A key supply chain partner of an NYSE- and S&P-listed health insurance and managed health care provider suffered a large ransomware attack. The attackers gained access to the personal data of over 1 million customers and users. The health and other personal data accessed were highly sensitive and diverse, creating a high risk of future unauthorised access, identity theft, impersonation and false claims. The attack had all the hallmarks of a new ransomware group formed by past members of two of the most prolific ransomware groups operating since the start of the COVID-19 pandemic. In a complex supply chain, our client needed to be kept up to date with all the data breach response steps, strategy, decisions and risk analysis, and needed high-quality internal records to be produced. They also wanted to ensure that public announcements, notices to breach victims and regulator notices were clear, on time and effective.
PrivacySolved Services and Solutions
PrivacySolved’s Legal and Regulatory Support Services led the project, and a Senior Data Protection Officer was made available for consultation. Our lead specialist contacted the main data controller and was included in all the main communication channels, document flows and response timelines. Inside the secure communication bubble, we worked quickly to understand the details and dynamics of the data breach across the supply chain and its effect on our client. We reviewed website and market notices, and assessed and challenged breach victim lists, including their US states and their countries. We reported to HR, the General Counsel and the CIO/CISO organisations. We reviewed breach notification letters to victims and the HIPAA breach notification to the Office of Civil Rights (OCR) in the US Department of Health and Human Services. We independently researched and updated our knowledge of the REvil, Conti and Black Basta ransomware groups. We collaborated with Threat Intelligence to understand the latest modus operandi, systemic risks and our client’s post-breach risk profile. We used OneTrust Data Breach Incident Management to ensure that records were complete, auditable, risk-assessed and unified. Our research and tracking helped us to identify the resulting US class action lawsuit the day after it was filed with the court. We shared this information with the stakeholders and assessed the likely level of breach victim engagement and the likelihood of success in the courts.
Our client used PrivacySolved’s expertise to:
Engage fully with stakeholders, understand the breach, make decisions and respond
Work with Threat Intelligence to understand systemic, special and specific risks
Collaborate with the supply chain to ensure efficient, timely and effective responses
Protect the client’s reputation, business, staff and value chains, and reduce the impact and its costs