Bon Secours
Company Details
Linkedin ID:
bon-secours-health-system
Website:
Employees number:
9,938
Number of followers:
62,231
NAICS:
62
Industry Type:
Homepage:
bonsecours.com
IP Addresses:
0
Company ID:
BON_1974226
Scan Status:
In-progress
Bon Secours Company CyberSecurity Posture
bonsecours.com
Bon Secours Health System, Inc. based in Marriottsville, Maryland, is a $3.2 billion dollar not-for-profit Catholic health system that owns, manages or joint ventures 18 acute care, 5 long term care, 4 assisted living, 6 retirement communities/senior housing, 14 home care and hospice services, and other facilities, primarily on the East Coast. Bon Secours Health System consists of more than 24,000 caregivers helping people in seven states. Its vision is to be a prophetic Catholic health ministry partnering with communities to create a more humane world, build health and social justice and provide exceptional value for those served.
Bon Secours A.I CyberSecurity Scoring
Bon Secours Risk Score (AI oriented)Between 750 and 799
Bon Secours
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Bon Secours Global Score (TPRM)XXXX
Bon Secours
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Bon Secours Company CyberSecurity News & History
Past Incidents
2
Attack Types
1
Bon Secours Health System, Inc.
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: The California Office of the Attorney General disclosed a data breach affecting **Bon Secours Health System, Inc.** in August 2016. The incident occurred between **April 18–21, 2016**, when a third-party vendor, **R-C Healthcare Management**, inadvertently left files containing sensitive patient data exposed on the internet. The compromised information included **names, health insurance details, Social Security numbers, and clinical records** of unspecified individuals. The breach stemmed from misconfigured access controls, allowing unauthorized exposure of protected health information (PHI). While the exact number of affected patients was not specified, the exposure posed significant risks of identity theft, financial fraud, and privacy violations. The vendor’s negligence in securing the data led to potential long-term repercussions for the impacted individuals, including reputational harm to Bon Secours and regulatory scrutiny under healthcare data protection laws like **HIPAA**. No evidence of malicious exploitation was confirmed, but the unauthorized accessibility alone constituted a severe lapse in data security protocols.
Bon Secours
Breach
Rankiteo Explanation
Attack threatening the organization's existence
Description: Bon Secours Health System, based in Marriottsville, Md., suffered from a data breach incident after that 655,000 patients health information were exposed as a result of an error made by one of its business associates. The compromised information included names, social security numbers, insurance and banking information, and some clinical data. Bon Secours conducted a two-month internal investigation of the incident, and offered a year of credit monitoring and identity theft protection services without charge.
Bon Secours Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Bon Secours
Incidents vs Hospitals and Health Care Industry Average (This Year)
No incidents recorded for Bon Secours in 2025.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Bon Secours in 2025.
Incident Types Bon Secours vs Hospitals and Health Care Industry Avg (This Year)
No incidents recorded for Bon Secours in 2025.
Incident History — Bon Secours (X = Date, Y = Severity)
Bon Secours cyber incidents detection timeline including parent company and subsidiaries
Bon Secours Company Subsidiaries
Bon Secours Health System, Inc. based in Marriottsville, Maryland, is a $3.2 billion dollar not-for-profit Catholic health system that owns, manages or joint ventures 18 acute care, 5 long term care, 4 assisted living, 6 retirement communities/senior housing, 14 home care and hospice services, and other facilities, primarily on the East Coast. Bon Secours Health System consists of more than 24,000 caregivers helping people in seven states. Its vision is to be a prophetic Catholic health ministry partnering with communities to create a more humane world, build health and social justice and provide exceptional value for those served.
Loading...
Bon Secours Similar Companies
Baptist Health
Baptist Health South Florida is the largest healthcare organization in the region, with 12 hospitals, more than 28,000 employees, 4,500 physicians and 200 outpatient centers, urgent care facilities and physician practices spanning Miami-Dade, Monroe, Broward and Palm Beach counties. Baptist Health S
Johnson & Johnson MedTech
At Johnson & Johnson MedTech, we are working to solve the world’s most pressing healthcare challenges through innovations at the intersection of biology and technology. With deep expertise in surgery, orthopaedics, cardiovascular, and vision, we design healthcare solutions that are smarter, less inv
Community Health Systems is one of the nation’s leading healthcare providers. Developing and operating healthcare delivery systems across 14 states, CHS is committed to helping people get well and live healthier. CHS affiliates operate 70 acute-care hospitals and more than 1,000 other sites of care,
Providence
Every day, 119,000 compassionate caregivers serve patients and communities through Providence St. Joseph Health, a national, Catholic, not-for-profit health system, driven by a belief that health is a human right. Rooted in the founding missions of the Sisters of Providence and the Sisters of St.
