Dive Brief:
- Orasure Technologies said Friday that an unauthorized third party gained access to its data at the end of March.
- Certain files were taken, and the diagnostic company was investigating the extent of any sensitive information in the accessed systems as of Friday.
- Orasure believes it has contained the incident and “preserved the integrity of its core financial and operational systems,” according to a filing with the U.S. Securities and Exchange Commission. The company does not expect the incident to have a material impact on its business.
Dive Insight:
Orasure provided an overview of events in a statement for investors. On “or about” March 27, the company became aware of a cybersecurity incident. An unauthorized third party gained access to Orasure data from certain information systems.
The company then initiated response protocols, started an investigation with the help of cybersecurity experts and external counsel, and notified law enforcement. While Orasure believes it has contained the incident, it was still assessing “what, if any, regulatory and legal notifications are required.” The findings of an investigation into the incident and whether personal data was accessed will inform the next steps.
Orasure described its cybersecurity approach in a March annual financial filing. The company, which sees cybersecurity as a critical business risk, has an information security management system designed to protect the company, employees and customers from cybersecurity threats. The system is informed by the National Institute of Standards and Technology Cybersecurity Framework.
“Our cybersecurity risk management program includes a number of components, including informal self-assessments, penetration testing and vulnerability assessments,” the company said. “Our managed security services provider helps us implement additional security controls, including malware protection and network security tools.”
Discussing its exposure to cybersecurity risks, Orasure said it has “outsourced significant elements of its IT infrastructure and, as a result, it manages relationships with third-party providers who may or could have access to the company's sensitive and confidential information.” Orasure said it takes “a risk-based approach to the evaluation of third-party vendors.”
At the time of the annual filing, the company said it “has in the past and may in the future experience cybersecurity incidents.” Orasure added that none of the cybersecurity incidents or threats identified at that time “have materially affected us or are reasonably likely to materially affect us.”
