, which was caused by a hacking incident against one of its marketing vendors. The breach affected approximately nine million customers, whose names, addresses, phone numbers, email addresses, and account numbers were accessed by an unauthorized third party.
These examples demonstrate that third-party breaches can have devastating consequences, not only for the primary organizations and their customers but also for the reputation and trustworthiness of the third-party providers.
The Importance of Vendor Risk Management
The Intellihartx breach and other third-party breaches in 2023 serve as a wake-up call, underlining the importance of a strong vendor risk management program. Vendor risk management is the process of identifying, assessing, mitigating, and monitoring the risks associated with third-party providers. To guard against these risks, organizations should take the following steps to develop a robust vendor risk management program:
- Conduct due diligence during the vendor vetting process to evaluate the vendors’ qualifications, security and data privacy practices, financial stability, reputation, and past performance
- Develop a comprehensive inventory of vendors and suppliers and bucket them based on their criticality and potential risk to the business
- Conduct regular risk assessments to identify potential risks and vulnerabilities associated with the vendor’s products or services
- Continuously monitor the attack surfaces of vendors
- Develop contractual agreements defining the roles and responsibilities of both parties, including the vendor’s security obligations and performance expectations
- Develop an incident response plan outlining the steps to be taken in case of a security breach or other incident involving the vendor
- Develop escalation and remediation procedures for addressing security incidents or other issues involving the vendor
By following these best practices, organizations can reduce the likelihood and impact of third-party breaches, protect their data and customers, and avoid legal liability and reputational damage.
How ProcessBolt Can Help
ProcessBolt is a leading provider of third-party risk management solutions that enables you to manage this risk easily, inexpensively, and comprehensively. We are transforming the vendor risk management process by leveraging AI. ProcessBolt AI is a fully integrated AI-driven platform that extracts intelligence directly from vendor policy documents to populate security assessments and correlates that data with the vendor’s attack surface intelligence, taking an enormous amount of friction out of the vendor risk assessment process.
With ProcessBolt AI, you can focus your efforts on remediating and addressing vendor risk, instead of wasting time chasing down vendors and verifying the accuracy of security risk assessments.