Cyber Incident Victim: Quantum Group

The data breach involving Quantum Group occurred in 2017 when unauthorized individuals potentially accessed protected health information entrusted to the vendor by Webb Mason, a marketing services provider working with Highmark Inc. Highmark, a Pittsburgh-based healthcare organization, utilized Webb Mason for marketing initiatives, and Webb Mason subsequently engaged Quantum Group for printing and mailing services related to those efforts. During this engagement, Webb Mason transferred patient data to Quantum Group, which was later exposed in a security incident at Quantum Group’s systems. Highmark emphasized that its internal IT infrastructure remained uncompromised, confirming the breach was isolated to Quantum Group’s environment. The incident was discovered retrospectively, with Highmark publicly disclosing the breach in March 2022 alongside other unrelated incidents reported by New Jersey Brain and Spine and Dialyze Direct.

The compromised data included HIPAA-protected information provided to Quantum Group in 2017, though specific intrusion methods or attacker identities were not disclosed. Highmark reported the breach affected 67,147 individuals, whose exposed data types were not itemized beyond being labeled as HIPAA-protected. Affected individuals were notified and offered 12 months of complimentary online identity monitoring services. Highmark did not detail remediation steps taken by Quantum Group or Webb Mason but reiterated that its own systems were not involved. The breach was reported to relevant authorities, aligning with regulatory requirements for incidents affecting protected health information. No evidence of data misuse was cited at the time of disclosure.