American Israel Public Affairs Committee (AIPAC)
February 6, 2025
•[ data leak, third-party breach ]
AIPAC reported that a criminal cyberattack on a third party led to unauthorized access to files on its own information systems from October 2024 through February 2025. A review later determined that personal identifiers for 810 individuals had been taken, prompting notification letters and additional security controls.
Grubhub
January 25, 2025
•[ data leak, third-party breach ]
Grubhub disclosed that a third-party vendor account was compromised, allowing limited access to contact and partial payment information for customers, drivers, and merchants. Full card, bank, and SSN data were not accessed. No attribution to a specific threat group. Incident contained.
Health Service Executive (HSE) – primary care services, Midlands (third-party processor)
January 2, 2025
•[ ransomware, data breach, third-party breach ]
DataBreaches summarized reporting that the Irish Health Service Executive confirmed a second ransomware attack occurred in February 2025, targeting a third-party processor and resulting in a data protection breach reported by HSE primary care services in the Midlands. The HSE stated there was no evidence that patients' data was stolen in the incident, and the brief report did not describe prolonged operational disruption or specify what systems were encrypted. Based on the confirmation of a ransomware incident affecting a processor, this is coded as a disruptive event with limited publicly available detail on scope and duration.
Carruth Compliance Consulting
December 19, 2024
•[ data leak, third-party breach ]
Third-party retirement plan administrator reported December intrusion exfiltrating school employee data.
Beacon Health Three Rivers
December 2, 2024
•[ unauthorized access, third-party breach ]
Vendor CPS Solutions reported unauthorized email access Dec 24; hospital notified patients.
Concord Orthopaedics
November 21, 2024
•[ data leak, third-party breach ]
Vendor breach exposed patient PII/PHI; notifications sent months after discovery.
Biomedical Caledonia Medical Laboratory
November 1, 2024
•[ data leak, hacked, third-party breach ]
In November 2024, unauthorized actors accessed Biomedical Caledonia Medical Laboratory's systems through an external vendor, prompting an investigation and cybersecurity upgrades. The lab confirmed the intrusion but did not disclose specific data types or quantities affected. No evidence of encryption or operational disruption has been reported.
Gold Coast Health Plan
October 21, 2024
•[ data leak, third-party breach, account takeover ]
Gold Coast Health Plan reported that a contracted vendor (Conduent Business Solutions) suffered a cyberattack involving compromise of a single employee email account, which allowed unauthorized access to certain files during a window from Oct. 21, 2024 to Jan. 13, 2025. The vendor discovered the incident on Jan. 13, 2025 and began an investigation with law enforcement notification. A later forensic review determined that information for 540 plan members could have been exposed, listing specific claim-related and membership data elements; the release stated that Social Security numbers and financial information were not accessed or disclosed.
Phoenix Rehabilitation & Nursing Center
July 20, 2024
•[ data leak, third-party breach ]
Third-party vendor breach exposed PHI/PII for Phoenix Rehab; access confirmed July 20, 2024; notifications sent Jan 28, 2025.
Harbin Clinic
July 1, 2024
•[ data leak, third-party breach ]
Third-party breach at Nationwide Recovery Services (July 2024) led to theft of Harbin Clinic patient data; disclosures and notifications in May 2025.
Lee University
March 22, 2024
•[ data leak, third-party breach ]
University filed notices after third-party software exploit enabled data access.