Emerging Risk Management Issue: Vendors Hit by Ransomware

Two recent ransomware incidents targeted companies serving healthcare organizations, highlighting an emerging challenge for vendor risk management in the sector.

Blackbaud, which sells cloud-based marketing, fundraising, and customer relationship management software, was recently hit by ransomware. Some of its affected clients are now being revealed.

Meanwhile, medical debt collector firm R1 RCM, formerly known as Accretive Health, also has been hit by ransomware.

The Chicago-based R1 RCM security incident is just the latest in a string of incidents targeting medical billing and collection vendors, following incidents at Houston-based BRSI in April and at AMCA in 2019. The AMCA breach was the largest U.S. health data breach of 2019, affecting more than 20 million people.

Incidents involving vendors that provide financial and fundraising services to a broad swath of leading healthcare organizations are particularly concerning because of the breadth and sheer volume of the data those vendors can be handling.

Covered entities should take notice and prepare for the eventuality that one of their vendors will suffer a cybersecurity incident. Niche third-party vendors are a considerable risk to covered entities because they are typically ‘off the radar’ and unseen, yet they process enormous amounts of information.

Blackbaud Breach Impact
South Carolina-based Blackbaud last month revealed that it was hit by a ransomware attack in May. The company has not disclosed the identities of clients affected. But some customers have issued notifications, including Northern Light Health, a Maine-based healthcare delivery system.

Northern Light's report of the hacking incident covers more than 657,000 individuals, making it the second largest breach reported to the Department of Health and Human Services so far in 2020.

In a notification statement, Northern Light Health Foundation says it recently learned “that it is one of thousands of hospitals, healthcare systems, and other nonprofit organizations… to be affected by a security event at Blackbaud, the company that hosts our fundraising databases.”

R1 RCM Incident
In the other recent ransomware incident targeting a vendor, R1 RCM acknowledged taking down its systems in response to the attack. R1 RCM appears to have been hit in early August, and the incident, according to sources, involves malware known as Defray, which is usually spread “via booby-trapped Microsoft Office documents sent via email.”
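Because the reported delivery vector is a macro-laden Office attachment, the first triage question for a mail gateway or an incident responder is simply whether an attachment carries VBA at all. The script below is an added example written for this page, not code from the article or from any of the companies named in it. It constructs a sample .eml in memory (sender, recipient, subject and attachments are all made up), then inspects each Office attachment: OOXML files (.docm, .docx, .xlsm and so on) are zip archives, and a macro-enabled one contains a vbaProject.bin part; legacy binary .doc/.xls files are OLE2 containers that need a dedicated parser, so they are flagged for manual review rather than inspected.

```python
"""Triage e-mail attachments for macro-enabled Office documents.

Added example, not from the original article. All sample data
(message headers, file names, document contents) is constructed.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".pptm", ".pptx")
# OOXML parts that exist only when the document carries a VBA project
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE2_MAGIC = b"\xD0\xCF\x11\xE0"  # legacy binary Office (compound file) header


def ooxml_has_macros(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


def is_legacy_ole(data: bytes) -> bool:
    """Legacy .doc/.xls: macros live inside OLE streams, so flag for review."""
    return data.startswith(OLE2_MAGIC)


def triage_eml(raw: bytes) -> list[dict]:
    """Return one verdict per Office attachment found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(OFFICE_EXTS):
            continue
        data = part.get_payload(decode=True)
        if ooxml_has_macros(data):
            verdict = "macro-enabled"
        elif is_legacy_ole(data):
            verdict = "legacy-ole-review"
        else:
            verdict = "clean"
        findings.append({"filename": name, "verdict": verdict})
    return findings


def build_docm(with_macros: bool) -> bytes:
    """Construct a minimal OOXML zip; a real document carries many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA project
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed lure message with three attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ar@hospital.example"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(build_docm(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Invoice_2020-08.docm")
    msg.add_attachment(build_docm(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Statement.docx")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 12, maintype="application",
                       subtype="msword", filename="Old.doc")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_eml(build_sample_eml()):
        print(finding)
```

The check is deliberately narrow: it answers "does this file contain VBA" and nothing more. A clean verdict here does not mean a safe file (DDE fields, embedded OLE objects and remote templates are all macro-free delivery routes), so treat it as a fast first filter ahead of sandbox detonation, not as a replacement for it.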

Vendor security and the associated vulnerabilities are something that every covered entity should take seriously. Preparation for the compromise of a vendor is a key part of any incident response plan.

If you have questions about IT security, call ITPAC today.