PhySynergy has disclosed a vendor breach involving IberiaBank’s lockbox service provider, Technology Management Resources, that may have impacted some of its customers and/or patients. From their press release:
HUNTSVILLE, Ala., March 4, 2022 /PRNewswire/ — PhySynergy, LLC (the “Company”) is notifying individuals of a service provider security incident that involved the personal information of some of its patients and/or customers.
What happened? The Company has a lockbox service with IBERIABANK for collecting and processing information from our patients and/or customers. IBERIABANK uses Technology Management Resources, Inc. (TMR) as a third-party lockbox service provider to process payments and capture pertinent payment data for items received in the lockbox. On October 14, 2021, TMR identified unusual activity with a user account in its lockbox application. It was determined that the activity was unauthorized, and the account was promptly disabled. The Company was notified of this incident on January 5, 2022 and has been actively seeking information regarding the incident to be able to provide this notice to affected individuals.
This was not the first incident report involving TMR. In October 2020, one year earlier, IntelliRad disclosed a breach to patients and to HHS. In their notification, they wrote, in part:
On July 3, 2020, TMR discovered that a TMR employee’s iRemit user account had been compromised. Intellirad was notified of this incident on August 21, 2020 and has been actively seeking information regarding the incident to be able to provide this notice.
Upon discovery of the incident, TMR reported that they secured the account and began an investigation in consultation with external cybersecurity professionals. TMR has stated that their investigation determined that the threat actor may have viewed images of checks and related images containing Intellirad patient PHI. According to TMR, the threat actor activity occurred between August 5, 2018 and May 31, 2020, with the bulk of the activity occurring between February and May 2020. TMR notified the FBI of this incident.
So what had TMR done in response to the first incident? According to IntelliRad:
TMR reports that they have taken several corrective actions to remediate and prevent a further security incident, and to mitigate the effects of the security incident. According to TMR, TMR credentials have been reset or deactivated (as applicable). TMR also reports that they implemented additional rules in their firewall to more tightly control the ability to access the iRemit website from other countries, among other steps taken
Were these corrective measures taken before the October 2021 incident?
DataBreaches.net reached out to TMR on March 4 to ask them to clarify whether they had had two hacking incidents discovered since mid-2020 or if there was really just one incident that was never fully remediated and resulted in a second victim the following year. DataBreaches.net also asked what TMR has done since this latest report to harden their security.
There has been no reply from TMR.