A national blended health organization, Highmark Health and our leading businesses support millions of customers with products, services and solutions closely aligned to our mission of creating remarkable health experiences, freeing people to be their best. Headquartered in Pittsburgh, we're region
University of Maryland Medical System
The University of Maryland Medical System (UMMS) was created in 1984 when the state-owned University Hospital became a private, nonprofit organization. It has evolved into a multi-hospital system with academic, community and specialty service missions reaching every part of the state and beyond. UM
Mayo Clinic has expanded and changed in many ways, but our values remain true to the vision of our founders. Our primary value – The needs of the patient come first – guides our plans and decisions as we create the future of health care. Join us and you'll find a culture of teamwork, professionalism
MultiCare Health System
MultiCare’s roots in the Pacific Northwest go back to 1882, with the founding of Tacoma’s first hospital. Over the years, we’ve grown from a Tacoma-centric, hospital-based organization into the largest, community-based, locally governed health system in the state of Washington. Today, our comprehe
Siemens Healthineers
Siemens Healthineers is a leading medtech company with over 125 years of experience. We pioneer breakthroughs in healthcare. For everyone. Everywhere. Sustainably. Our portfolio, spanning in vitro and in vivo diagnostics to image-guided therapy and cancer care, is crucial for clinical decision-makin
.png)
Bon Secours CyberSecurity News
November 01, 2025 11:31 AM
Bon Secours completes downtown Greenville campus renovation
Bon Secours St. Francis has completed renovations that expand its critical care and medical/surgical services on the downtown campus.
July 31, 2025 07:00 AM
Here’s who’s pledged to improve medical data sharing
Dozens of organizations, including 11 health systems, have agreed to work together to help improve the sharing of medical data across...
June 08, 2025 07:00 AM
48 CIOs On the Move
We're highlighting a new wave of CIOs, CTOs, and CISOs taking on pivotal leadership roles across healthcare, technology, finance, and beyond.
April 16, 2025 07:00 AM
hellocare.ai scores $47M for AI-enabled virtual care for smart hospitals
The hospital-focused telehealth and virtual care delivery company, which currently works with more than 70 health systems,...
October 21, 2024 07:00 AM
Bon Secours Mercy Health Hit With Class Action Over Data Breach
Ohio-based Bon Secours Mercy Health Inc. failed to protect the personal information of thousands of people that was exposed in a data breach.
October 11, 2024 07:00 AM
Bon Secours Mercy Health Data Breach Investigation
Strauss Borrelli PLLC, a leading data breach law firm, is investigating Bon Secours Mercy Health, regarding its recent data breach.
October 09, 2024 07:00 AM
PHOTOS: Hundreds Of Students Attend MTU Careers Fair
The Munster Technological University hosted its Kerry Careers Fair on Tuesday in the Kerry Sports Academy at MTU's Kerry North Campus in Tralee.
January 23, 2024 08:00 AM
Bon Secours Mercy Health, vendor hit with lawsuit after data breach
The suit alleges the health system and a vendor failed to implement standards or promptly alert people whose data may have been exposed following a cyberattack.
January 22, 2024 08:00 AM
Bon Secours Mercy Health sued over data breach
A lawsuit related to a wide-ranging healthcare data breach affecting nearly 9 million people last year has been filed against Bon Secours Mercy Health System.
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Bon Secours CyberSecurity History Information
Official Website of Bon Secours
The official website of Bon Secours is http://www.bonsecours.com.
Bon Secours’s AI-Generated Cybersecurity Score
According to Rankiteo, Bon Secours’s AI-generated cybersecurity score is 758, reflecting their Fair security posture.
How many security badges does Bon Secours’ have ?
According to Rankiteo, Bon Secours currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Bon Secours have SOC 2 Type 1 certification ?
According to Rankiteo, Bon Secours is not certified under SOC 2 Type 1.
Does Bon Secours have SOC 2 Type 2 certification ?
According to Rankiteo, Bon Secours does not hold a SOC 2 Type 2 certification.
Does Bon Secours comply with GDPR ?
According to Rankiteo, Bon Secours is not listed as GDPR compliant.
Does Bon Secours have PCI DSS certification ?
According to Rankiteo, Bon Secours does not currently maintain PCI DSS compliance.
Does Bon Secours comply with HIPAA ?
According to Rankiteo, Bon Secours is not compliant with HIPAA regulations.
Does Bon Secours have ISO 27001 certification ?
According to Rankiteo,Bon Secours is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Bon Secours
Bon Secours operates primarily in the Hospitals and Health Care industry.
Number of Employees at Bon Secours
Bon Secours employs approximately 9,938 people worldwide.
Subsidiaries Owned by Bon Secours
Bon Secours presently has no subsidiaries across any sectors.
Bon Secours’s LinkedIn Followers
Bon Secours’s official LinkedIn profile has approximately 62,231 followers.
NAICS Classification of Bon Secours
Bon Secours is classified under the NAICS code 62, which corresponds to Health Care and Social Assistance.
Bon Secours’s Presence on Crunchbase
No, Bon Secours does not have a profile on Crunchbase.
Bon Secours’s Presence on LinkedIn
Yes, Bon Secours maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/bon-secours-health-system.
