Imagine360 Suffers Third-Party Data Breach, 112K Impacted

July 18, 2023 - Imagine360, a Pennsylvania-based provider of self-funded health plan solutions,  alerted over 112,000 individuals about a third-party data breach from January 2023, which occurred on its Citrix file-sharing platform.

Upon discovering the breach in January 2023, the company took immediate measures, such as terminating platform access, resetting passwords, and assuring the security of its externally hosted environment.

While still investigating the initial breach, a second incident surfaced on or around February 3, 2023.

Imagine360 was notified by Fortra that its GoAnywhere-managed file transfer solution experienced a cybersecurity incident. An unauthorized actor exploited a zero-day vulnerability in Fortra's platform, copying data from multiple organizations, including Imagine360.

In light of these incidents, Imagine360 collaborated with Fortra to understand the scope of the breaches and initiated an independent internal investigation. Both investigations revealed files, including names, medical and health insurance information, and Social Security numbers.

Despite these breaches, Imagine360 maintains that its own systems remained secure and unaffected throughout the incidents, reinforcing that the breaches occurred on externally hosted platforms.

“Imagine360 takes these incidents and the privacy of information in its care seriously,” the data breach notification stated. “We conducted a diligent investigation to confirm the full nature and scope of these incidents. We also took prompt steps to ensure that the incidents did not impact Imagine360’s internal systems while conducting a comprehensive review of the information potentially affected.”

“Further, as part of our ongoing commitment to the privacy and security of information in our care, we suspended use of Fortra’s platform and implemented additional safeguards to our existing policies, processes, and security measures.”

Breach at AHCCCS Impacts Over 2K Medicaid Members

Over 2,000 Medicaid members in Arizona may have had their personal health information (PHI) compromised due to a data breach.

The breach, as revealed by the Arizona Health Care Cost Containment System (AHCCCS), resulted from a systems error in Health-e-Arizona Plus (HEAPlus), their eligibility system.

The state agency first identified the issue in May earlier this year. Consequently, some household accounts became viewable to individuals outside their households, exposing details such as first and last names, addresses, and the last four digits of social security numbers.

“At the point of discovery, AHCCCS disabled the HEAPlus system toolbar that allowed members to view this information,” AHCCCS wrote in a public statement. “Additional internal procedures have been implemented to ensure that this type of error cannot occur again. On July 3, 2023, AHCCCS will begin to notify, in writing, those members whose personal information was compromised.”

Parsley Health Discloses Data Breach, 1K Impacted

Parsley Health, a healthcare provider known for its holistic approach to medicine, reported a data breach that potentially exposed the PHI of its patients.

The breach was identified on December 14, 2022, when the company discovered that PHI might have been inadvertently shared with a contracted partner via tracking technology installed on its websites.

Immediately upon discovering the issue, Parsley Health disabled the tracking technology to halt any further sharing of patient data. The company clarified that tracking technologies, such as pixels and cookies, are widely used on websites to collect user data and are a common practice.

Following an investigation that concluded on May 8, 2023, it was confirmed that the use of these trackers resulted in the disclosure of personal health data. However, Parsley Health maintains that there is currently no evidence indicating any misuse of the exposed patient data as a result of this incident.

In the wake of this incident, Parsley Health took significant steps to enhance its security and privacy measures. This includes disabling and reconfiguring the tracking technologies and altering their sharing agreements with partnered organizations. These steps are aimed at preventing any potential breaches and further securing their patients' personal health information.