We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.

HEALTHCARE
$5.5M HIPAA Deal Matches Biggest Privacy Payout

Florida’s Memorial Healthcare Systems has agreed to pay $5.5 million to the federal government to settle allegations that it didn’t properly protect patient data in a record-tying Health Insurance Portability and Accountability Act deal, the feds announced Thursday. Click to read entire article.

Children’s Medical Center Pays Federal Fine Over Data Breach

Children’s Health has paid an almost $3.2 million federal penalty after a multiyear investigation into patient data privacy breaches. Click to read entire article.

Premera Blue Cross Can’t Escape Data Breach Suit

An Oregon federal judge has found Premera Blue Cross can’t escape revised consumer and employee allegations of fraud in multidistrict litigation stemming from a 2015 data breach affecting 11 million people. Click to read entire article.

UNC School of Dentistry warns of potential patient data breach

About 200 patients of the UNC School of Dentistry have been notified that their personal information might be in the hands of a thief, according to school officials. Click to read entire article.

Lexington Medical Center latest victim of data breach

According to a statement released by the hospital, the breach was discovered Friday morning. The breach involved unauthorized access to the employee information database, called eConnect/Peoplesoft. Medical center officials learned about the breach this week and told employees as quickly as possible. The database contains the names, social security numbers, and W-2 forms of current and former employees. The database does not contain patient information. Click to read entire article.

Michigan Cybersecurity Breach Could Impact 22K Patients

Flint, Michigan-based Singh and Arora Oncology Hematology is notifying 22,000 patients that some of their information may have been accessed in a cybersecurity breach. Click to read entire article.

RETAIL
Tennessee Court Awards $1.9 Million in Mapco Express Data Breach Class Action Suit

Last month, a Tennessee federal court ordered Mapco Express, Inc. (“Mapco”) to pay approximately $1.9 million to settle class action claims arising from a 2013 data breach of its retail computer systems. The lawsuit was brought in 2014 by Winsouth Credit Union and First National Community Bank and alleged that Mapco failed to adequately protect consumer financial information at its retail locations. Click to read entire article.

NY AG Settles With Acer For $115,000 Over Data Breach

On January 26, New York Attorney General Eric Schneiderman announced a settlement with Acer Service Corporation over an alleged data breach involving more than 35,000 credit card numbers, including the credit card information and other personal information of 2,250 New York residents. As part of the settlement, Acer agreed to pay $115,000 in penalties and to improve its data security practices. The penalty amounts to approximately $50.12 per New York resident potentially affected. Click to read entire article.

Arby’s Data Breach Exposes 350,000 Records

A point-of-sale malware attack on corporate-owned Arby’s restaurants added an estimated 350,000 compromised records to the total number of records exposed so far in 2017. Arby’s owns about 1,000 of its more than 3,300 U.S. stores. Not all the company-owned stores and none of the franchised stores were affected, according to the company. Click to read entire article.

Sportswear retailer investigates data breach

Columbia Sportswear’s prAna brand has become the industry’s latest cyber-breach victim. When the lifestyle brand’s e-commerce site was targeted last week, the incident led Columbia to “immediately launch an investigation and engage a leading third-party cyber security firm to assist us,” Columbia’s CEO Timothy Boyle said. Click to read entire article.

Data Breach at PIP Printing Company Leaks Thousands of Highly Sensitive Documents

An online security breach at a national printing chain leaked thousands of sensitive documents — from labor filings involving NFL players to lawsuits against Hollywood studios to personal immigration-related papers — raising the possibility that private information could end up in the wrong hands. Click to read entire article.

ONLINE GAMING
2.5 million Xbox and PlayStation gamers’ details hacked

A data breach of two popular gaming forums has exposed the account details of 2.5 million users, potentially opening up their other online accounts to attack by hackers. Click to read entire article.

HOSPITALITY
InterContinental confirms payment card breach at 12 U.S. hotels

InterContinental Hotels Group Plc on Friday confirmed a data breach from payment cards used at 12 of its hotels in the United States, a little over a month after it said it was investigating claims of a possible breach. Malware on the servers searched for track data – the cardholder’s name, card number, expiration date and the verification code – on the cards used at the hotels between August and December last year, the company said in a press statement. Click to read entire article.

PUBLIC ENTITY
TxDOT computer system hacked

The Texas Department of Transportation says some personal information of employees was compromised last week due to a “security incident.” Click to read entire article.

Manatee school system faces data breach affecting thousands

Authorities say as many as 7,700 Manatee County school employees are at risk of being victims of a data breach. Click to read entire article.

