We bring to your attention a sampling of recent media stories involving cyber risk and privacy liability. These exposures include business interruption, legal liability (such as class action lawsuits), as well as crisis costs to investigate the breach, notify the victims and defend/settle lawsuits, including AG regulatory enforcement actions and fines. Also, don’t miss the items below in ORANGE.


NEW NETDILIGENCE WEBINAR SERIES!
ANNOUNCING LUNCH & LEARN WEBINARS

NetDiligence is pleased to announce that it is hosting a series of Lunch & Learn webinars this fall to discuss emerging technologies and their impact on cyber liability insurers. Bring your lunch and join us for 45 minutes of real-world information about how technology is changing the nature of cyber risk and the implications for insurers underwriting that risk. Conceptually visionary and pragmatically useful, these sessions should not be missed! Learn more.


NETDILIGENCE CONFERENCE – SUNNY SANTA MONICA
Insurance Industry Giant Patrick G. Ryan Delivers Keynote at Cyber Risk & Privacy Forum

Insurance industry leader, Patrick G. Ryan, will deliver the keynote address at the NetDiligence® Cyber Risk & Privacy Liability Forum, a leading gathering on insurance risk, which will be held Oct. 10-12, 2017, in Santa Monica, Calif., HB Litigation Conferences, the program organizer, has announced. Click to read entire article.

CYBER BREACH – LEGAL OPINIONS
—SIGNIFICANT OPINION—
In Data Breach Lawsuit, Mere Risk of Identity Theft is Enough to Stand On

In its recent Attias v. CareFirst, Inc. opinion, the D.C. Circuit held that the plaintiffs had standing to bring a lawsuit by alleging they suffered a mere risk of future identity fraud resulting from a breach—rather than requiring that they suffered actual identity fraud—joining similar decisions by the Third, Sixth, Seventh, and Eleventh Circuits. Click to read entire article.

HEALTHCARE
Data breach at Philly-area Ob/Gyn practice among this year’s largest nationally

The personal data breach affecting 300,000 patients disclosed last month by Women’s Health Care Group of PA LLC was the third-largest reported this year to the U.S. Department of Health and Human Services, according to the agency’s website. Click to read entire article.

Insurer’s mailing to customers made HIV status visible through envelope window

Thousands of people with HIV received mailed letters from Aetna last month that may have disclosed their HIV status on the envelope. Click to read entire article.

Ransomware Attack May Affect 10K Plastic Surgery Patients

On February 12, 2017, Plastic Surgery Associates of South Dakota discovered its health IT systems had experienced a ransomware attack. The healthcare organization immediately attempted to remove the ransomware from the infected servers and decrypt stored health data, it said in an online statement. Click to read entire article.

The healthcare data breach that took 14 years to uncover

The breach affected 1,100 patient records from 2003 through May 2017 and included names, addresses, phone numbers, dates of birth, gender, diagnoses or other information about medical treatment at Tewksbury Hospital. For some individuals, it may also have included a social security number. Click to read entire article.

Breach at UC Health hospital may affect data of 4,721 patients

The UC Health privacy office learned of the breach in June. Now, Daniel Drake Center is notifying 4,721 patients about potential exposure of their information, and it’s offering a year of credit monitoring and identity theft protection services from Experian. Click to read entire article.

MEDIA
Reader’s Digest agrees to pay $8.2 million in privacy lawsuit

The publisher of Reader’s Digest has settled a class action suit for $8.2 million after it allegedly breached privacy laws. Click to read entire article.

HBO Offered Hacker $250,000 Bounty Payment in Response to Data Breach

Variety reports that an anonymous hacker sent a copy of a message sent by HBO that apparently offered a “bounty payment” of $250,000 to the hacker involved in a recent massive data breach for the network. Click to read entire article.

AIRLINES
Virgin America data breach hits employees and contractors

An unauthorized third party managed to gain access to certain Virgin America information systems containing employee and contractor data. How many victims? Approximately 3,230 employees and contractors were affected by the breach.
Click to read entire article.

