Incident Types: The types of cybersecurity incidents that have occurred include Breach.

Total Financial Loss: The total financial loss from these incidents is estimated to be $12.60 million.

Detection and Response: The company detects and responds to cybersecurity incidents through an incident response plan activated with yes (post-breach), and third party assistance with yes (third-party hipaa security risk assessment), and containment measures with shortened email retention period, containment measures with enhanced mfa, containment measures with password policy updates, and remediation measures with security awareness training, remediation measures with audit mechanisms for weak passwords, remediation measures with third-party risk assessment, and communication strategy with class-action settlement notifications, communication strategy with regulatory disclosures (hhs, state ags)..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Phishing email (compromised shared inbox).

Average Financial Loss: The average financial loss per incident is $12.60 million.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Data, Enrollment Information, Sensitive Customer Records and .

Incident Response Plan: The company's incident response plan is described as Yes (post-breach).

Third-Party Assistance: The company involves third-party assistance in incident response through Yes (third-party HIPAA security risk assessment).

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Security awareness training, Audit mechanisms for weak passwords, Third-party risk assessment, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by shortened email retention period, enhanced mfa, password policy updates and .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Class-action lawsuit (settled 2026-01-07), NY DFS Consent Order (2022-10), NY AG Settlement (2022-01), 4-State AG Settlement (2023-05), .

Key Lessons Learned: The key lessons learned from past incidents are Shared inboxes with weak passwords are high-risk targets for phishing.,Prolonged data retention increases exposure in breaches.,MFA and password policies must be enforced rigorously in healthcare.,Regulatory non-compliance (e.g., HIPAA) amplifies financial and reputational damage.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Information Security Media Group (ISMG), and Source: NY DFS Consent Order (2022-10), and Source: NY AG Settlement (2022-01), and Source: 4-State AG Settlement (NJ, FL, PA, OR; 2023-05), and Source: HHS Breach Report (2020-09).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Class-Action Settlement Notifications, Regulatory Disclosures (Hhs and State Ags).

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Class-Action Settlement Notices, Regulatory Filings (Hhs, State Ags), Breach Notifications (2020), Settlement Claims Process (Up To $10,100 Per Affected Individual) and .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Enhanced Mfa And Password Policies, Third-Party Hipaa Security Risk Assessment, Reduced Email Retention Periods, Mandatory Security Awareness Training, Audit Mechanisms For Weak Passwords, .

Most Recent Incident Detected: The most recent incident detected was on 2020-09.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2020-09.

Highest Financial Loss: The highest financial loss from an incident was $12.6M+ (regulatory fines, settlements, and litigation costs).

Most Significant Data Compromised: The most significant data compromised in an incident were Personal Data, Sensitive Customer Information and .

Most Significant System Affected: The most significant system affected in an incident was Shared Employee Email Inbox (enrollment processing).

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident was Shortened email retention periodEnhanced MFAPassword policy updates.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Personal Data and Sensitive Customer Information.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 2.1M.

Highest Fine Imposed: The highest fine imposed for a regulatory violation was $12.6M+ ($4.5M NY DFS, $600K NY AG, $2.5M 4-state AG, $5M class-action).

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Class-action lawsuit (settled 2026-01-07), NY DFS Consent Order (2022-10), NY AG Settlement (2022-01), 4-State AG Settlement (2023-05), .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Regulatory non-compliance (e.g., HIPAA) amplifies financial and reputational damage.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Enforce password complexity and rotation policies with audits., Implement strict MFA for all email accounts, especially shared inboxes., Limit data retention periods to minimize breach impact., Train employees on phishing awareness and incident reporting., Segment networks to isolate sensitive data (e.g., enrollment systems). and Conduct regular HIPAA security risk assessments with third-party auditors..

Most Recent Source: The most recent source of information about an incident are NY DFS Consent Order (2022-10), 4-State AG Settlement (NJ, FL, PA, OR; 2023-05), NY AG Settlement (2022-01), HHS Breach Report (2020-09) and Information Security Media Group (ISMG).

Current Status of Most Recent Investigation: The current status of the most recent investigation is Closed (settlements finalized; final court hearing on 2026-01-07).

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Class-action settlement notices, Regulatory filings (HHS, state AGs), .

Most Recent Customer Advisory: The most recent customer advisory issued were an Breach notifications (2020)Settlement claims process (up to $10 and100 per affected individual).

Most Recent Entry Point: The most recent entry point used by an initial access broker was an Phishing email (compromised shared inbox).