Cyber Incident Victim: Cognisight
Date: May 2023
Location: United States of America
Summary
Cognisight, a vendor providing healthcare management services to Sutter SeniorCare, was impacted by a global exploit of the MOVEit file transfer tool. The incident resulted in unauthorized access to and exfiltration of files from its server. The compromised protected health information included names, dates of birth, Social Security numbers, treatment or diagnosis details, provider information, and patient identification numbers. The vendor provided complimentary credit monitoring services to affected individuals.
Description
On or before May 31, 2023, Cognisight, LLC, a vendor providing specialized health care management services to Sutter SeniorCare PACE, was impacted by a global exploit targeting the MOVEit file transfer tool. Cognisight utilized this tool to send and receive data, including protected health information, as part of its work for Sutter SeniorCare. The company learned of the incident on May 31, 2023, and immediately took action by stopping all access to the MOVEit service. A forensic investigation was initiated to determine the nature and scope of the incident, specifically to ascertain what had occurred and whether any data had been compromised.

The forensic investigation concluded on June 5, 2023. Its findings confirmed that unauthorized actors had exfiltrated files from the Cognisight MOVEit server. Following this determination, Cognisight notified its client, Sutter SeniorCare, on June 27, 2023, that certain files associated with their organization were among those impacted. Cognisight then engaged a vendor to conduct a detailed review of the affected files to identify any personal information contained within them. This review process was completed on July 12, 2023, at which point it was confirmed that protected health information belonging to Sutter SeniorCare PACE participants had been compromised.
The information involved in the breach included a range of sensitive personal and health data. The affected data types consisted of individuals' names, dates of birth, Social Security numbers, health information such as treatment details or diagnoses, provider information, and patient identification numbers. Cognisight stated it had no indication that any of this information had been misused following the exfiltration.
In response to the incident, Cognisight implemented several containment and remediation measures immediately after learning of the MOVEit compromise. Beyond stopping access to the service, the company securely restored its servers from backups and applied the security patch provided by the MOVEit software provider, Progress Software. As a protective measure for the affected individuals, Cognisight arranged for the provision of complimentary credit monitoring and identity protection services, even in the absence of evidence of misuse. These services were offered through Cyberscout via Identity Force, a TransUnion company.
The offered services included Single Bureau Credit Monitoring, Single Bureau Credit Report, and Single Bureau Credit Score services at no cost to the impacted individuals. This coverage was designed to provide alerts for twenty-four months from the date of enrollment whenever changes occurred to a credit file. The notification of such changes was intended to be sent on the same day the update took place with the credit bureau. Additionally, the arrangement included proactive fraud assistance to help with questions or in the event an individual became a victim of fraud. Affected individuals were required to enroll in these services within 90 days of the notification letter's date. Enrollment required an internet connection and an email account, and it was not available to minors under 18 years of age.
The incident was attributed to a global exploit of a third-party software tool, MOVEit, which Cognisight used for legitimate business operations. The compromise did not originate from a breach of Cognisight's internal systems but rather from a vulnerability within the externally provided file transfer application. The forensic investigation confirmed that the attackers successfully exploited this vulnerability to gain access to and extract files from the server. The specific methods or tools used by the attackers beyond the known MOVEit exploit were not detailed in the provided information.
The primary consequence of the incident was the unauthorized access and acquisition of sensitive personal and protected health information. The potential for identity theft, financial fraud, and medical identity theft was acknowledged as a risk, prompting the offering of credit monitoring services. The breach notification letters were sent out to inform individuals of the event and the steps they could take to protect themselves. The notification also provided guidance on reviewing credit reports and financial statements, placing fraud alerts, and initiating security freezes with the three major credit bureaus: Equifax, Experian, and TransUnion.
Cognisight established a dedicated call center to answer questions from affected individuals, operational Monday through Friday from 8:00 AM to 8:00 PM, excluding holidays. The company issued a formal apology for any concern or inconvenience caused by the incident. The notification process included specific guidance for residents of various states, including California, Kentucky, Maryland, New Mexico, New York, North Carolina, Oregon, and Rhode Island, directing them to their respective state Attorney General offices for additional resources. It was explicitly noted that zero Rhode Island residents were notified of this particular incident. All US residents were directed to the Identity Theft Clearinghouse operated by the Federal Trade Commission.
