We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. This month we’re highlighting massive regulatory fines (NERC, HIPAA, COPPA, GDPR), legal settlements, hackers, blockchain vulnerability, and more!
North Carolina-based Duke Energy has been fined a record $10 million by NERC (North American Electric Reliability Corporation) for 127 violations of rules designed to keep the U.S. power system safe from physical and cyber attacks.
18 Million Payment Cards From 7,500 Financial Firms Compromised in Data Breach
Where’s the breach? In 2015 and 2016, it was at Wendy’s, when attackers infected 1,025 of its restaurants’ point-of-sale systems with malware, leading to the loss of massive quantities of payment card data.
Community Health System, one of the largest health systems in the United States, has agreed to pay $4,500,000 to settle claims made against it arising from a 2014 data breach. The data breach exposed the names, dates of birth, addresses, telephone numbers, and Social Security numbers of approximately 4.5 million patients.
Patients of a Bon Secours St. Francis Health System medical practice are being notified that their personal information may be at risk after a data breach at the practice. Officials determined that patient information may have included names, dates of birth, Social Security numbers, addresses, health insurance company, and other information related to care provided at Milestone Family Medicine.
UConn Health stated last Friday that it discovered the incident on Dec. 24, 2018, and that it is not aware of any fraudulent activities as a result of the breach or even whether any personal information was viewed. According to WFSB, about 326,000 records may have been exposed, including 1,500 that included Social Security numbers.
University will allow compensation for those with stolen data
In May 2017, the backup hard drive with data generated by WSU’s Social and Economic Sciences Research Center was stolen, he said. The hard drive contained sensitive information of about 1.2 million people at WSU.
Happy Valentine’s Day! Or not so much, for users of the popular dating app Coffee Meets Bagel. A data breach may have affected over 6 million app users looking for love. The company sent an email to users Thursday to address the issue.
A data breach at a company that handles the billing for municipal water service has Pompano Beach city officials working to minimize the potential damage.
The Kentucky Counseling Center, a statewide mental health services organization, notified the federal Department of Health and Human Services earlier this month of a data breach that exposed information of 16,400 patients.
The FTC said the $5.7 million penalty was the largest ever settlement for a children’s privacy issue. TikTok, formerly known as Musical.ly, was accused of knowingly tracking data from underage users without obtaining parental consent, as required by law.
On Monday, 11th February, Wisconsin-based email provider, VFEmail, was attacked by an intruder who trashed all of the company’s primary and backup data in the United States. … John Senchak, a longtime VFEmail user from Florida, told Krebs on Security that the attack completely deleted his entire inbox at the company–some 60,000 emails sent and received over more than a decade were lost.
Research by the Massachusetts Institute of Technology Review found that hackers have stolen nearly $2 billion worth of cryptocurrency since the beginning of 2017, mostly from exchanges, and that’s just what has been revealed publicly. “Marketing slogans and headlines that called the technology ‘unhackable’ were dead wrong.” The MIT study cited incidents last month where a security team at Coinbase spotted something strange going on in Ethereum Classic (one of the cryptocurrencies people can buy and sell using Coinbase’s popular exchange platform). Security noticed that an attacker had somehow gained control of more than half—why the method is called a “51 percent attack”—of the network’s computing power through blockchain, the history of all the transactions, and was using it to rewrite the transaction history. That made it possible to spend the same cryptocurrency more than once—known as “double spends,” the report explained.
A hacker who stole close to 620 million user records from 16 websites earlier this week has struck again, this time breaking into 127 million more records from eight more websites.
The CCPA allows consumers to sue businesses when their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
Today, the Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices.
The hacking group Team OrangeWorm publicly dumped two troves of data, one allegedly with the encrypted medical data of 80,000 patients, to DataBreaches.net.
Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids and water suppliers, the BSI cybersecurity agency said on Sunday, adding however that they were not all due to hacking.
A major Melbourne hospital and car manufacturer Toyota have had their systems infiltrated by hackers. A cyber crime syndicate accessed the medical files of 15,000 patients at Melbourne Heart Group at Melbourne’s Cabrini Hospital. … Meanwhile, Toyota Australia has confirmed it has been subject to an attempted cyber attack.
Data from the Office of the Australian Information Commissioner (OAIC) reveals that last year it received 812 notifications as part of the mandatory breach reporting regime.
Australia’s banks have started notifying customers that may have been caught up in an “industry-wide” data breach at an ASX-listed property valuation firm.