Monzo Contacts 500,000 Customers Following PIN Security Breach
Monzo has contacted 500,000 customers following a data breach which saw customer PINs accessible to employees of the digital bank for more than a year. The incident, which may constitute a breach of the EU’s General Data Protection Regulation (GDPR) breach, has prompted Monzo to advise them to change their PINs. On August 2, Monzo discovered that nearly a quarter of all of its UK customers PINs weren’t being securely stored. The PINs...
Hackers Targeting US Utilities Sector with Spear Phishing Campaign
Hackers impersonating the US National Council of Examiners for Engineering and Surveying (NCEES) are targeting business in the US utility sector through a new phishing campaign. Between July 19 and July 25 2019, the hackers sent phishing emails to three utility companies in the US. In each case, the hackers attempted to infect the organization’s computers with a new malware variant called LookBack. The email has many of the...
Department of Veteran Affairs Office of Inspector General Uncovers Security Failings at Californian VA Center
The Department of Veteran Affairs Office of Inspector General (VA OIG) has discovered severe security failings at the Tibor Rubin VA Medical Center in Long Beach, California. A recent inspection by the VA OIG uncovered security vulnerabilities related to medical device workarounds and multiple compliance issues with the Veterans Health Administration (VHA) and VA policies. The vulnerabilities were first identified following an...
Perry County Medical Center Notifying Patients Following Phishing Attack
Perry County Medical Center, Inc. d/b/a Three Rivers Community Health Group, has announced that it is notifying patients following a phishing attack which saw patient data compromised. Perry Country Medical Center, a health care centre based in Linden, Tennessee, noticed suspicious activity on an employee email account on May 28, 2019. The IT department were quickly notified, and it was discovered that an unauthorized individual had...
Presbyterian Healthcare Services Notifies 183,000 Patients Following Data Breach
Presbyterian Healthcare Services is notifying 183,000 patients that an unauthorised individual accessed their personal data. The hackers gained access to the patient data after successfully fooling several employees into handing over their login credentials through a phishing campaign. The attack occurred on May 6, 2019, and the unauthorised access was not noticed until June 9, giving the hacker over a month of access to the...
Wise Health Phishing Attack Affects 36,000 Patients
Wise Health System is sending breach notification letters to 36,000 patients following a phishing attack on their system. Wise Health System is a health care system with over 1,900 employees based in Decatur, Texas. The breach occurred on March 14, 2019, when a hacker sent phishing emails to employees of the organization. Several employees were fooled by the spoof emails and responded, allowing the hacker to harvest their login...
Phishing Attack at St. Croix Hospital Compromises PHI of 21,000 Patients
St. Croix Hospice is notifying 21,000 patients that their protected health information (PHI) may have been compromised in a phishing attack. St. Croix Hospice is a provider of hospice care in Minnesota and Wisconsin. On May 10, suspicious email activity was detected on an employee’s email account. St. Croix Hospice contracted a third-party cybersecurity firm to assist with an investigation into the email account. Investigators...
HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in Louisiana
In response to the Tropical Storm Barry that made landfall in Louisiana on July 13, the Secretary of the US Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties. The HHS announced a public health emergencies in the areas affected by the storm on July 12, 2019. The waiver only applies to covered entities in areas where a public health emergency has been declared. Furthermore, the waiver...
Marriott Fined £99 Million for Breach Affecting 7 Million UK Residents
The UK Information Commissioner’s Office has fined Marriott International Inc £99 million under GDPR for a data breach that affected seven million UK residents. The ICO released the statement for intention to fine Marriott on July 9, only a few days after the announcement that BA was given a record-breaking £183 million for a data breach affected 500,000 people. BA’s data breach was also related to violations of the EU’s General Data...
City of Griffin Officials Lose $800,000 Business Email Compromise Attack
The City of Griffin, Georgia, has revealed that it made two payments totalling $800,000 to scammers following a series of business email compromise attacks. BEC campaigns are a form of a phishing attack in which the cybercriminal impersonates a high-ranking member of an organisation, such as CEO or CFO, to obtain sensitive information from the employees at the company. These credentials, often login details or financial information,...
