Waystar

The Kentucky Attorney General disclosed a data breach at Waystar, a healthcare technology company, which occurred on October 24–25, 2023, due to a coding error. The incident exposed personal information of patients, including names, addresses, and account numbers, though the exact number of affected individuals remains undisclosed. While no evidence suggests misuse of the compromised data, the breach poses risks such as identity theft or financial fraud. In response, Waystar has enhanced security protocols and is providing one year of free identity and credit monitoring via NortonLifeLock to impacted individuals. The breach underscores vulnerabilities in healthcare data systems, particularly when human errors in coding lead to unauthorized access. No ransomware or malicious external attack was reported, but the exposure of patient data even without confirmed exploitation raises concerns over privacy violations and potential reputational damage for the company.

Source: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/816d2b14-0003-4dce-bae5-c87666321ea9.shtml

TPRM report: https://www.rankiteo.com/company/waystar

"id": "way405090725",
"linkid": "waystar",
"type": "Breach",
"date": "10/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Unknown',
                        'industry': 'Healthcare Revenue Cycle Management',
                        'name': 'Waystar',
                        'type': 'Healthcare Technology Company'}],
 'attack_vector': 'Coding Error',
 'customer_advisories': 'One year of complimentary identity and credit '
                        'monitoring services through NortonLifeLock',
 'data_breach': {'number_of_records_exposed': 'Unknown',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII including names, addresses, '
                                        'account numbers)',
                 'type_of_data_compromised': ['Personal Information']},
 'date_publicly_disclosed': '2023-12-20',
 'description': 'The Kentucky Attorney General reported a data breach '
                'involving Waystar on December 20, 2023. The breach, which '
                'occurred due to a coding error on October 24-25, 2023, '
                'affected personal information including names, addresses, and '
                'account numbers of patients, though the number of individuals '
                'affected is unknown. Waystar has implemented additional '
                'security measures and is offering one year of complimentary '
                'identity and credit monitoring services through '
                'NortonLifeLock.',
 'impact': {'data_compromised': ['names', 'addresses', 'account numbers'],
            'identity_theft_risk': 'High (personal information exposed)'},
 'post_incident_analysis': {'corrective_actions': 'Additional security '
                                                  'measures implemented',
                            'root_causes': 'Coding error'},
 'references': [{'source': 'Kentucky Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'Kentucky Attorney '
                                                       'General'},
 'response': {'incident_response_plan_activated': 'Yes (additional security '
                                                  'measures implemented)',
              'remediation_measures': 'Additional security measures',
              'third_party_assistance': 'NortonLifeLock (identity and credit '
                                        'monitoring services)'},
 'title': 'Waystar Data Breach Due to Coding Error',
 'type': 'Data Breach'}