Cyber Incident Victim: Diligent Corporation

Date: Jan 2023

Location: United States of America

Summary

A cybersecurity incident at Diligent Corporation, a software vendor providing business operations tools to the University of Colorado Hospital Authority (UCHealth), resulted in unauthorized access to sensitive patient information. The compromised data included names, Social Security numbers, financial account details, dates of birth, and protected health information, affecting 48,879 individuals. UCHealth confirmed its internal systems were not breached but initiated notifications to impacted patients after reviewing the exposed files. Diligent Corporation, which specializes in governance and risk management software, experienced the breach on its own network, prompting the healthcare provider to file regulatory notices and coordinate breach disclosures.

Description

On January 17, 2023, the University of Colorado Hospital Authority (UCHealth) publicly disclosed a data breach stemming from a cybersecurity incident at Diligent Corporation, a third-party vendor providing business operations software to the healthcare organization. UCHealth filed a formal notice with the U.S. Department of Health and Human Services Office for Civil Rights after Diligent notified it of unauthorized access to its computer network. The breach compromised sensitive information belonging to UCHealth patients, including names, Social Security numbers, financial account details, dates of birth, and protected health information. UCHealth confirmed its own systems—including email and electronic medical records—remained unaffected, isolating the intrusion to Diligent's infrastructure. Following the vendor's notification, UCHealth conducted a review of the exposed files to identify impacted individuals and the specific data elements involved. The breach affected 48,879 patients, exposing them to heightened risks of identity theft and financial fraud due to the comprehensive nature of the stolen personal identifiers and health data.

Diligent Corporation assumed responsibility for issuing data breach notification letters to all affected individuals on January 17, 2023, coinciding with UCHealth's regulatory filing and public website notice. The healthcare organization emphasized that the incident occurred exclusively within the environment of Diligent, a New York-based software-as-a-service company specializing in governance, risk, and compliance tools with over 25,000 customers. UCHealth, a Colorado-based nonprofit healthcare system operating 600 facilities across three states, cited the breach's scope as necessitating individual notifications despite no direct compromise of its internal networks. The exposed data combination—particularly Social Security numbers paired with financial account information and protected health records—created significant fraud vulnerabilities for victims. UCHealth's disclosure highlighted the systemic risks posed by third-party vendor incidents, given Diligent's role in handling sensitive operational data for an organization generating $5.4 billion annually and serving patients across multiple regions.