Microsoft July 2019 Patch Tuesday
Microsoft has issued patches for 77 vulnerabilities this Patch Tuesday. Of the vulnerabilities, 15 were rated critical and two were actively exploited zero day vulnerabilities. Six of the vulnerabilities patched this month had been previously disclosed to the public. The two actively exploited zero-days are both privilege escalation vulnerabilities. The first – CVE-2019-0880 – affects the call-handling abilities of a 64-bit printer...
ICO Hits BA with £183.39 million GDPR Fine for 2018 Data Breach
British Airways (BA) has been hit by a GDPR fine of £183.39 million by the UK Information Commissioners Office (ICO) for a 2018 data breach. The ICO investigation revealed that hackers stole the data of more than half a million BA customers, including sensitive information such as login credentials, payment card numbers, names, and addresses. The ICO stated that BA had ‘poor security arrangements’ in place and did not adequately...
Dominion Health Data Breach Affects 3 Million Members
Dominion National is notifying patients of a data security incident that first stated in 2010 and has affected nearly 3 million members. Dominion National is a health insurer, health plan administrator, and administrator of dental and vision benefits based in Virginia. Staff at the organization discovered the breach after an internal alert on their system notified them of suspicious activity. After an initial investigation, Dominion...
UChicago Faces Lawsuit for Sharing Patient Data with Google
UChicago Medicine faces a potential class-action lawsuit for allegedly sharing patient information with Google with having the correct authorization to do so. The lawsuit names UChicago Medicine, UChicago Medical Center, and Google, and was filed by Matt Dinerstein, a former patient of UChicago Medicine. The suit claims patient information that still had personal identifiers attached was shared with Google without patient...
Summa Health Notifies 10,000 Patients of Data Security Incident
Summa Health is in the process of notifying 10,000 patients of a data security incident which resulted in sensitive data being compromised. On May 1, 2019, Summa Health, based in Akron, Ohio, noticed suspicious activity on its email platform and immediately investigated the situation. They quickly discovered that an unauthorised individual had gained access to the several employee email accounts and therefore potentially could access...
Flaw in Dell SupportAssist Leaves Millions of PCs vulnerable
A newly-identified privilege escalation flaw in Dell SupportAssist could leave millions of Dell PCs and laptops vulnerable attack. Threat actors could employ malicious software to elevate their privileges to administrator level and hijack the device for their nefarious purposes. The flaw affects both the home 9 (v 3.2.1 and prior) and business (v 2.0) versions of the SupportAssist utility, previously known as Dell System Detect. This...
Kingman Regional Medical Center Notifies Patients Following Website Data Breach
Kingman Regional Medical Center (KRMC) is in the process of notifying patients that their sensitive data may have been compromised following the discovery of a flaw on its website which may have allowed unauthorized users to access patient data. KRMC became aware of the security issue on April 8, 2019. Their IT team immediately took steps to shut down the website. An investigation was launched into how such a flaw was introduced to...
Boxes of Patient Medical Records found Abandoned in Chicago
Boxes of patient medical records have been found abandoned in a former medical centre in the Chatham area of Chicago, Illinois. Clean-up crews have been brought in to assist in the clean-up operation which started hours after Ald. Roderick Sawyer (6th) requested the emergency clearing of the documents, which contain a wealth of sensitive patient information. The medical records were dumped outside the former Medical Professional Home...
Franciscan Health Patient Data Compromised in Incident Involving Former Employee
Franciscan Health is notifying 2,200 patients that their sensitive data may have been compromised in a security incident involving a former employee. Franciscan Health, a health system operating 14 hospitals in Indiana and Illinois, discovered a former employee was accessing the data of 2,200 patients without the appropriate authorization to do so during a routine privacy audit. On May 24, 2019, Franciscan Health publicly confirmed...
What is a GDPR DPO?
The appointment of a data protection officer (DPO) is an essential part of complying with the EU’s General Data Protection Regulations. However, what exactly is the role of a DPO? Moreover, who needs to hire one? In this article, we explore the role of a DPO in helping an organisation achieve their compliance goals. DPO: An introduction GDPR requires data controllers and processors who run processing operations which require regular...