TECHNOLOGY
PlayStation suffers social media hack, possible data breach

Screenshots of the tweets, posted on the morning of Monday 21 August, suggest that PlayStation Network databases were leaked, but this has been neither confirmed nor denied by Sony. Click to read entire article.

FINANCIAL SERVICES
—PARTNER CAUSED—
Data Breach at Italy’s No. 1 Bank Exposes 400,000 Accounts

Italy’s top bank, UniCredit SpA, is yet another victim in a series of cyberattacks exploiting vulnerabilities in the financial services industry. Criminals made off with biographical and loan data from 400,000 UniCredit loan accounts after gaining access to the bank’s computer system through one of UniCredit’s third-party commercial partners. Click to read entire article.

PUBLIC ENTITY
—MEGA BREACH!—
Millions of social security numbers accessed in Kansas agency data breach

A total of almost 6.5 million records were hacked, and of those, 5.5 million from 10 states included social security numbers (SSNs), one of the most sensitive data types to which a hacker can gain access. According to the records obtained by the Kansas News Service, about half a million of the hacked accounts with SSNs were held by individuals located in Kansas. The following states were affected:

  • Arkansas: 597,734 SSNs
  • Arizona: 896,370 SSNs
  • Delaware: 236,134 SSNs
  • Idaho: 170,517 SSNs
  • Kansas: 563,568 SSNs
  • Maine: 283,449 SSNs
  • Oklahoma: 430,679 SSNs
  • Vermont: 183,153 SSNs
  • Alabama: 1,393,109 SSNs
  • Illinois: 807,450 SSNs

Click to read entire article.

Phishing Attack May Impact PHI of 3.4K at CA Treatment Center

City of Hope in California recently suffered a data breach in which four staff member email accounts were accessed by an unauthorized party through an email phishing attack. Click to read entire article.

Oceanside Investigates Possible Data Breach Of Its Online Bill Payment System

A potential data breach of the city of Oceanside’s online utility bill payment system was being investigated Tuesday, and the system has been taken down. So far, it appears the affected customers made one-time payments of their water bills between July 1 and Aug. 13. …The system also allows for sewer and trash bills. Click to read entire article.

Thousands of students’ personal info mistakenly e-mailed in S. Washington Co. data breach

Personal information about thousands of students and their families was sent out in a mass back-to-school e-mail by the South Washington County School District in what school officials are calling “an inadvertent employee error.” Click to read entire article.

ROGUE INSIDER THREAT
Revenge Hacking: Former Employee Charged $1.1 Million For Hacking Company

A hacker aiming to get revenge by targeting the computer systems of his former employer has been sentenced to 34 months in jail and will have to pay a fine of more than $1 million for damages, Bleeping Computer reported. Click to read entire article.

PHISHING & FRAUD
—VERY INTERESTING CAPER!—
Law Firm Duped By Email Scammers In Wage And Hour Case

The legal industry’s susceptibility to cyberattacks was on display Tuesday in a Los Angeles courtroom, where a Superior Court judge warned attorneys about a recent incident in which email phishing scammers duped a law firm into handing over $500,000 meant for plaintiffs in a wage and hour class action. Click to read entire article.

REGULATORY UPDATES
DE Data Breach Notification Law Includes Medical Information

Delaware updated its data breach notification law, accounting for medical data in what is considered personal information. Click to read entire article.

EUROPE / UK
TalkTalk scam victims move closer to class-action lawsuit

The ICO report referred to 21,000 TalkTalk customers who’d had their data breached. Fraudsters started to ring TalkTalk customers at home, quoting their account numbers, and were able to convince them that they were calling from the broadband firm. Click to read entire article.

Islington Council faces huge fine after massive data breach hit 90,000 people

A London council has been fined €70,000 after it accidentally published a cache of personal data including medical details, cheques, and even one person’s prison record. Click to read entire article.

Biggest Data Leak in Sweden’s History Punished With Half a Month’s Paycheck

The Swedish government has exposed sensitive details on millions of citizens in one of the biggest government screw-ups ever, and the official responsible for the whole fiasco was fined only half of her monthly salary, which is 70,000 Swedish krona – or around $8,500. Click to read entire article.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response