Skip to main content

What happened this week? The biggest medical cyberattack of the year, as MOVEit continues to snag companies. Here are the #HacksAttacksBreaches highlights:

  • California-based Prospect Medical Holdings has disclosed that it experienced a cyberattack that has pushed 16 hospitals and about 100 other medical facilities offline in California, Connecticut, Pennsylvania and Rhode Island. This is the largest medical cyberattack in the U.S. so far in 2023.
  • The Oregon Health Authority announced that its members’ data may have been exposed due to a MOVEit-related cyberattack on one of its service providers. An estimated 1 million people had data exposed in this incident.  

  • Prudential Insurance Company of America filed a notice of data breach with the Attorney General of Maine after discovering that one of the company’s vendors experienced a data breach caused by the MOVEit exploit. Over 320k individuals had information that was stolen.

The latest Hacks, Attacks and Breaches cybersecurity news update is here to give you what you need to stay informed, each week.

Read the top cybersecurity stories this week to keep up with hacking, computer security, ransomware and other cybersecurity threats. Here’s what’s in store this for 08/02/23 – 08/08/23. If you missed last’s week’s news, read Hacks, Attacks and Breaches: Medical Exploits Unleashed.

Hot Topic

Exploit: Credential Stuffing
Hot Topic: Retailer

Risk to Business: Severe

Retailer Hot Topic has disclosed that it has likely experienced a data breach after experiencing a series of credential stuffing attacks. The retailer said that the attacks took place between February 7 and June 21, 2023. Hot Topic says that legitimate credentials were ultimately used to access the company’s systems. Bad actors may have stolen customer information, including customer names, mailing addresses, dates of birth, phone numbers and order history. Partial payment card information (the last four digits of the payment card) may have been accessed if victims had their payment card details saved to their accounts.)

How it Could Affect Your Customers’ Business: Teaching employees how to safely handle credentials will prevent cybersecurity trouble like this.


Oregon Health Plan (OHP)

Exploit: Supply Chain Attack
Oregon Health Plan (OHP): Insurer

Risk to Business: Severe

The Oregon Health Authority has announced that its members’ data may have been exposed due to a MOVEit-related cyberattack on one of its service providers. Vendor PH Tech notified Oregon government officials that they’d experienced a data breach. In their investigation, PH Tech determined that the sensitive data of OHP members was accessed by bad actors. OHP said the illegally accessed data included personal information and some protected health information like enrollment, authorization and claims files. Exposed information varies from person to person but might include name, date of birth, social security number, address, member ID number, plan ID number, email address, authorization information, diagnosis code, procedure codes and claim information. An estimated 1 million people had data exposed in this incident.  

How it Could Affect Your Customers’ Business: Supply chain cyberattacks and the risk they bring to business needs to be top-of-mind for IT professionals.


Prospect Medical Holdings

Exploit: Hacking
Prospect Medical Holdings: Medical Facility Operator

Risk to Business: Severe
California-based Prospect Medical Holdings has disclosed that it experienced a cyberattack that has pushed 16 hospitals and about 100 other medical facilities offline in California, Connecticut, Pennsylvania and Rhode Island. The incident began on August 1. Medical providers at the impacted facilities have had to resort to pencil and paper charting. Some of the outpatient facilities that Prospect manages have been forced to close because of the attacks, including radiology, diagnostic and heart health facilities in Connecticut. This is the largest medical cyberattack in the U.S. so far in 2023.

How it Could Affect Your Customers’ Business: This breach is currently the worst medical cyberattack of 2023, but there’s still time for bad actors to make an even bigger strike.


Prudential Insurance Company of America

Exploit: Supply Chain Attack
Prudential Insurance Company of America: Insurer

Risk to Business: Severe
Prudential Insurance Company of America filed a notice of data breach with the Attorney General of Maine after discovering that one of the company’s vendors experienced a data breach caused by the MOVEit exploit. Prudential was recently informed of the attack on their vendor, Pension Benefit Information, LLC (PBI). The incident resulted in the exposure of consumers’ sensitive information, which includes their names, Social Security numbers, addresses, dates of birth and phone numbers. PBI recently began sending out data breach notification letters to all 320,840 individuals whose information was stolen.  

How it Could Affect Your Customers’ Business: Supply chain attacks are escalating, and just one attack on a supplier can be a big problem that brings big bills for any business.


Colorado Department of Higher Education (CDHE)

Exploit: Ransomware
Colorado Department of Higher Education (CDHE): Regional Government Agency

Risk to Business: Severe
The personal data of students and employees may have been exposed in a data breach at the Colorado Department of Education (CDHE). Specifically, the data of anyone who studied at a public high school in the state between 2004 and 2020, anyone who took a course at a higher education facility between 2007 and 2020, anyone who held a K-12 teacher’s license in the district, obtained participated in the Dependent Tuition Assistance Program from 2009-2013, participated in Colorado Department of Education’s Adult Education Initiatives programs between 2013-2017, or obtained a GED between 2007-2011 may be impacted by this incident. between 2010-2014, may be affected. CDHE disclosed that a bad actor accessed CDHE systems between June 11 and June 19, 2023. The incident remains under investigation.

How it Could Affect Your Customers’ Business: Educational institutions can hold a lot of valuable data and have historically weak security.


Allegheny County, Pennsylvania

Exploit: Hacking
Allegheny County, Pennsylvania: Regional Government

Risk to Business: Moderate
Allegheny County, Pennsylvania said that it has experienced a cyberattack that led to a data breach on May 28 and 29. Thanks to MOVEit. The county said that residents’ data may have been exposed including name, Social Security number, date of birth, driver’s license/state ID number, taxpayer ID number and student ID numbers. For some, some types of medical information (e.g., diagnosis, treatment type, admission date), health insurance information, and billing/claim information may be involved. 

How it Could Affect Your Customers’ Business: Governments of every size and government agencies have been high on cybercriminal hit lists.


Canada – Health Employers Association of British Columbia

Exploit: Hacking
Health Employers Association of British Columbia: Professional Group

Risk to Business: Severe
Health Employers Association of British Columbia admitted that a cyberattack on three of its websites has likely resulted in the exposure of some personal data for an estimated 240,000 people. The association said that three websites recruiting physicians, nurses and other health professionals are at the center of the storm: Health Match B.C., Locums for Rural B.C. and the B.C. Care Aide & Community Health Worker Registry. The attack was first detected on July 13, but an investigation determined that the hackers had been in the company’s systems from May 9 to June 10. The incident remains under investigation.

How it Could Affect Your Customers’ Business: Job and hiring websites often hold onto or maintain access to big stores of valuable personal data.


Australia – Aristocrat Gaming

Exploit: Hacking
Aristocrat Gaming: Gambling Machine Manufacturer

Risk to Business: Moderate
Australia’s largest gaming machine manufacturer said that it has been hit in a cyberattack thanks to the MOVEit vulnerability. Aristocrat Gaming said that the June 1 attack led to the exposure of unspecified data for Aristocrat employees. Aristocrat said in a statement that it expects low business impact from this incident and that appropriate authorities are part of the investigation.

How it Could Affect Your Customers’ Business: A zero day vulnerability can be the catalyst for a cyberattack at any time. Businesses need to remain vigilant.