On November 18, 2023, the Vermont Office of the Attorney General disclosed a data breach affecting Stanford Health Care’s group health plans. The incident stemmed from unauthorized access to a **MOVEit Transfer server**, discovered on **August 11, 2023**, though the breach itself occurred earlier on **May 30, 2023**. The attack exposed **personal information** of an unspecified number of individuals, including potentially sensitive health-related data tied to the group health plans. While the exact scope of compromised data (e.g., medical records, financial details, or identifiers) was not specified, the breach involved a third-party file transfer tool widely exploited in 2023 by cybercriminals. The delay in detection suggests a sophisticated intrusion, likely leveraging a **zero-day vulnerability** in MOVEit. As a healthcare provider, Stanford Health Care handles highly regulated data under **HIPAA**, making the exposure particularly critical. The breach underscores risks associated with third-party vendor vulnerabilities and the broader implications for patient trust and regulatory compliance.
TPRM report: https://www.rankiteo.com/company/stanford-health-care
"id": "sta1008091725",
"linkid": "stanford-health-care",
"type": "Breach",
"date": "5/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Healthcare',
'location': 'California, USA',
'name': 'Stanford Health Care',
'type': 'Healthcare Provider'},
{'industry': 'Legal/Regulatory',
'location': 'Vermont, USA',
'name': 'Vermont Office of the Attorney General '
'(Reporting Entity)',
'type': 'Government Agency'}],
'attack_vector': 'Exploitation of MOVEit Transfer Server Vulnerability',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (Personal Information)',
'type_of_data_compromised': ['Personal Information']},
'date_detected': '2023-08-11',
'date_publicly_disclosed': '2023-11-18',
'description': 'On November 18, 2023, the Vermont Office of the Attorney '
'General reported a data breach involving the group health '
'plans of Stanford Health Care. The breach was discovered on '
'August 11, 2023, after unauthorized access to a MOVEit '
'Transfer server occurred on May 30, 2023, potentially '
'impacting personal information of an unspecified number of '
'individuals.',
'impact': {'data_compromised': True,
'identity_theft_risk': True,
'systems_affected': ['MOVEit Transfer Server']},
'initial_access_broker': {'entry_point': 'MOVEit Transfer Server',
'high_value_targets': ['Personal Information of '
'Group Health Plan Members']},
'post_incident_analysis': {'root_causes': ['Exploitation of Unpatched MOVEit '
'Transfer Vulnerability']},
'references': [{'date_accessed': '2023-11-18',
'source': 'Vermont Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['Vermont Office of the '
'Attorney General']},
'title': 'Data Breach Involving Stanford Health Care Group Health Plans via '
'MOVEit Transfer Server',
'type': 'Data Breach',
'vulnerability_exploited': 'MOVEit Transfer (CVE-2023-34362 or related)'}