We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Exposures include business interruption (first-party exposure) and legal liability (lawsuits), also crisis costs to investigate the breach, notify the victims, and defend against class action lawsuits, regulatory actions and fines.


CYBER RISK SUMMIT – TORONTO, FEBRUARY 23, 2018!
We look forward to seeing you there!

This event is almost sold out. If you are interested in attending but have not yet registered, please act today.


HEALTHCARE
—LARGE HIPAA SETTLEMENT FOR SMALL BREACHES—
February 2, 2018 – Health Care Group News: $3.5 M OCR Settlement for Five Breaches Affecting Fewer Than 500 Patients Each

Yesterday, OCR announced its $3.5 million settlement with Fresenius Medical Care Holdings (“Fresenius”) to resolve alleged HIPAA violations. While the large settlement figure alone is eye-catching, the underlying facts require the complete attention of HIPAA covered entities.
The five Fresenius breaches involved:
Breach 1: two stolen desktop computers containing the ePHI of 200 patients.
Breach 2: a stolen unencrypted USB drive containing the ePHI of 245 patients.
Breach 3: a missing hard drive containing the ePHI of 35 patients.
Breach 4: an unencrypted laptop stolen from a car containing the ePHI of 10 patients.
Breach 5: a stolen desktop computer containing the ePHI of 31 patients.

—MAILER MISHAP—
HIV Privacy Breach Lawsuit Reaches Settlement

Aetna has reached a settlement worth $17.1 million in the lawsuit brought about by the inadvertent sharing of the HIV status of around 12,000 Aetna members. The privacy breach occurred in July 2017, when letters outlining that beneficiaries could now pick up their medications in person were sent in envelopes with large address windows which made private health information visible.

Allscripts hit by class-action lawsuit for ransomware impacts

A group practice in Florida has filed the first lawsuit against Allscripts related to the ransomware attack that took the company’s cloud-based services offline for more than a week. The suit does not specify an amount of damages, asking the court to award an “equitable amount” for restoration of services and compensation for lost revenue, among other damages. The class represented in the suit is large, covering 45,000 physician practices and 180,000 physicians.
Related: New ransomware attack forces hospitals to turn away patients

Partners Healthcare says data breach exposed patient information

Partners HealthCare, the state’s largest private employer, revealed on Monday that its computer network was breached in May 2017, potentially exposing the private information of up to 2,600 patients.

—PAPER RECORDS MISHAP—
Western Washington Medical Group Notifies Patients Of Potential Data Breach

Auto giant Nissan confirmed that its Canadian branch has been hit by hackers. Although the details of the breach are still murky, Nissan says that the hack may have impacted all of its current and past customers – around 1.13 million people.

Hospital hit by ransomware: Attackers demand Bitcoin to release control of system

Hancock Health fell victim to a cyber attack Thursday, with a hacker demanding Bitcoin to relinquish control of part of the hospital’s computer system.

Data of 43,000 patients breached after theft of unencrypted laptop

A laptop belonging to a Coplin Health Systems employee was stolen from a car in November, serving as a reminder to healthcare organizations to encrypt all data that physically leaves the building.

PUBLIC ENTITY
DOH detects potential breach of disease reporting data system

The State Department of Health announced Tuesday that officials have detected a potential breach of data on their network system.

—PHISHED—
Keokuk Data Breach Results in Stolen City Employee Information

The City of Keokuk said a data breach on Jan. 30 resulted in the release of personal information of current and former city employees and elected leaders. The city said it is working with law enforcement to determine who is behind the breach. The city said in a statement that an unauthorized party was able to obtain 2017 W-2 tax forms through the use of a “criminal phishing email.”

—PHISHED—
Charlotte Housing Authority confirms data breach of employee information

According to housing authority officials, the breach came in the form of an email requesting employee W-2 information. The email appeared to be from the CEO. The requested information was sent before Jan. 19, when it was discovered that the request was made from a fraudulent account.

