Michigan healthcare provider Priority Health has suffered a data breach affecting about 120,000 members.

The data breach did not target the health provider directly but a third-party vendor, Warner Norcoss & Judd LLP. The breach occurred in October and is described in a press release as unauthorized activity involving some systems. Priority Health is Michigan’s second-largest health plan provider and serves more than 1 million members every year.

The data potentially accessed includes names, pharmacy and claim information, drug names and prescription dates from prescriptions filled in 2012. There is no evidence that the potentially stolen data has been misused or shared online, according to Warner Norcoss & Judd LLP.

The Priority Health data breach was revealed at around the same that Texas-based health provider BHG Holdings LLC also disclosed a data breach. The Behavioral Health Group breach occurred in December and the full extent of the breach was only known fully in June. As with Priority Health, personal health information is believed to have been accessed and potentially stolen.

“This incident serves as a reminder of the threats that can originate from even the most trusted of business partners, and the importance of being able to identify unusual behavior originating from these partners,” Erich Kron, security awareness advocate at security awareness training company  KnowBe4 Inc., told SiliconANGLE. “While the data may seem quite dated, the specifics and amount of data involved in the compromise could very easily be used by social engineers to attack those whose data has been compromised.”

Chris Clements, vice president of solutions architecture at information technology service management company Cerberus Cyber Sentinel Corp., noted that cybersecurity risk from third parties has risen to a level that no organization can afford to neglect it.

“In this case, a large amount of Priority Health’s customer data was compromised and they were only notified over half a year later,” Clements explained. “During this period, cybercriminals could have used the personal info to conduct fraud or identity theft or leverage the information to construct compelling social engineering campaigns targeting the victims directly. Worse, without being notified, neither Priority Health nor their customers could take proactive action to protect themselves from these attacks.”

Image: Priority Health