Cyber Incident Victim: Edgepark Medical Supplies

Date: May 2019

Location: United States of America

Summary

Edgepark Medical Supplies experienced a password spray attack involving unauthorized access to customer accounts, where attackers altered shipping addresses and redirected orders. The breach potentially exposed personal information including names, dates of birth, addresses, purchased products, and health insurance details, though Social Security numbers and financial data remained unaffected. The company disabled compromised accounts, issued refunds for fraudulent charges, notified law enforcement, and implemented enhanced security measures. Approximately 6,572 individuals were notified due to unusual account activity, with the incident marking the third known security breach for the organization following prior malware and insider-related compromises.

Description

On or about May 13, 2019, Edgepark Medical Supplies detected unauthorized changes to shipping addresses in a small number of customer accounts on their Edgepark.com platform, resulting in orders being diverted to incorrect locations. The company initiated an immediate investigation, which revealed that the incident stemmed from a password spray attack—a method where attackers systematically attempt common passwords across multiple accounts using automated tools. This technique allowed unauthorized individuals to potentially access customer accounts, though Edgepark confirmed the attackers did not compromise Social Security numbers, credit card information, or other financial data. The investigation determined that exposed information could include customer names, dates of birth, physical addresses, details of purchased medical supplies, and health insurance details. A total of 6,572 patients were identified as potentially impacted by the unusual account activity. Edgepark emphasized that the breach was confined to their online customer portal and did not affect internal corporate systems or payment processing infrastructure.

In response, Edgepark temporarily disabled web access to the compromised accounts and issued refunds to customers charged for orders shipped to fraudulent addresses. The company notified law enforcement agencies and implemented additional security controls to reduce future risks, though specific technical measures were not disclosed. Impacted individuals received direct notifications, and Edgepark established a dedicated phone line for customer inquiries. This incident marked Edgepark’s third major breach disclosure since 2013, following a 2013 malware incident affecting 4,230 patients and a 2018 insider error exposing data of 4,586 patients. The 2019 attack underscored persistent external threats to their customer-facing systems, though no evidence suggested data misuse beyond the observed shipping diversions. Edgepark’s public statement acknowledged the breach’s potential inconvenience but reaffirmed their commitment to safeguarding personal information.
