120K Priority Health Members Impacted By Third-Party Data Breach

By   ISBuzz Team
Writer , Information Security Buzz | Aug 11, 2022 03:59 am PST

Following news that priority Health issued a notice about a third-party data breach that originated at the law firm Warner Norcross & Judd (WNJ) in October 2021 (https://healthitsecurity.com/news/120k-priority-health-members-impacted-by-third-party-data-breach), cyber security experts explain the risk of third party companies.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Chris Clements
August 11, 2022 12:02 pm

Cybersecurity risk from third parties has risen to a level that no organization can afford to neglect it. In this case, a large amount of Priority Health’s customer data was compromised, and they were only notified over half a year later. During this period, cybercriminals could have used the personal info to conduct fraud or identity theft or leverage the information to construct compelling social engineering campaigns targeting the victims directly. Worse, without being notified neither Priority Health nor their customers could take proactive action to protect themselves from these attacks.

To protect themselves, organizations must adopt a culture of security that incorporates approaches to managing third-party risk. It starts with awareness of the third parties with access to systems or data and taking steps to ensure they are following cybersecurity best practices, but this alone is no longer enough. Organizations must take ownership of their threat model and go above and beyond simply trusting their third-party’s attestations, even with things like SOC2 certification or recent penetration test reports. Businesses must be proactive about demanding visibility and security controls into their vendor’s systems, including tenant specific data encryption, access controls to require approving access to their data even from the vendor’s own staff, and visibility into audit logging information, especially with capabilities to stream those logs to your own security monitoring system to detect potential malicious activity whether the source be your own personnel, an external attacker, or even the vendor themselves.

Last edited 1 year ago by Chris Clements

Recent Posts

Would love your thoughts, please comment.x