Cyber Incident Victim: bioMérieux
Date: Jun 2023
Location: United States of America
Summary
A cybersecurity incident occurred at bioMérieux involving the unauthorized disclosure of personal information held by a vendor, Vitality Group. The compromised data included Social Security numbers, health information, and other personal details of current and former members and their families. The breach did not involve bioMérieux's own internal systems, and bioMérieux has since halted data sharing with the vendor while the investigation continues.
Description
On or before June 15, 2023, bioMérieux became aware of a data security breach involving the unauthorized disclosure of personal information. The incident did not originate within bioMérieux's own systems but was instead reported to them by a vendor, Vitality Group. The initial notification to affected individuals, including current and former employees and their family members, was provided by bioMérieux via email and letter on June 15, 2023. This communication served as a preliminary alert regarding the security event. Vitality Group, which manages wellness and benefits programs, had recently informed bioMérieux of the incident, prompting this initial outreach.

By June 20, 2023, Vitality Group provided bioMérieux with updated information that detailed the specific categories of personal information that were accessed without authorization. This more complete assessment confirmed the scope of the compromised data. Based on the information provided by Vitality, the accessed data included highly sensitive personal information such as Social Security numbers and dates of birth. It also included specific health information, which encompassed medical procedure codes related to eligible member claims on bioMérieux's medical plan. Furthermore, health information from wellness screenings was compromised; this data included results for eligible members who completed their Vitality Check screenings through Health Advocate's on-site events or by using screening vouchers. The breach impacted not only the primary bioMérieux employees but also individuals from its affiliated entities, BioFire Defense, Transgene, and ABL, as well as their family members.
In response to the breach, bioMérieux immediately initiated a review of the information relating to the incident as soon as it was made available by Vitality Group. A primary containment action taken was the cessation of sharing team member personal data with Vitality. This halt in data sharing was to remain in effect while both Vitality’s internal investigation and bioMérieux’s own review of the data breach were ongoing. bioMérieux committed to continuing its monitoring of the situation and promised to provide a further update if any significant developments occurred. Although the breach did not involve any internal bioMérieux systems, the company issued an official notice of data breach dated May 31, 2023, which was later mailed to affected individuals, in the interest of transparency and an abundance of caution.
The remediation and support efforts for impacted individuals were managed by the responsible vendor, Vitality Group. Vitality partnered with Experian to offer two years of credit monitoring and identity theft insurance services to all impacted members and their impacted family members. Information on how to access these services was emailed directly to affected individuals by Vitality on June 16, 2023. For those who did not receive this communication or had additional questions, Vitality established a customer care hotline operated by Experian. Affected persons were instructed to call (800) 828-9572 with questions regarding the vulnerability, credit monitoring, identity theft protection, and related matters. bioMérieux directed its employees to its internal HR Support Hub team, available at (919) 620-2527 and [email protected], to answer benefits program-specific questions, while employees of BioFire Defense, Transgene, and ABL were instructed to contact their respective HR Business Partners.
The notice provided to individuals included extensive guidance on steps they could take to protect themselves, though these were presented as recommendations from authorities and not as actions taken by bioMérieux itself. Individuals were advised to remain vigilant by reviewing their account statements and credit reports for any suspicious activity. They were instructed to promptly notify the relevant financial institution and report any fraudulent activity or suspected identity theft to law enforcement authorities, including their state attorney general and the Federal Trade Commission (FTC). The FTC's complaint website, IdentityTheft.gov, and phone number, 1-877-ID-THEFT, were provided for this purpose. The notice also detailed methods for obtaining free annual credit reports from Equifax, Experian, and TransUnion through AnnualCreditReport.com. Furthermore, it explained the process of placing an initial 90-day fraud alert on a credit report at no charge by contacting any of the three major credit bureaus. The notice also described the option of placing a security freeze on credit files with each credit reporting agency, which, while free, could delay the application for new services requiring a credit check. The consequences of the breach were the potential exposure of highly sensitive personal and health data, creating a significant risk of identity theft and financial fraud for the affected individuals. The scope was confirmed to include current and former members of the bioMérieux benefits program and their family members, whose data was handled by the vendor. The incident was a third-party breach originating from the systems of Vitality Group, and bioMérieux's role was that of the data owner notifying its population of the disclosure caused by its business partner.
