Georgia-based Cytometry Specialists d/b/a CSI Laboratories (“CSI”) has reported a second big breach this year.
In a press release issued this week, CSI reports that they discovered on July 8 that they had been the victim of a phishing attack that compromised an employee’s email account. The incident was reported to HHS on September 26 as affecting 244,850 patients.
“We believe the access to a single employee mailbox occurred not to access patient information, but rather as part of an effort to commit financial fraud on other entities by redirecting CSI customer health care provider payments to an account posing as CSI using a fictitious email address,” they state.
Whatever the bad actor’s intentions, the investigation revealed that documents with patient data were acquired from an employee mailbox. The files generally included patient name and number, but some files contained more protected health information such as date of birth and health insurance information.
“At this time, we have no facts suggesting that any of the patient information has been used and, in most cases, it will be very difficult, if not impossible, for anyone to further use the patient information that was accessed. Accordingly, we do not believe that you need to take any steps at this time to protect your information,” CSI Laboratories stated.
Not even to check explanation of benefits statements in case there is any attempt to misuse insurance information for medical identity theft?
Their full statement can be found on their website.
This was the second incident CSI Laboratories reported this year. In March, they disclosed a breach discovered in February. That incident also resulted in the theft of files with patient information.
Their March press release stated, in part, “At this time, CSI has no facts suggesting that any of the information has been further used and in some cases, it will be very difficult, if not impossible, for anyone to further use the information that was accessed.”
As DataBreaches reported:
By the time CSI issued that press release, Conti threat actors had already added CSI to their dedicated leak site. So maybe CSI had no “facts” or hard proof of misuse of data, but the fact that the data was in Conti’s hands should be cause for concern and for people to take steps to protect themselves.
The February incident was reported to HHS as affecting 312,000 patients.
So a mere months after a ransomware incident affecting hundreds of thousands of patients, CSI Laboratories got hit again. And it makes the same promises now that it made after the first incident:
We continue to closely monitor our network and information systems for unusual activity. We will continue to further improve security across our company networks and protect from unauthorized access or similar criminal activity in the future.
What exactly did CSI Laboratories do before and after the first incident to protect from unauthorized access or similar criminal activity? What are they doing after this second incident to prevent a third?