We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: UF Health admits patient data may have been compromised in ransomware attack, Florida Unemployment Benefit Site Breached, Hackers Posed as Aerobics Instructors, and more.
Ransomware Corner
No Ransom Paid, but Illinois AG Office Is Spending More Than $2.5 Million on Hacker Attack
Illinois Attorney General Kwame Raoul said he has spent more than $2.5 million in crisis management after a massive ransomware hack crippled the agency in April and potentially exposed gigabytes of personal and confidential records on the dark web. Click to read entire article.
UF Health admits patient data may have been compromised in ransomware attack
Two months after a ransomware attack was launched on its computer systems, UF Health-The Villages Hospital is admitting that patient data may have been compromised. The attack was discovered over the Memorial Day weekend at the hospital in The Villages and its sister medical center in Leesburg. Although UF Health initially shrugged it off as a “glitch,” the truth poured out through accounts of patients and staff who described the nightmare which accompanied the ransomware attack. One staffer described it as being back in the “stone age.” Click to read entire article.
HEALTHCARE
Accellion data breach toll climbs to 11 with Cayuga Health
Here are the organizations that have reported Accellion-related data breaches, ranked by the number of individuals affected:
- Kroger Pharmacy: 1,474,284
- Health Net: 1,236,902
- Trinity Health (Livonia, Mich.): 586,869
- Trillium Health Plan: 50,000
- Arizona Complete Health: 27,390
- Arkansas Health & Wellness: 3,627
- Stanford Medicine (Palo Alto, Calif.): 2,200
- Cayuga Medical Center at Cayuga Health (Ithaca, N.Y.): Unknown
- Community Memorial Health System (Ventura, Calif.): Unknown
- The University of Miami Health (Coral Gables, Fla.): Unknown
- Centene Corp. (Parent company to other insurers): Unknown
UPMC Finally Settles Data Breach Lawsuit for $2.7 Million
UPMC’s employment records were hacked by criminals in 2014. A civil class action lawsuit was filed on behalf of approximately 66,000 employees, and federal prosecutors filed criminal cases against a number of individuals; 4 have already pled guilty in connection with hacking the UPMC human resources data and using some of the information to commit federal income tax fraud. Click to read entire article.
MEDIA
Sanford Herald ownership group reports data breach
Current and former employees of Paxton Media Group, the Kentucky-based media conglomerate which owns The Sanford Herald, received a letter over the weekend reporting that their names, addresses and other personal information had been revealed in a data breach. Click to read entire article.
PUBLIC ENTITY
Florida Unemployment Benefit Site Breached
The Florida Department of Economic Opportunity (DEO) recently announced that it discovered on July 16, 2021 that its online unemployment benefit system, CONNECT, was compromised, potentially affecting personal information of 57,000 accounts. Click to read entire article.
AEROSPACE
Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees
“Using the social media persona ‘Marcella Flores,’ TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor,” Proofpoint said in a report shared with The Hacker News. Click to read entire article.
RETAIL
Judge preliminarily approves Wawa data breach settlement that would pay customers in gift cards
A federal judge has given preliminary approval to a settlement that would require Wawa to pay customers up to $9 million in gift cards and cash after a massive data breach exposed customers’ payment card numbers. The vast majority of funds that Wawa would pay consumers, up to $8 million, would be in $5 or $15 Wawa gift cards. Click to read entire article.
CYBER RESEARCH/SURVEYS
Data Breach Cost Hits Record High of $4.24M
Data breach costs have reached a new record high of $4.24 million per incident, representing a 10% increase from the year prior — the largest single year cost increase in the last seven years. Click to read entire article.
PRIVACY LIABILITY
Zoom Pays $85 Million to Settle User Privacy Lawsuit in US Over ‘Zoombombing’
Zoom agreed to pay $85 million and bolster its security practices to settle a lawsuit claiming it violated users’ privacy rights by sharing personal data with Facebook, Google, and LinkedIn, and letting hackers disrupt Zoom meetings in a practice called Zoombombing. Click to read entire article.
The Plaid Data Privacy Class Action Lawsuit Reaches a $58 Million Settlement
Consumers nationwide increasingly rely on modern fintech apps to do business, transfer and invest funds, and otherwise manage their finances electronically. The plaintiffs in In re Plaid Inc. Privacy Litig. alleged that Plaid has “exploited its position as middleman” to obtain app users’ banking login credentials and then use that information to access and sell transaction histories, in the absence of app users’ consent. Click to read entire article.
CYBER LEGAL ISSUES (DISCOVERABILITY)
Another Court Orders Production of Cybersecurity Firm’s Forensic Report in a Data Breach Case
Another district court just ordered the defendant in a data breach class action to turn over the forensic report it believed was entirely protected from disclosure by the attorney-client privilege and work product doctrine. Click to read entire article.
BREACH LAWSUITS DISMISSALS
Walmart secures dismissal of California data breach lawsuit
A California federal judge has tossed a proposed privacy class action against Walmart Inc over an alleged data breach, finding the customer who sued the retailer still has not adequately pleaded his claims. Click to read entire article.
Zynga wins bids to compel arbitration, toss data breach case
A California federal judge on Friday dealt a blow to plaintiffs suing mobile game developer Zynga Inc over a 2019 data breach, greenlighting a bid to compel arbitration of some users’ claims and granting a motion to dismiss the rest. Click to read entire article.
EU/UK (GDPR)
Amazon Gets Record $888 Million EU Fine Over Data Violations
Amazon.com Inc. faces the biggest ever European Union privacy fine after its lead privacy watchdog hit it with a 746 million-euro ($888 million) penalty for violating the bloc’s tough data protection rules. Click to read entire article.
NHS Highland apologises after data security breach
Letters inviting patients at NHS Highland for their second dose of Covid vaccine were produced by NHS Highland Public Health carrying information relating to other patients. Click to read entire article.
Chipotle’s marketing email hacked to send phishing emails
Hackers have abused an email account linked to the Chipotle restaurant chain to send phishing emails to unsuspecting victims. According to cyber security company Inky, between July 13 and 16 this year, researchers detected 121 phishing emails in a similar attack that originated from a compromised Mailgun email marketing account used by the chain. Click to read entire article.
https://www.itpro.co.uk/security/phishing/360438/chipotles-marketing-email-hacked-to-send-phishing-emails
Italian vaccination registration system down in apparent ransomware attack
Hackers have attacked the vaccination registration system in one of Italy’s largest regions, temporarily blocking residents from booking new vaccination appointments, officials said. Click to read entire article.
AFRICA
Cyber hit a red flag to SA firms, ‘Learn lesson from Transnet breach’
While the full impact of last week’s cyberattack on Transnet remained unknown yesterday, experts have warned that the consequences of the growing new crime trend could be severe. Click to read entire article.
ASIA PACIFIC
How foreign hackers weaponized India’s cybersecurity shield
Between 7 and 14 July, hackers took down the two-factor authentication system the Indian government uses to secure its email network three separate times. The inboxes of countless government officials, including the secretary of MeitY, were compromised. Two weeks on, who carried out the attack and how they did it remains a mystery. Click to read entire article.