Union Labor Life Insurance Phishing Attack Affects 87,000 Individuals
A phishing attack at Union Labor Life Insurance (ULLI) has compromised the protected health information (PHI) of more than 87,000 individuals. ULLI, a subsidiary The Ullico Inc., discovered the attack shortly after it commenced on April 1, 2019. The IT department successfully managed to revoke unauthorized access within 90 minutes of the account being compromised. The attack was attributed to an employee responding to a compelling...
Alabama Woman Awarded $300,000 for Privacy Breach at Medical Center Enterprise
A jury has awarded a woman $300,000 in damages following a privacy breach at Medical Center Enterprise (MCE), Alabama. Amy Pertuit’s patient rights were violated when a physician at MCE accessed and disclosed her protected health information to a third party without the proper authorization or consent to do so. This is a breach of HIPAA’s Privacy Rule, which addresses how sensitive patient data may be accessed and disclosed by covered...
Microsoft June 2019 Patch Tuesday
Microsoft has issued patches for 88 vulnerabilities this patch Tuesday. Of the vulnerabilities, 20 were rated critical. One servicing stack and 4 advisories were also released in the update. Microsoft stated that there was no evidence to suggest that threat actors had been actively exploiting the vulnerabilities in the wild. SandboxEscaper, a security researcher, identified four of the vulnerabilities and made the public aware of...
THH Paediatrics Fires Nurse for Accessing Data of 16,500 Patients without Authorization
Takai, Hoover & Hsu has terminated a nurse for accessing the protected health information (PHI) of 16,542 without the correct authorization to do so. The healthcare provider, owned by Takai, Hoover & Hsu and based in Germantown, MD, has stated that the information may have been passed on to a third-party and used for fraud and other criminal activities. On April 10, 2019, Takai, Hoover & Hsu, P.A. was notified by county...
ICO Declares HMRC Voice Recordings to be ‘Unlawfully Obtained’
Her Majesty’s Revenue and Customs (HMRC) has agreed to delete more than five million voice recordings after the UK Information Commissioner’s Office (ICO) declared the data had been unlawfully obtained. HMRC collected for use in a voice authentication service, introduced in 2017. The callers were asked to repeat the phrase ‘my voice is my password’, which HMRC would then use to authenticate the identity of...
Today’s Vision Medical Records Found in Texas Dumpster
The medical records of Today’s Vision patients have been found in a dumpster in Tomball, Texas. Today’s Vision is an optometry services provider with over 50 independently owned clinics. More than 20 boxes of records patients and employees were found in a dump behind the strip mall in Tomball. Soon after the discovery of the boxes, Tomball police retrieved the records from the dumpster. They are now securely stored in the...
Medical Informatics Engineering Settles with OCR for $100,000 for 2015 Data Breach
Medical Informatics Engineering Inc (MIE) has agreed to a $100,000 settlement with HHS’s Office for Civil Rights for a 2015 data breach affecting 3.5 million individuals. MIE, an Indiana-based provider of electronic medical record software and services, experienced the data breach when hackers compromised the server of its NoMoreClipboard subsidiary. The hackers had access to the server for 19 days between May 7 and May 26, 2015. The...
HHS Issues Clarification On Business Associates Liability
On May 24, 2019, the Department of Health and Human Services issued a clarification on business associates liability for violations of the Health Insurance Portability and Accountability Act. HHS Office for Civil Rights released information on what violations could result in a HIPAA fine for business associates of HIPAA covered entities. According to the HHS Fact Sheet on direct liability of business associates, fines can be incurred...
Microsoft May 2019 Patch Tuesday
Microsoft has issued patches for 79 vulnerabilities this May 2019 Patch Tuesday. Of the vulnerabilities, 22 were rated critical. Adobe also issued patches for 84 vulnerabilities, 50 of which were critical. One critical flaw addressed by Microsoft left affected users vulnerable to WannaCry-style malware attacks. This vulnerability (CVE-2019-0708) is in Remote Desktop Services and can be exploited by sending specially crafted requests...
Businesses Still Using Unencrypted USB Devices to Store Data One Year After GDPR
It has been revealed that businesses are still storing data on unencrypted USB devices despite the risk of incurring significant GDPR fines for doing so. ESET, an IT security company, and Kingston Technology, a leading provider of technological solutions, surveyed over 500 businesses based in the United Kingdom for the report. The data revealed that 55% of business surveyed don’t encrypt devices such as USBs. Jake Moore, a...
Oracle WebLogic Server Vulnerability Exploited Using Sodinokibi Ransomware
A vulnerability in Oracle WebLogic Server is being exploited in the wild by a new ransomware variant named Sodinokibi. On April 26, Oracle released an out-of-band patch to address the vulnerability (CVE-2019-2725). There have been several reported cases of the vulnerability being exploited in the wild. Oracle WebLogic Server is part of Oracle Middleware, a widely-used digital business platform. Despite the threat posed by the...
Touchstone Medical Imaging Agrees to £3 million Settlement with OCR
The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a $3 million settlement with Touchstone Medical Imaging following a 2014 data breach. The Franklin, TN-based diagnostic medical imaging services company agreed to the settlement to resolves multiple violations of HIPAA Rules. They have further agreed to adopt a corrective action plan to rectify its compliance issues. However, the settlement comes...
Inmediata Breach Notification Letters Sent to Incorrect Addresses
A mailing error at Inmediata has seen breach notification letters being sent to the incorrect addresses. Inmediata was sending the breach notification letters after it was discovered that a webpage that should have only been accessible to Inmediata employees was indexed by search engines and therefore publicly available. This security breach was the result of misconfigured security settings. The compromised webpage contained patient...
Maximum Penalties for HIPAA Violations Changed by HHS
The Department of Health and Humans Services has issued a notification of enforcement discretion in which they have reduced the maximum financial penalty for three of the four HIPAA violation tiers. The notification, entitled ‘Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties’, was published on April 20th. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act increased the...
Denmark’s DPA Recommends Fine for Taxi Company GDPR Violation
Denmark’s Data Protection Authority Datatilsynet has recommended that taxi company Taxa 4×35 be fined for violating the General Data Protection Regulations (GDPR). The DPA approved a fine of 2.8% of the company’s revenue, amounting to €160,754, for the violation. The maximum fine that can be levied against an organisation for a GDPR violation is 4.5%. While the fine issued was less than this maximum (which would have equated to...
Microsoft Customer Email Information Compromised Following Support Agent Breach
Microsoft has announced that customer email information has potentially been accessed by an unauthorised third-party following a security incident at a support agent. The hacker used compromised support agent credentials to access customer data and is thought to have been able to access the data for three months. During this period, hackers could access affected users’ email addresses, email subject lines, folder names, and email...
Southern Hills Eye Care Ransomware Attack Reported
Southern Hills Eye Care in Sioux City, Iowa, has announced that a recent ransomware attack on their facility may have compromised patient PHI. Ransomware is a variant of malware that prevents which hackers use to extort victims. The malware prevents the victim from accessing their computer, or files on their computer until a ransom is paid. Hackers often use phishing attacks to deliver malware to the victim’s device. The hacker sends...
New Sextortion Scams Identified Following Record Numbers Reported in 2018
Sextortion scams have become increasingly common in recent years, with record numbers being reported in 2018. These types of attacks are potentially very lucrative for an attacker, due to the highly embarrassing or compromising nature of the material. In many cases, the hacker holds no sensitive information on the individual in question; however, simply the small possibility that the hacker does indeed have anything compromising is...
Brookside ENT and Hearing Center Announces Closure Following Ransomware Attack
Michigan-based Brookside ENT and Hearing Center has announced its closure following a ransomware attack on their facility resulted in all of their patient files being permanently destroyed. The practice-run by just two doctors-lost access to patient records, appointment schedules, payment information, and other sensitive after a hacker gained access to their network and infected it with ransomware. As with most ransomware attacks, the...
DePaul Reports Phishing Compromised Employee Email Account
The assisted living facility provider DePaul has announced that a successful phishing attack on its networks has compromised patient data. DePaul, which operates facilities in New York, North Carolina, and South Carolina, discovered the breach on February 1, 2019. IT security staff immediately took steps to secure the compromised account and block the unauthorised individual’s access. Phishing attacks against health organisations have...
