A vendor used by Baylor College of Medicine for its employee wellness portal has reported a potential data security breach.
Baylor College of Medicine was notified on June 5 of the potential breach. Patient information was not exposed in the breach.
According to Baylor College of Medicine, Vitality Group LLC said MOVEit, the third-party file transfer program it uses to transfer business data, experienced a security vulnerability on May 30.
After discovering the exposure, Vitality said that its internal security team successfully removed the known exploitable risk. Prior to removing the vulnerability, however, an unauthorized third party gained access to the server used by the MOVEit program, on which certain Vitality Group files were stored.
Vitality found no evidence that its systems were directly impacted or are currently at risk. As limited personal and health information is shared with Vitality to support BCM’s employee wellness program, the vast majority of BCM Vitality program participants had minimal personal information exposure.
However, for a subset of individuals, the information potentially at risk could have included a combination of: Vitality program participants’ full name, employee ID, employer, date of birth, Social Security number and Protected Health Information, specifically biometric screening data and laboratory results.
Vitality conducted an assessment and has taken steps to fix the situation so that it doesn’t happen again. To identify any compromised files, the Vitality security team searched for known indicators of compromise and assessed that there is no evidence that Vitality’s systems were directly impacted or are currently at risk as a result of the incident.
Additionally, Vitality applied the recommended patch, which fixed the vulnerability, to the server that hosts the MOVEit file transfer program. As an extra precaution, Vitality implemented a password reset on every account that accesses its server, along with additional security measures.
Vitality has partnered with Experian to provide credit monitoring for two years for individuals whose Social Security number and health information may have been exposed.
“Baylor College of Medicine regrets this unfortunate incident and, as required by state and federal law, has notified all individuals whose sensitive personal information and Protected Health Information may have been exposed,” the college said.