All across the country, state governments are getting serious about data protection. Following the lead of California, state legislatures are strengthening existing data breach notification requirements and enacting new consumer privacy laws:
- Last week, right in the middle of the Baltimore Ransomware attack, Gov. Larry Hogan signed the MARYLAND Personal Information Protection Act (MPIPA). The bill requires businesses to conduct investigations as soon as they discover or get notified of a breach of the security of a system. It also requires companies to contact those affected by the security breach, no later than 45 days after the investigation gets finalized.
- Meanwhile, the NEW YORK Senate approved an amendment that would strengthen the state’s data breach notification law. The bill is known as the Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act. Much like California’s impending data privacy law, SHIELD extends not just to New York businesses, but to any company that holds sensitive data on New York residents. SHIELD now goes to the New York State Assembly for approval.
- Speaking of CALIFORNIA, lawmakers are scrambling to amend the California Consumer Privacy Act (CCPA) before it goes into effect on Jan. 1, 2020. Earlier this month, the California State Assembly passed numerous amendments meant to modify and clarify parts of the new law. Those amendments will now go to the California State Senate, and then to the Governor.
- Finally, the ILLINOIS General Assembly recently approved an amendment to the state’s Personal Information Protection Act (PIPA). The updated law requires companies that handle personal data to implement and maintain security measures.
In this week’s data breach news roundup, we look at cyberattacks on Philadelphia courts, New Hampshire police officers and the Illinois Department of Natural Resources. However, we start with the biggest hack of the month so far.
U.S. DATA BREACH NEWS (June 1-16, 2019)
Between Aug. 2018 and Mar. 2019, hackers accessed the billing and medical data of the American Medical Collection Agency. Customer PII including credit card numbers, bank account details, medical data and Social Security numbers even showed up on the dark web.
AMCA handles billing for numerous health care companies, but Quest Diagnostics, a blood-testing business, was the first to get mentioned in the media. Nearly 12 million Quest Diagnostics patients were affected by the AMCA breach, the second Quest-related breach in the last three years.
The next company to make the headlines in the AMCA breach was LabCorp, a medical testing company headquartered in Burlington, North Carolina. Shortly after the Quest Diagnostics data leak became public knowledge, LabCorp announced that 7.7 million of its customers were affected by the same breach. Like Quest, LabCorp used AMCA as a third-party collections agency.
KFGO-TV News: Opko Health says over 400,000 customers likely affected by data breach
Miami-based Opko Health was the next company to disclose that it was affected by the AMCA hack, which exposed roughly 422,000 customers of the company’s BioReference Laboratories. Shares of Opko Health, which used AMCA as a billing collections vendor, fell by 1.5 percent within hours of the breaking news. Other companies affected by the AMCA data breach include Carecentrix and Sunrise Laboratories.
Michigan Attorney General Dana Nessel became the first public official to request more information about the AMCA data breach. “We have no idea how far and wide this breach has gone,” said Nessel. Meanwhile, Hartford Business reported that the attorneys general for Connecticut and Illinois followed shortly behind, also pressing AMCA for more details.
Well, that didn’t take long. Only a few days after the AMCA data breach became public, Florida woman Traci Diana Julin filed the first of what is sure to be many related lawsuits. Due to a chronic condition, Julin used Quest Diagnostics for routine testing services between 2015 and 2019.
Oregon State University officials said that a phishing attack on a university employee’s email account exposed the data of 636 students and family members. A forensic review of the hack found that names, birthdates, Social Security numbers and other PII were accessible. The university offered 12 free months of credit monitoring services to the exposed individuals.
The First Judicial District website, employee email accounts and electronic filing were temporarily suspended when a virus was found on a “limited number” of computers. Online criminal dockets remained unaffected, but the civil docket went down, forcing the court to accept civil filings in person at Philadelphia City Hall and other public buildings.
Not every data breach is the result of a malicious cyberattack. Some breaches stem from untrained and inattentive employees. In this case, personally identifiable information related to watercraft registrants got mistakenly uploaded to Open Data Portal by an employee of the Illinois Department of Natural Resources.
As part of an ongoing web mapping project, VPNMentor discovered an unsecured server belonging to The Pyramid Hotel Group, a hotel management company. The database was leaking security logs with details about operating systems, internal networks, security policies and staff-related PII. This leak affected hotels in New York, Florida and Ireland.
A New Hampshire police department employee was targeted in a malware attack in March 2017, and data from the breach was eventually found for sale on the dark web. The Weare Police Department was not notified until January 2018, and the resulting investigation lasted over a year.
According to a new study from the digital identity platform ForgeRock, data breaches cost American organizations over $654 billion and exposed nearly 3 billion consumer records in 2018. Healthcare, financial services and the government were the most targeted industries. You can read ForgeRock’s full U.S. Consumer Data Breach Report on the company’s website.
Health insurance company Premera Blue Cross agreed to pay $32 million to resolve a lawsuit related to a May 2014 cyberattack that affected the PII of 10.6 million people. As part of the settlement, Premera also committed $42 million to strengthen the company’s information security posture.
The online sock retailer Bombas got fined $65,000 for not telling customers about a data breach that compromised credit and debit card data. Bombas discovered the malware-related breach in Nov. 2014 but did not inform customers until May 2018. Once again, Bombas agreed to invest in stronger cybersecurity as part of the settlement.
Over one million accounts got leaked from this retro gaming forum. Compromised information includes e-mail addresses, IP addresses, usernames and passwords. The incident took place in Apr. 2018, but it is only now coming to light.
On May 24, Grand Rapids-based Mercy Health sent notifications to roughly 1,000 patients affected by a data breach. The hospital discovered that a vulnerable private server exposed patient information, including names, addresses, emails, insurance information and dates of birth, as well as a “limited number” of Social Security numbers.
Photos of travelers and license plates taken by CBP were stolen when a federal subcontractor was breached last month. The subcontractor had previously transferred the images to its company network without permission from CBP.
Two weeks after a virus infected the courthouse network of this Pennsylvania county, many county services remain impacted. At the county correctional facility, prisoners cannot order items from the commissary. Additional staff were brought into the jail to perform tasks manually. Meanwhile, numerous agenda items for a county council meeting were scrapped due to the outage.
The popular online invitations website recently announced a malicious data breach. Back in February, an unauthorized person acquired an inactive Evite.com data file that stored old user data. The exposed information included names, usernames, passwords, email addresses, dates of birth, phone numbers and mailing addresses. Evite has introduced new cybersecurity protocols since the breach, and users will be required to reset their passwords.
Following a ransomware attack reported at a factory in Belgium, airplane part supplier ASCO shut down production in four countries. Over 1,000 workers at plants in Belgium, Germany, Canada and the United States got sent home for the week on paid leave.