We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Exposures include business interruption (first-party exposure) and legal liability (lawsuits), as well as crisis costs to investigate the breach, notify the victims, and defend against class action lawsuits, regulatory actions and fines.
This event is almost sold out. If you are interested in attending but have not yet registered, please act today. Learn more or register!
Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations. While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities.
The five Fresenius breaches involved:
Breach 1: two stolen desktop computers containing the ePHI of 200 patients.
Breach 2: a stolen unencrypted USB drive containing the ePHI of 245 patients.
Breach 3: a missing hard drive containing the ePHI of 35 patients.
Breach 4: an unencrypted laptop stolen from a car containing the ePHI of 10 patients.
Breach 5: a stolen desktop computer containing the ePHI of 31 patients.
Click to read entire article.
Aetna has reached a settlement worth $17.1 million in the lawsuit brought about by the inadvertent sharing of the HIV status of around 12,000 Aetna members. The privacy breach occurred in July 2017, when letters outlining that beneficiaries could now pick up their medications in person were sent in envelopes with large address windows which made private health information visible. Click to read entire article.
A group practice in Florida has filed the first lawsuit against Allscripts related to the ransomware attack that brought the company’s cloud-based services offline for more than a week. The suit does not specify a specific amount of damages, asking the court to award an “equitable amount” for restoration of services and compensation for lost revenue, among other damages. The class represented in the suit is large, covering 45,000 physician practices and 180,000 physicians. Click to read entire article.
Related: New ransomware attack forces hospitals to turn away patients
Partners HealthCare, the state’s largest private employer, revealed on Monday that its computer network was breached in May 2017, potentially exposing the private information of up to 2,600 patients. Click to read entire article.
Auto giant Nissan confirmed that its Canadian branch has been hit by hackers. Although the details of the breach are still murky, Nissan says that the hack may have impacted all of its current and past customers – around 1.13 million people. Click to read entire article.
Hancock Health fell victim to a cyber attack Thursday, with a hacker demanding Bitcoin to relinquish control of part of the hospital’s computer system. Click to read entire article.
A laptop of a Coplin Health Systems employee was stolen from a car in November and serves as a reminder to healthcare organizations to encrypt all data that physically leave the building. Click to read entire article.
The State Department of Health announced Tuesday that officials have detected a potential breach of data on its network. Click to read entire article.
The City of Keokuk said a data breach on Jan. 30 resulted in the release of personal information of current and former city employees and elected leaders. The city said it is working with law enforcement to determine who is behind the breach. The city said in a statement that an unauthorized party was able to obtain 2017 W-2 tax forms through the use of a “criminal phishing email.” Click to read entire article.
According to housing authority officials, the breach came in the form of an email requesting employee W-2 information. The email appeared to be from the CEO. The requested information was sent before Jan. 19, when it was discovered that the request was made from a fraudulent account. Click to read entire article.
The Texas-based restaurant chain said cyber thieves used RAM-scraping malware to infiltrate payment processing systems at 164 locations in Alabama, Arizona, Florida, Georgia, Illinois, Louisiana, Maryland, North Carolina, Nevada, Pennsylvania, South Carolina, Tennessee, Texas, Virginia and Wisconsin. Click to read entire article.
The breach, which was tied last month to the influencer marketing firm Octoly, exposed not only the stars’ true identities, but their street addresses, apartment numbers, phone numbers, email addresses, and more. The users are predominantly young women, the researchers said. Click to read entire article.
The European Union’s General Data Protection Regulation (GDPR) goes into effect this May, and lawmakers in the U.S. are proposing stricter data breach legislation. With the pressure on to better protect data and improve notification procedures in the event of a data breach, Tripwire surveyed 406 cybersecurity professionals to see how prepared organizations are feeling. Findings from the study revealed that just over three quarters (77 percent) of companies subject to GDPR could meet the 72-hour notification window, with 24 percent claiming they could notify customers of a data breach within 24 hours. Click to read entire article.
Note: NetDiligence is currently developing a GDPR-version of Breach Plan Connect®, our SaaS-based platform that includes a customizable, plug-and-play data breach response plan. Contact us for more information!
On Friday, Crunchbase News reported that Coincheck, the second largest cryptocurrency exchange in Japan, had experienced the largest theft of crypto—in terms of dollar value at current market prices—to date. Click to read entire article.
The Chinese smartphone manufacturer OnePlus is again accused of collecting user data from its Clipboard app. Click to read entire article.
A data breach at the University of Windsor’s law school exposing hundreds of JD applicants’ names, e-mail addresses, birthdates, LSAT scores and other sensitive information is “at the low end” of privacy breaches, but could still have serious repercussions for the applicants whose privacy was violated, suggests a leading class action lawyer. Click to read entire article.
Researchers have uncovered two massive security flaws in the dating app that will show your activity to hackers who are using the same Wi-Fi network. Click to read entire article.
The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information. Bell Canada spokesman Nathan Gibson told The Canadian Press that “fewer than 100,000 customers were affected.” Click to read entire article.
Infosec experts are wondering why someone in North Korea planted malware on a computer system run by Metrolinx, the provincially run Toronto suburban transit authority. Click to read entire article.
Carphone Warehouse has been fined £400,000 after a security failure allowed unauthorised access to the personal data of millions of customers. Click to read entire article.
The Home Office has paid out £15,500 in compensation after admitting handing over sensitive information about an asylum seeker to the government of his Middle East home country, a move which could have endangered his life and that of his family. Click to read entire article.
The attack took place on January 8 and came to light this week when Health South-East RHF, a healthcare organization that manages hospitals in Norway’s southeast region, announced a security breach on its website. Click to read entire article.
Cyber Risk Readiness & Response