Third-party data breach round-up: mscripts, Diligent, Mailchimp

This month, more than 114,000 individuals may have experienced personally identifiable information and protected health information exposures from these incidents, while an email marketing hack is a new source for phishing attacks.

Medication adherence platform mscripts breached

On January 17, mscripts, a cloud-based mobile pharmacy platform that focuses on patient engagement and medication adherence solutions, reported to the U.S. Department of Health and Human Services unauthorized access/disclosure that involved protected health information of 66,372 individuals, according to the Office for Civil Rights cases under investigation list.

The San Francisco-based platform, owned by Dublin, Ohio-based Cardinal Health, uses interactive SMS messaging and branded mobile apps to provide dosage and refill reminders and other prescription management functions. 

It has partnerships across the healthcare space and customers include retailers like Kmart and Wegmans, and providers like Intermountain Healthcare, Banner Health and the Henry Ford Health System.

Mscripts and Cardinal Health have not posted data breach notices to their websites.

The mscripts privacy policy on Henry Ford’s website indicates that PII, as well as PHI, may be collected by mscripts from users and their pharmacies. 

Diligent Corporation announced PII compromised, exposed UCHealth data

According to a UCHealth announcement posted to its website January 17, “Diligent provides hosted services to UCHealth and reported to UCHealth that Diligent’s software was accessed and attachments were downloaded including UCHealth files.”

The Colorado-based healthcare provider noted that electronic medical records and email systems were not part of the breach, but “some of UCHealth’s patient, provider or employee data may have been included in this incident.” 

UCHealth reported to OCR that 48,879 individuals were affected by the hacking incident, according to the agency.

The medical provider said the stolen data may have included:

  • Name.
  • Address.
  • Date of birth.
  • Treatment-related information.
  • Social Security numbers.
  • Other financial information.

Mailchimp’s second social engineering attack, CloudSEK reports leaked API keys

Mailchimp announced on its website that on January 11 it identified an unauthorized actor had compromised administration tools and accessed 133 accounts, exposing customer data, through a second social engineering attack on the company in six months. 

The email marketing service provider temporarily suspended those accounts to protect user data. 

Mailchimp was first breached in April 2022, and threat actors were able to view around 300 user accounts and obtain audience data from 102 of them, as reported by the chief information security officer to the HHS cybersecurity program. 

As a result, HC3 warned healthcare organizations of phishing campaigns leveraged by the email marketing platform. 

While it is not a HIPAA-covered entity with a business associate agreement, a number of medical practice management applications integrate with Mailchimp, and a number of mail marketing service providers for doctors and providers work with Malchimp, Constant Contact and other email marketing platforms.

In the previous social engineering attack in August, Mailchimp specified that the 214 accounts affected were largely cryptocurrency and finance organizations.

However, DigitalOcean, a large cloud provider across industries, including healthcare, confirmed its clients had been affected by malicious password resets, and the provider migrated email services away from the platform.

Also, CloudSEK’s BeVigil research team released a December report that API keys for Mailchimp, along with Mailgun and Sendgrid, had been leaked, potentially allowing threat actors access to email conversations and potentially sensitive information.

“An API key leak in Mailchimp would allow a threat actor to read conversations, fetch customer information, expose email lists of multiple campaigns containing [PII], authorize third-party applications connected to a MailChimp account, manipulate promo codes and start a fake campaign and send emails on behalf of the company,” according to Business Standard’s coverage of the report.

Andrea Fox is senior editor of Healthcare IT News.
Email: af**@***ss.org

Healthcare IT News is a HIMSS publication.

Read More
Christeen Damron

Latest

3 Reasons to Apply for Inc.’s Power Partner Awards

Please enable JS and disable any ad blocker

World Cup betting markets shift after Jordan Henderson’s bizarre celebration injury

Jordan Henderson, the 36-year-old England midfielder, will miss the remainder of the 2026 FIFA World Cup after suffering a serious wrist and forearm injury during post-match celebrations on July 6. He wasn’t even playing when it happened. Henderson was an unused substitute in England’s dramatic 3-2 victory over Mexico in the round of 16. The

Kraken’s World Cup debut and Brazil’s collapse: what crypto gets from the beautiful game

Brazil came into the 2026 World Cup as one of the tournament favorites. They left in the Round of 16, beaten 2-1 by Norway, undone in part by a tactical decision that raised eyebrows across the footballing world: deploying 34-year-old Casemiro as a central striker, a position he hadn’t occupied in years. Haaland scored both

FIFA overturns Balogun’s red card, Trump intervenes for US World Cup match

https://www.nytimes.com/athletic/7424790/2026/07/06/folarin-balogun-red-belgium-explanation/ FIFA’s Disciplinary Committee has overturned the red card suspension of Folarin Balogun, a key player for the U.S. Men’s National Team, allowing him to participate in the upcoming Round of 16 match against Belgium. This decision, made under Article 27 of the FIFA Disciplinary Code, places Balogun on a one-year probationary period, enabling him

Newsletter

Don't miss

3 Reasons to Apply for Inc.’s Power Partner Awards

Please enable JS and disable any ad blocker

World Cup betting markets shift after Jordan Henderson’s bizarre celebration injury

Jordan Henderson, the 36-year-old England midfielder, will miss the remainder of the 2026 FIFA World Cup after suffering a serious wrist and forearm injury during post-match celebrations on July 6. He wasn’t even playing when it happened. Henderson was an unused substitute in England’s dramatic 3-2 victory over Mexico in the round of 16. The

Kraken’s World Cup debut and Brazil’s collapse: what crypto gets from the beautiful game

Brazil came into the 2026 World Cup as one of the tournament favorites. They left in the Round of 16, beaten 2-1 by Norway, undone in part by a tactical decision that raised eyebrows across the footballing world: deploying 34-year-old Casemiro as a central striker, a position he hadn’t occupied in years. Haaland scored both

FIFA overturns Balogun’s red card, Trump intervenes for US World Cup match

https://www.nytimes.com/athletic/7424790/2026/07/06/folarin-balogun-red-belgium-explanation/ FIFA’s Disciplinary Committee has overturned the red card suspension of Folarin Balogun, a key player for the U.S. Men’s National Team, allowing him to participate in the upcoming Round of 16 match against Belgium. This decision, made under Article 27 of the FIFA Disciplinary Code, places Balogun on a one-year probationary period, enabling him

UK Foreign Secretary Warns World Cannot Wait for ‘AI Hiroshima’ Before Acting

UK Foreign Secretary Yvette Cooper has warned that the world cannot wait for an AI equivalent of Hiroshima before acting, urging global powers to build consensus on artificial intelligence (AI) safety principles and standards. Cooper made the case in an essay, positioning Britain to lead international talks on the technology. ...

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom