We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: Indiana Amends Breach Notification Law to Require Notification Within 45 Days, TransUnion says at least three million people affected by data breach, Personal Data of 820,000 Students Exposed in NYC Hack, Horizon Actuarial Services data theft impacts MLB Players Benefit Plan members, HubSpot Data Breach Ripples Through Crytocurrency Industry, and more.

Ransomware Corner

Horizon Actuarial Services data theft impacts MLB Players Benefit Plan members

Threat actors exploited the networks of Horizon Actuarial Services in November, stealing the data belonging to the consulting services vendors and two client groups: Major League Baseball Players Benefit Plan and Local 295 IBT Employer Group Welfare Fund. Click to read entire article.

FBI: 649 Ransomware Attacks Reported on Critical Infrastructure Organizations in 2021

Ransomware attacks hit 14 out of 16 critical infrastructure sectors last year, with healthcare and public health impacted the most, the IC3 notes in its 2021 Internet Crime Report. Of the top three ransomware families targeting critical infrastructure, Conti mostly focused on critical manufacturing, commercial facilities, and food and agriculture; LockBit frequently hit government, healthcare, and financial organizations; while REvil/Sodinokibi targeted financial services, IT, and healthcare and public health sectors. Click to read entire article.

Healthcare

Almost 50M US Residents Lost Health Data in Breaches Last Year

Nearly 50 million people have lost their personal health data to a breach just in 2021, according to a new analysis of HHS stats from Politico. Another analysis found that the average data breach in 2021 has cost healthcare organizations about $9.23 million. Click to read entire article.

Scripps Health faces lawsuit in the aftermath of the Kronos data breach

San Diego-based Scripps Health employees filed a lawsuit against the health system after the Kronos data breach affected their pay. The lawsuit stems from the Kronos Private Cloud data breach that led to an outage of the health system’s payroll platform in December, where nurses claimed that Scripps failed to pay them their bonus money and overtime due to breach. Click to read entire article.

Data Breach Alert: DNA Diagnostics Center, Inc. Security Incident Puts Personal Data at Risk

On November 29, 2021, DNA Diagnostics Center, Inc. notified consumers that a data breach had occurred, potentially compromising their personal, identifying, and financial information. The private information belonging to approximately 2,102,436 individuals was affected by this data breach, according to the company’s notification. Click to read entire article.

Accutech Class Action Claims Company Failed To Prevent Data Breach

Accutech failed to prevent an August 2021 data breach that exposed the personal and financial information of around 40,000 individuals, a new class action lawsuit alleges. Accutech’s disclosure of the breach, meanwhile, came more than six months after “unauthorized individuals” were able to gain access to customers’ PII, including names, dates of birth and Social Security numbers, according to the class action lawsuit. Click to read entire article.

Kentucky, Tennessee Hospitals Begin Cybersecurity Incident Recovery

Taylor Regional Hospital and East Tennessee Children’s Hospital are both making steady progress in recovering from recent cybersecurity incidents. Click to read entire article.

Public Entity

Texas Department of Insurance Reports Data Breach

The Texas Department of Insurance (TDI) became aware of a security issue on January 4, 2022 with a TDI web application that manages workers’ compensation information. TDI immediately took the application offline, quickly fixed the issue, and started an investigation to determine the nature and scope of the event. Click to read entire article.

Education K-12

Personal Data of 820,000 Students Exposed in NYC Hack

Personal data for roughly 820,000 current and former New York City public school students was compromised in the hack of a widely used online grading and attendance system earlier this year, city Education Department officials said Friday, revealing what could be the largest-ever breach of K-12 student data in the United States. Click to read entire article.

Financial Services

Morgan Stanley Wealth Management accounts breached in ‘vishing’ attacks

Earlier this week, Morgan Stanley Wealth Management said cybercriminals broke into accounts using social engineering attacks, according to reports. Using voice-based phishing, or “vishing,” attackers impersonated the trusted financial firm during phone calls to customers, where they encouraged customers to reveal sensitive personal and financial information including banking or login credentials. Click to read entire article.

Marketing/Tech

HubSpot Data Breach Ripples Through Cryptocurrency Industry

A rogue employee working at HubSpot – used by more than 135,000 (and growing) customers to manage marketing campaigns and on-board new users – has been fired over a breach that zeroed in on the company’s cryptocurrency customers, the company confirmed on Friday. Click to read entire article.

Microsoft confirms it was breached by hacker group

Microsoft (MSFT) has confirmed it was breached by the hacker group Lapsus$, adding to the cyber gang’s growing list of victims.

In a blog post late Tuesday, Microsoft said Lapsus$ had compromised one of its accounts, resulting in “limited access” to company systems but not the data of any Microsoft customers. Click to read entire article.

Distributor

Data Breach Alert: Fessenden Hall, Inc.

Recently, Fessenden Hall, Inc. confirmed that an unauthorized party gained access to the company’s computer system, compromising the sensitive information of certain consumers. Upon learning of the extent of the security breach, Fessenden Hall then reviewed the affected files to determine what information was compromised. The company completed this review on January 6, 2022. Then, Fessenden Hall worked to identify and located the addresses of all affected parties. This review was completed on March 8, 2022. Click to read entire article.

Higher Ed

Data Breach Alert: North Orange County Community College District

Recently, North Orange County Community College District (“NOCCCD”) confirmed that the District experienced a data breach stemming from unauthorized access to its computer system. As a result, the personal and sensitive information of students and employees was compromised. The investigation confirmed that between December 7, 2021 and January 10, 2022, files containing sensitive employee and student data may have been accessed or removed from the District’s network. Click to read entire article.

Regulation Updates

Indiana Amends Breach Notification Law to Require Notification Within 45 Days

Indiana has amended its breach notification law to require entities to notify individuals “without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.” Click to read entire article.

Canada

Experts call for better IT security after MLA admits he hacked Alberta vaccine records website

An Edmonton MLA’s intentional breach of Alberta’s COVID-19 vaccine records website should motivate the province to better safeguard its IT systems against hackers, cybersecurity experts say. Click to read entire article.

UK

Ransomware Attacks Soar by 100% in 2021

The study from international law firm RPC found that the number of incidents handled by the Information Commissioner’s Office (ICO) rose from 326 in 2020 to 654 in 2021. The verticals most frequently impacted by attacks in 2021 were: finance, insurance and credit (103), and education and childcare (80). Click to read entire article.