With all the big attacks on third-party vendors, it’s not surprising that some entities are reporting two or more breaches in a short period of time.
Imagine360, LLC, is a self-funded health plan for employers.
On or around January 30, Imagine360 identified unusual activity within Citrix, its third-party file-sharing platform. Imagine360 terminated access to the platform, reset passwords, and confirmed the security of its own environment. It also began its own internal investigation to determine the scope of the breach.
Days later, on or about February 3, 2023, Fortra, which owns the GoAnywhere platform that Imagine360 also used for file-sharing, notified Imagine360 of the GoAnywhere breach.
So both breaches were outside of Imagine360’s environment and both involved file-sharing platforms. Imagine360’s investigation determined that files were copied from both platforms between January 28 and January 30, 2023. According to a notice on its website, the types of information involved included name, medical information, health insurance information, and Social Security Number.
Although it does appear to be mentioned on their website note, their notification to the California Attorney General’s Office indicates that they are offering identity monitoring services via IDX.
Imagine360 writes that in response to the incident with Fortra, it suspended the use of Fortra. Whether it plans to resume using them is unclear, but with so many file-sharing platforms getting hit in the past few years, it may not have as many options.
This incident does not yet appear on HHS’s public breach tool, so we do not yet know how many patients were affected. Kudos to Imagine360, though, for its clear explanation of the incidents it experienced.