Cyber Incident Victim: UCHealth Vendor
Date:
Jan 2023
Location:
United States of America
Summary
A cybersecurity incident at Diligent Corporation, a third-party vendor providing operational software tools, compromised sensitive patient data from UCHealth. The breach exposed names, Social Security numbers, financial account details, dates of birth, and protected health information for 48,879 individuals. While the healthcare provider's internal systems, including email and medical records, remained unaffected, unauthorized access to Diligent's network led to the exposure of UCHealth-related files. The vendor notified the organization, prompting a review of impacted data and subsequent breach notifications to affected patients. The incident heightened risks of identity theft and fraud for those whose information was accessed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 17, 2023, the University of Colorado Hospital Authority (UCHealth) filed a breach notification with the U.S. Department of Health and Human Services Office for Civil Rights following a cybersecurity incident at Diligent Corporation, one of its third-party vendors. Diligent Corporation, a New York-based software-as-a-service provider specializing in governance, risk, and compliance tools for UCHealth’s business operations, informed UCHealth that an unauthorized party had accessed its computer network. This breach compromised sensitive data belonging to UCHealth patients, including names, Social Security numbers, financial account information, dates of birth, and protected health information. UCHealth confirmed that its internal systems—including email and electronic medical records—remained unaffected by the incident. The breach impacted 48,879 individuals, as disclosed in UCHealth’s regulatory filing and public website notice. Diligent Corporation initiated an investigation upon discovering the incident, though the specific timeline of the attack and method of intrusion were not detailed in public disclosures.
Following confirmation of the data exposure, UCHealth conducted a review of the compromised files to identify affected individuals and the scope of leaked information. The organization began mailing individualized data breach notification letters to all impacted parties on January 17, 2023, the same date as its regulatory filing. The breach exposed victims to heightened risks of identity theft and financial fraud due to the sensitivity of the compromised data. UCHealth emphasized that the incident originated solely within Diligent’s systems, which support UCHealth’s operational functions but are distinct from its core healthcare infrastructure. Diligent Corporation, which serves over 25,000 customers globally and generates approximately $250 million in annual revenue, did not disclose additional technical or operational specifics about the breach beyond its notification to UCHealth. No further actions by UCHealth or Diligent to contain the incident or remediate affected systems were described in the available public statements.