Cybersecurity Incidents Involving Bon Secours
As of November 27, 2025, Rankiteo reports that Bon Secours has experienced 2 cybersecurity incidents.
Number of Peer and Competitor Companies
Bon Secours has an estimated 30,008 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Bon Secours ?
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
How does Bon Secours detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an communication strategy with public disclosure via california office of the attorney general..
Incident Details
Can you provide details on each incident ?
Title: Bon Secours Health System Data Breach
Description: Bon Secours Health System, based in Marriottsville, Md., suffered from a data breach incident after 655,000 patients health information were exposed as a result of an error made by one of its business associates.
Type: Data Breach
Title: Bon Secours Health System, Inc. Data Breach (2016)
Description: The California Office of the Attorney General reported a data breach involving Bon Secours Health System, Inc. on August 12, 2016. The breach, which occurred between April 18, 2016, and April 21, 2016, was due to files containing patient information being inadvertently left accessible via the internet by the vendor R-C Healthcare Management, potentially affecting the names, health insurance information, social security numbers, and clinical information of unspecified individuals.
Date Detected: 2016-04-21
Date Publicly Disclosed: 2016-08-12
Type: Data Breach
Attack Vector: Inadvertent Exposure (Misconfigured Internet-Accessible Files)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Breach.
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach BON341622
Data Compromised: Names, Social security numbers, Insurance information, Banking information, Clinical data
Incident : Data Breach BON158082125
Data Compromised: Names, Health insurance information, Social security numbers, Clinical information
Identity Theft Risk: High (PII and SSNs exposed)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Information, Financial Information, Clinical Data, , Personally Identifiable Information (Pii), Protected Health Information (Phi) and .
Which entities were affected by each incident ?
Incident : Data Breach BON341622
Entity Name: Bon Secours Health System
Entity Type: Healthcare Provider
Industry: Healthcare
Location: Marriottsville, Md.
Customers Affected: 655000
Incident : Data Breach BON158082125
Entity Name: Bon Secours Health System, Inc.
Entity Type: Healthcare Provider
Industry: Healthcare
Location: California, USA (and other regions where Bon Secours operates)
Customers Affected: Unspecified (patients)
Incident : Data Breach BON158082125
Entity Name: R-C Healthcare Management
Entity Type: Vendor
Industry: Healthcare Management
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Data Breach BON158082125
Communication Strategy: Public disclosure via California Office of the Attorney General
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach BON341622
Type of Data Compromised: Personal information, Financial information, Clinical data
Number of Records Exposed: 655000
Sensitivity of Data: High
Incident : Data Breach BON158082125
Type of Data Compromised: Personally identifiable information (pii), Protected health information (phi)
Sensitivity of Data: High
Data Exfiltration: Potential (files left accessible via internet)
Personally Identifiable Information: NamesSocial Security NumbersHealth Insurance InformationClinical Information
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident ?
Incident : Data Breach BON158082125
Regulations Violated: Potential HIPAA (Health Insurance Portability and Accountability Act) violations, California Data Breach Notification Law (if applicable),
Regulatory Notifications: California Office of the Attorney General
References
Where can I find more information about each incident ?
Incident : Data Breach BON158082125
Source: California Office of the Attorney General
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: California Office of the Attorney General.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Data Breach BON341622
Investigation Status: Internal investigation conducted for two months
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public disclosure via California Office of the Attorney General.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Data Breach BON341622
Customer Advisories: Offered a year of credit monitoring and identity theft protection services without charge
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: was Offered a year of credit monitoring and identity theft protection services without charge.
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Data Breach BON158082125
Root Causes: Misconfiguration by third-party vendor (R-C Healthcare Management) leading to unintended exposure of sensitive files over the internet.
Additional Questions
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2016-04-21.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2016-08-12.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were names, social security numbers, insurance information, banking information, clinical data, , Names, Health Insurance Information, Social Security Numbers, Clinical Information and .
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Names, Social Security Numbers, Clinical Information, social security numbers, insurance information, Health Insurance Information, clinical data, names and banking information.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 655.0.
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident is California Office of the Attorney General.
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Internal investigation conducted for two months.
Stakeholder and Customer Advisories
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued was an Offered a year of credit monitoring and identity theft protection services without charge.
.png)
Latest Global CVEs (Not Company-Specific)
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Risk Information
cvss4
Base: 7.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
- https://github.com/angular/angular/commit/0276479e7d0e280e0f8d26fa567d3b7aa97a516f
- https://github.com/angular/angular/commit/05fe6686a97fa0bcd3cf157805b3612033f975bc
- https://github.com/angular/angular/commit/3240d856d942727372a705252f7c8c115394a41e
- https://github.com/angular/angular/releases/tag/19.2.16
- https://github.com/angular/angular/releases/tag/20.3.14
- https://github.com/angular/angular/releases/tag/21.0.1
- https://github.com/angular/angular/security/advisories/GHSA-58c5-g7wp-6w37
Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.
Risk Information
cvss4
Base: 6.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.
Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.
Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=bon-secours-health-system' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