FBI investigating Mercer County Schools data breach

Mercer County Schools employees will receive identity theft protection for a year after a security breach targeting their W-2 form information was reported to the FBI and the West Virginia Attorney General’s Office. Click to read entire article.

NON PROFIT
Data breach hits San Antonio Symphony employees

Computer hackers broke into the computer network for the San Antonio Symphony this week, stealing the names, birth dates, Social Security numbers, addresses and W-2 tax forms for about 250 employees, the organization confirmed Tuesday. Click to read entire article.

TECHNOLOGY
ClassAction.com Attorney John Yanchunis Named Lead Counsel In Yahoo Data Breach Case

In an order filed Thursday, February 9, 2017 in the Northern District of California, U.S. District Judge Lucy H. Koh appointed John A. Yanchunis of Morgan & Morgan and ClassAction.com to serve as Lead Plaintiffs’ Counsel and Chair of the Plaintiffs’ Executive Committee. Click to read entire article.

Yahoo Hit With Small-Business Class Action Over Data Breach

A small-business owner who used Yahoo Inc. services to run his websites and advertise online launched a proposed class action against the internet giant on Wednesday for breaching its contract and negligently allowing hackers to make off with a billion users’ data in two breaches disclosed last year. Click to read entire article.

MANUFACTURING
Keller Grover LLP Investigating Sunrun Inc. for Privacy Violations

Keller Grover LLP is investigating recent reports that Sunrun Inc. may have suffered a data breach involving its employees’ highly confidential personal information, including name, address, Social Security number and 2016 compensation. Click to read entire article.

AUTOMOTIVE
THE LATEST: Green Bay-area Honda dealership caught up in national data breach

Van’s Honda in Ashwaubenon says its customers are receiving letters to say their personal information might have leaked online through a third-party company. The issue came to light last November for more than 100 auto dealers across the country using DealerBuilt, a software company based in Iowa which provides data backup for dealerships. Click to read entire article.

CYBER RISK STUDIES
One in Four US Consumers Have Had Their Healthcare Data Breached, Accenture Survey Reveals

One in four U.S. consumers (26 percent) have had their personal medical information stolen from technology systems, according to results of a survey from Accenture (ACN) released today at HIMSS2017 in Orlando. Click to read entire article.

Only 1 In 5 Banks Say They Could Detect A Cybersecurity Breach

Capgemini released a new report which stated that only one in five (19%) UK financial service organisations are highly confident they can detect a data breach (21% globally). Click to read entire article.

Cost of a data breach soars to 20% of revenue as hacking goes ‘classic’ and corporate

Polling 3,000 chief security officers worldwide, Cisco’s 10th annual cybersecurity report found that 50% of breached companies faced public scrutiny after a breach. Operations and finance systems were the most affected, though the cost of a data breach was not isolated to financial loss. 22% of breached organisations in 2016 lost customers, with 40% of companies seeing 20% of their customer base abandon them in the wake of a security incident. 23% of breached organisations lost business opportunities, with 42% losing more than 20%. Click to read entire article.

CANADA
B.C. suggests breach victims get protection, won’t commit to covering cost

…roughly 7,500 people whose personal information, including names, birth dates, health numbers and genders, has been accessed using the province’s PharmaNet system. Click to read entire article.

EUROPE/UK
Danish telecoms group 3 gets ‘blackmail’ threat over data breach

Danish telecoms company 3 said on Monday one or more hackers had stolen data from around 3,600 of its customers and attempted to get the company, owned by CK Hutchison Holdings Ltd and Investor AB, to pay “millions” to not publish it. Click to read entire article.

HSE had over 100 data protection breaches involving sensitive personal information in 2015

Internal documents have revealed some of the 113 instances that were recorded, including an X-ray report being discovered by staff in an Irish Penneys store. Click to read entire article.

Sports Direct hacked last year, and still hasn’t told its staff of data breach

Sports Direct has left its 30,000-strong workforce in the dark over a data breach in the autumn when a hacker accessed internal systems containing staffers’ personal information. Click to read entire article.

ASIA/PACIFIC
Australia passes data breach legislation

The Australian law will come into effect some time in the next 12 months, requiring breaches that cause “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm” to be reported to Australia’s Privacy Commissioner within 30 days of the breach. Click to read entire article.

Data breach: Hitachi admits malware attack hit systems

In the investigation of the breach of 32 lakh debit cards last year, Hitachi Payment Services today said it suffered a breach due to a sophisticated malware attack. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Assessment & Data Breach Services