RETAIL
Jason’s Deli data breach impacts up to 2 million customers

The Texas-based restaurant chain said cyber thieves used RAM-scraping malware to infiltrate payment processing systems at 164 locations in Alabama, Arizona, Florida, Georgia, Illinois, Louisiana, Maryland, North Carolina, Nevada, Pennsylvania, South Carolina, Tennessee, Texas, Virginia and Wisconsin.

SOCIAL MEDIA
12,000 Social Media Influencers, Mostly Women, Exposed by Marketing Firm Data Breach

The breach, which was tied last month to the influencer marketing firm Octoly, exposed not only the stars’ true identities, but their street addresses, apartment numbers, phone numbers, email addresses, and more. The users are predominantly young women, the researchers said.

GDPR Readiness
Survey: How Well Will Organizations Respond To The Next Data Breach?

The European Union’s General Data Protection Regulation (GDPR) goes into effect this May, and lawmakers in the U.S. are proposing stricter data breach legislation. With the pressure on to better protect data and improve notification procedures in the event of a data breach, Tripwire surveyed 406 cybersecurity professionals to see how prepared organizations are feeling. Findings from the study revealed that just over three quarters (77 percent) of companies subject to GDPR could meet the 72-hour notification window, with 24 percent claiming they could notify customers of a data breach within 24 hours.

Note: NetDiligence is currently developing a GDPR-version of Breach Plan Connect®, our SaaS-based platform that includes a customizable, plug-and-play data breach response plan. Contact us for more information!

FINANCIAL SERVICES
Coincheck Plans To Reimburse Traders Affected By $500 Million Heist

On Friday, Crunchbase News reported that Coincheck, the second largest cryptocurrency exchange in Japan, had experienced the largest theft of crypto—in terms of dollar value at current market prices—to date.

PRIVACY ETHICS / WRONGFUL DATA COLLECTION
OnePlus accused again of collecting user data

The Chinese smartphone manufacturer OnePlus is again accused of collecting user data from its Clipboard app.

HIGHER EDUCATION
Windsor law school’s data breach at ‘low end’ but still a problem for those affected: privacy litigator

A data breach at the University of Windsor’s law school exposing hundreds of JD applicants’ names, e-mail addresses, birthdates, LSAT scores and other sensitive information is “at the low end” of privacy breaches, but could still have serious repercussions for the applicants whose privacy was violated, suggests a leading class action lawyer.

MOBILE APP
Your Tinder secrets could be EXPOSED: Massive security flaws in the app could let strangers hijack your photos, spy on your swipes and see pictures of all your matches

Researchers have uncovered two massive security flaws in the dating app that expose your activity to attackers on the same Wi-Fi network.

CANADA
Bell Canada alerts customers who may be affected by data breach

The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information. Bell Canada spokesman Nathan Gibson told The Canadian Press that “fewer than 100,000 customers were affected.”

Ontario transit agency ‘extremely confident’ cyber attack came from North Korea

Infosec experts are wondering why someone in North Korea planted malware on a computer system run by Metrolinx, the provincially run Toronto suburban transit authority.

EUROPE / UK
Carphone Warehouse fined £400,000 for security breach

Carphone Warehouse has been fined £400,000 after a security failure allowed unauthorised access to the personal data of millions of customers.

Home Office pays out £15,500 to asylum seeker over data breach

The Home Office has paid out £15,500 in compensation after admitting handing over sensitive information about an asylum seeker to the government of his Middle East home country, a move which could have endangered his life and that of his family.

Hacker Might Have Stolen the Healthcare Data for Half of Norway’s Population

The attack took place on January 8 and came to light this week when Health South-East RHF, a healthcare organization that manages hospitals in Norway’s southeast region, announced a security breach on its website.

Regards,
Mark Greisiger
NetDiligence®
Cyber Risk Readiness & Response