
Cyber Incident Victim: Edgepark Medical Supplies

Date: Mar 2013

Location: United States of America

Summary

A malware attack compromised an Ohio-based medical supplier's web servers, leading to unauthorized access of approximately 4,200 individuals' personal and payment information. Exposed data included names, birth dates, contact details, partial or full credit card numbers—with 126 victims having full 16-digit card numbers exposed—diagnoses, order histories, health insurer details, and account credentials. The breach occurred over several days but was detected months later when antivirus software identified the malware. The company removed the malicious code, reset all account passwords, notified affected individuals by mail, and provided complimentary identity theft protection services for one year. No unusual account activity or misuse reports were identified following the incident.


Description

In March 2013, unauthorized actors infiltrated the web servers of Edgepark Medical Supplies, an Ohio-based medical supplier, deploying malware that remained undetected for approximately nine months. The breach occurred between March 9 and March 12, 2013, compromising systems that stored sensitive patient and customer data. Edgepark’s antivirus software failed to identify the malicious code until December 12, 2013, coinciding with the antivirus provider’s recognition of the threat. The delayed detection allowed prolonged access to systems containing personal and financial information. Upon identifying the intrusion, Edgepark initiated an investigation, determining that the malware facilitated unauthorized access to the “account information” section of patient records.

The incident impacted approximately 4,200 individuals, exposing names, dates of birth, phone numbers, shipping and billing addresses, email addresses, Edgepark account usernames and passwords, diagnoses, order histories, and health insurer details. Payment card data was also compromised: full 16-digit credit card numbers for 126 individuals and the last four digits of cards for the remaining affected parties. Security codes were not accessed. Edgepark removed the malware, reset all account passwords, and mailed breach notifications to impacted individuals starting January 2, 2014. The company offered one year of complimentary identity theft protection services but stated no unusual account access patterns or post-breach misuse had been identified at the time of disclosure.
