This week was particularly active in Cybersecurity—attacks rained upon all states, from the Great Basin of Nevada to the Volcanoes of Hawaii. The week began with an announcement out of Texas: U.S. Renal Care found exposed information from a vendor breach in 2023, impacting over 132k patients. Connecticut College was also featured this week; investigations are ongoing, but victims shouldn’t wait to protect themselves. The public also got an update on the PJ&A data breach from 2023.

On February 15th, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) issued an advisory highlighting the results of their incident response investigation into a state government organization’s network whose sensitive data including host/user details and other pertinent metadata were posted to the dark web.

On February 2nd, the remote desktop application AnyDesk was the target of a cybersecurity breach, marking a significant event in digital security. Hackers infiltrated AnyDesk's production environment, sparking concerns over data integrity and user security.

Azura Vascular Care operates a national network of health and wellness centers. They specialize in minimally invasive procedures and strive to treat vascular conditions in comfortable, out-patient settings. They offer healthcare in 25 states with multiple facilities and specialized teams. At the end of last year (2023), Azura discovered a threat actor within their network environment; officials removed the threat, but not before the criminals obtained 348k patient records.

Connecticut College (CC) is a private campus institution in New London, CT; initially opened as a women’s college, the institution today serves a 2k-student population and offers more than 40 degree programs. In March 2023, cybercriminals victimized CC by accessing their network environment. Eleven months later, CC officials have begun sending impact notices to those with data exposed in the incident.

Perry Johnson & Associates (PJ&A) is a medical transcription organization based in Nevada. Since the public learned about PJ&A’s breach, we have featured it whenever large healthcare networks have announced data breaches stemming from their incident and when officials present updates. This week, more information is public about the incident, through the Maine Attorney General’s Office.

U.S. Renal Care (Renal) is a 32-state, 400-location, 26k-patient healthcare provider primarily concerned with kidney disease and longevity; Renal offers in-facility and at-home dialysis solutions. Renal’s significant treatment network is made possible by various third-party vendors, from equipment solutions to transcription services.

The Bayer Heritage Federal Credit Union has headquarters in West Virginia. Like other unions, they offer various services that assist members in saving and investing no matter their life phase. Bayer’s products include financial accounts, IRAs, investment options, and many loans, from estate to student. At the end of October 2023, Bayer reportedly experienced a cyberattack; the breach lasted only a day but exposed the Social Security Numbers (SSNs) of 61,159 borrowers.

This week, around 643k data records were announced as lost in the cyber wars. Early on, the public learned of HopSkipDrive’s event, which impacted 155k student guardians. The most significant breach of this week, with an impact figure of over 307k, also occurred early in the week; the Des Moines Orthopaedic Surgeon clinic claimed the incident was due to a vendor’s failure.

While businesses might have become more prepared for direct cyberattacks, 2023 demonstrated that unfortunately a business is only as secure as the organizations within their environment. Third-party risk, which is to say any risk to an organization by external parties in its ecosystem or supply chain, was the headline culprit in 2023.