Xsolis and Rochester Regional Health: Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Xsolis and Rochester Regional Health: Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Rochester Regional Health Patients Receive Confusing Breach Notifications After Vendor Incident

Patients of Rochester Regional Health recently received mailed notifications regarding a data breach linked to a third-party vendor, Xsolis a case and utilization management services provider previously used by the healthcare system. The breach, discovered by the vendor, exposed sensitive patient information, though the hospital itself was not directly compromised.

The notifications sparked confusion and skepticism among recipients due to several errors. The letters incorrectly identified the facility as "Rochester Regional Medical Center" instead of its proper name, Rochester Regional Health. Many recipients initially dismissed the notices as scams, particularly given the hospital’s history of prior breaches in 2020 and 2023.

Rochester Regional Health later confirmed the legitimacy of the breach notifications, attributing the miscommunication to the vendor’s handling of the incident. The incident highlights ongoing challenges in third-party risk management and the importance of clear, accurate breach disclosures in maintaining patient trust.

Source: https://www.securitymagazine.com/articles/102376-error-in-breach-notice-leaves-victims-confused-skeptical

Rochester Regional Health cybersecurity rating report: https://www.rankiteo.com/company/rochesterregionalhealth

Xsolis cybersecurity rating report: https://www.rankiteo.com/company/xsolis

"id": "ROCXSO1781634267",
"linkid": "rochesterregionalhealth, xsolis",
"type": "Breach",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Patients',
                        'industry': 'Healthcare',
                        'location': 'Rochester, New York',
                        'name': 'Rochester Regional Health',
                        'type': 'Healthcare System'},
                       {'industry': 'Case and Utilization Management Services',
                        'name': 'Xsolis',
                        'type': 'Third-Party Vendor'}],
 'attack_vector': 'Third-Party Vendor Compromise',
 'customer_advisories': 'Mailed notifications to patients',
 'data_breach': {'personally_identifiable_information': 'Likely included',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive patient information'},
 'description': 'Patients of Rochester Regional Health received mailed '
                'notifications regarding a data breach linked to a third-party '
                'vendor, Xsolis. The breach exposed sensitive patient '
                'information, though the hospital itself was not directly '
                'compromised. The notifications contained errors, leading to '
                'confusion and skepticism among recipients.',
 'impact': {'brand_reputation_impact': 'Negative impact due to errors in '
                                       'notifications and prior breach history',
            'customer_complaints': 'Confusion and skepticism among recipients',
            'data_compromised': 'Sensitive patient information',
            'identity_theft_risk': 'Potential risk due to exposure of '
                                   'sensitive patient information'},
 'lessons_learned': 'Ongoing challenges in third-party risk management and the '
                    'importance of clear, accurate breach disclosures in '
                    'maintaining patient trust.',
 'post_incident_analysis': {'root_causes': 'Third-party vendor (Xsolis) '
                                           'breach, miscommunication in breach '
                                           'notifications'},
 'references': [{'source': 'Cyber Incident Description'}],
 'response': {'communication_strategy': 'Mailed notifications with errors, '
                                        'later confirmed by Rochester Regional '
                                        'Health'},
 'title': 'Rochester Regional Health Patients Receive Confusing Breach '
          'Notifications After Vendor Incident',
 'type': 'Data Breach'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.