Edgepark Medical Supplies (EMS) learned on May 13, 2019 that an unauthorized person had accessed some of its clients' accounts. That person modified the addresses in the accounts so that orders would be redirected to other delivery addresses. When EMS discovered the potential breach, it immediately deactivated the compromised client accounts.
The investigation into the incident showed that the accounts were accessed by means of brute force tactics or a password spraying attack. In this method, the attacker uses automated, continuous attempts to guess account passwords by trying frequently used passwords and dictionary words.
When the attacker is able to guess an account password correctly, he or she changes the account owner’s shipping address. It’s likely that the attacker placed orders without the Edgepark.com account holders knowing about it. The breach is still being investigated, but EMS has stated that it will give refunds to clients who were billed for falsified orders.
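The sequence described above (failed logins spread across many accounts, a successful login, then a shipping address change) can be searched for in authentication and account-activity logs. The following is an added example, not code from EMS or from the investigation; the event format, action names, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, source IP, account, action.
SAMPLE_EVENTS = [
    ("2024-01-01T02:00:01", "203.0.113.7", "alice", "login_fail"),
    ("2024-01-01T02:00:03", "203.0.113.7", "bob", "login_fail"),
    ("2024-01-01T02:00:05", "203.0.113.7", "carol", "login_fail"),
    ("2024-01-01T02:00:07", "203.0.113.7", "dave", "login_ok"),
    ("2024-01-01T02:01:10", "203.0.113.7", "dave", "address_change"),
    # A legitimate user who mistyped a password once, then updated an address.
    ("2024-01-01T09:15:00", "198.51.100.20", "erin", "login_fail"),
    ("2024-01-01T09:15:20", "198.51.100.20", "erin", "login_ok"),
    ("2024-01-01T09:20:00", "198.51.100.20", "erin", "address_change"),
]

def find_spray_sources(events, min_accounts=3, window=timedelta(minutes=10)):
    """Return IPs whose failed logins hit >= min_accounts distinct accounts within window."""
    fails = defaultdict(list)
    for ts, ip, account, action in events:
        if action == "login_fail":
            fails[ip].append((datetime.fromisoformat(ts), account))
    sources = set()
    for ip, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({acct for _, acct in attempts[start:end + 1]}) >= min_accounts:
                sources.add(ip)
                break
    return sources

def find_suspect_address_changes(events, **thresholds):
    """Return (account, ip, time) for address changes that follow a login from a spray source."""
    spray = find_spray_sources(events, **thresholds)
    logged_in, hits = set(), []
    for ts, ip, account, action in sorted(events):  # ISO timestamps sort chronologically
        if ip not in spray:
            continue
        if action == "login_ok":
            logged_in.add((ip, account))
        elif action == "address_change" and (ip, account) in logged_in:
            hits.append((account, ip, ts))
    return hits

if __name__ == "__main__":
    for account, ip, ts in find_suspect_address_changes(SAMPLE_EVENTS):
        print(f"review {account}: address changed at {ts} from spray source {ip}")
```

Keying on a single source IP is a simplification; an attacker who rotates addresses would need correlation on other attributes, which this example does not attempt.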
Apart from making bogus orders using the compromised accounts of Edgepark.com clients, the hacker could have viewed or acquired their information, such as their names, dates of birth, addresses, items ordered using the company website, and healthcare insurance details.
The HHS Office for Civil Rights announced this breach on its breach portal, indicating that 6,572 Edgepark.com customers were affected. EMS is reviewing its security defenses to determine what additional critical steps to take in order to keep breaches of the same nature at bay.
EMS has already had three big breaches in 5 years. The first was in 2014, when EMS had a malware attack that was discovered after 9 months. The incident affected 4,230 patients. The second was in January 2018, when a mailing error resulted in the impermissible disclosure of the PHI of 4,586 patients. The third is the unauthorized access incident mentioned above.