OpenVPN Study Highlights Risks Posed by Remote Workers
A recent survey conducted by OpenVPN highlights the potential cybersecurity risks posed by remote workers. OpenVPN is a virtual private network solution provider that allows businesses to extend their VPNs securely. They surveyed 250 IT leaders, “from the manager level through the C-suite”, to ascertain whether allowing employees to work remotely posed a risk to the organisation’s cybersecurity and whether the benefits of allowing the...
DC Attorney General Proposes Stricter Data Breach Notification Laws
Washington D.C. Attorney General Karl. A. Racine has proposed stricter data breach notification laws. He anticipates that the new laws would provide greater protection to DC residents should their data be compromised in a data breach incident. AG Racine introduced the Security Breach Protection Amendment Act on March 21, 2019. This Act updates the definition of ‘personal information’, which means that the types of information for...
Report Released on Issues of Healthcare Data Collected by Non-HIPAA Covered Entities
The healthcare and fitness tech industry is booming, with millions of users across the US using these devices and apps to track everything from their weight, sleeping habits, heart rate, and food consumption. Some of this information is similar to that collected by healthcare organisations when monitoring their patients. However, there is a vast difference in the responsibilities of these organisations and the healthcare tech industry...
Microsoft CEO calls for Global GDPR-like Data Privacy Rights
The CEO of Microsoft has called for the implementation of GDPR-legislation worldwide to enhance global attitudes to data privacy rights. Microsoft CEO Satya Nadella made the statement during a live interview at the World Economic Forum in Davos Switzerland. He called for world leaders to treat data privacy as a human right, and legislation should be enacted to protect this right. Commenting on the EU’s recent GDPR legislation, a...
14,000 Main Line Endoscopy Center Patients Affected by Phishing Attack
A phishing attack at Main Line Endoscopy Centers has compromised the sensitive data of over 14,000 patients. Main Line Endoscopy Centers, a network of outpatient endoscopy facilities in the Malvern, Bala Cynwyd, and Media regions of Pennsylvania discovered the attack on January 30, 2019. Investigators were unable to determine when the attacker first gained access to the account. The attacker appears to have gained access to the email...
SpamTitan Email Security Solution Now Features Sandboxing and DMARC Authentication
Protecting against zero-day malware and advanced phishing attacks can be a major challenge for SMBs and managed service providers (MSPs). To better protect against these advanced threats, TitanHQ, the leading provider of email security solutions to the SMB market, has added two new features to its award-winning spam filtering solution: SpamTitan. These features were introduced to help SMBs and MSPs serving the SMB market improve their...
IRS Launches 2019 Dirty Dozen Campaign
The Internal Revenue Service has launched a tax-related phishing awareness campaign. The campaign is designed to inform taxpayers fo the twelve most common tax scams, known as the ‘Dirty Dozen”. Each tax season, the IRS raises awareness of the most common phishing campaigns in an attempt to protect taxpayers, businesses, and tax professionals. Cybercriminals are particularly active in the period from January to April as they attempt...
Hacker Compromises Employee Email Accounts at Rutland Regional Medical
Rutland Regional Medical has revealed that a hacker compromised nine employee email accounts following a cyber attack on their systems. Rutland Regional Medical, based in Rutland City, is the biggest community hospital in Vermont. A staff member discovered the attack on December 21, 2018, after noticing that their email account had been hijacked to send a large number of spam emails. Rutland Regional Medical’s IT department was...
Data Breach at Rush University Medical Center Affects 45,000 Patients
Rush University Medical Center has announced that a data breach incident at a financial services vendor has compromised the PHI of 45,000 of their patients. The financial services vendor informed Rush of the incident on January 22, 2019. A member of staff at the vendor was caught sharing a file containing patient PHI with an unauthorised individual in May 2018. Rush has stated that the types of information that individual accessed may...
Unauthorised Individual Gains Access to St. Francis Health System Patient Data
The Bon Secours St. Francis Health System has announced that unauthorised individual gained access to some of their patients’ protected health information (PHI). The hacker compromised the systems of Milestone Family Medicine, a medical facility based in Greenville, SC. Milestone Family Medicine was affiliated with St. Francis Physicians Services (SFPS) until February 24, 2019. SFPS officials learned of the breach on January 4, 2019....