
Data in Distress: Breaking News on Cyberattacks and Recent Data Breaches

Knowledge is power, but many organizations choose to ignore cyber threats—damaging and even destroying their business. Stay up-to-date on the latest cyberattacks and data breaches to gain a better understanding of the ongoing threat to companies, government, and healthcare organizations by subscribing to Data in Distress today.


Breaking News

Zero-day Exploits of On-Premises Versions of Microsoft Exchange

As you have probably seen reported, Microsoft has detected multiple zero-day exploits of on-premises versions of Microsoft Exchange in limited and targeted attacks.

Below are our recommendations for handling these threats (if you are a DSM managed IT services client we are executing these steps for you):

  • Scan your environment for compromise
  • Install the security update immediately for the appropriate Exchange CU (Cumulative Update)
  • Ensure all anti-virus and malware scanners are up-to-date and active
  • Remove internet access to hybrid Exchange management-only servers

Update Details:

The security updates are only available for the following specific versions of Exchange:

The vulnerabilities affect Microsoft Exchange Server, not Exchange Online. However, if you are running a Hybrid organization you need to apply those Security Updates to your on-premises Exchange Server, even if it is used for management purposes only.

Additional Resources:

We will continue to provide updates and information as necessary.

Facebook Exposes Millions of User Passwords Internally

Up to 20,000 Facebook employees were able to view the passwords of millions of Facebook users, with up to 600 million passwords stored in plain text.

Security researcher Brian Krebs, of Krebs on Security, released the breaking news, stating that exposed passwords could date as far back as 2012.

Facebook claims to have resolved the "glitch" which showed the unencrypted passwords on its internal network. The social network also said it had discovered the issue in January as part of a security review.

Scott Renfro, a Facebook engineer, stated that their internal investigation showed there were no "signs of misuse."

Recent Data Breach at Zoll Medical Exposes Data of 277K Patients

Zoll Medical, a manufacturer of medical devices and software, revealed on Monday that the personal information of 277,319 patients was exposed during a recent server migration. The breach included names, addresses, date of birth, and medical information. Some patients’ social security numbers were also exposed.

The medical company would not divulge whether the breach was accidental or the result of a hack, just that it occurred sometime between November 8 and December 28, 2018.

"At this point, Zoll is not aware of any fraud or identity theft to any individual as a result of this exposure," a company release stated. "The vendor has since confirmed that all information has now been secured."

According to the Health and Human Services Data Portal, this is the first data breach that Zoll has reported in the past two years.
The exposure continues the recent rise in healthcare data breaches.

Recent Data Breach Affects Thousands of Michigan Healthcare Customers

The information of more than 600,000 healthcare customers of the Detroit-based Wolverine Solutions Group in Michigan may have just been compromised.

The Wolverine Solutions Group includes Blue Cross Blue Shield of Michigan, Health Alliance Plan, McLaren Health Care, Three Rivers Health, and North Ottawa Community Health System.

According to the company website, breached customer information may include name, phone number, address, date of birth, social security number, and insurance and medical information.

“Wolverine is offering two levels of identity protection to individuals affected by the breach,” said Michigan Department of Insurance and Financial Services (DIFS) Director Anita G. Fox. “If you receive a letter from the company, we urge you to read it carefully and consider enrolling in the free credit monitoring service.”

Additional steps Michiganders can take to further protect their information include:

  • Pulling their free credit report at annualcreditreport.com or calling 877-322-8228.

  • Putting a fraud alert on their credit file (visit the Federal Trade Commission’s identity theft website here).

  • Putting a security freeze on their credit file.

  • Using two-factor authentication on their online accounts whenever it’s available.

For additional information on Michigan data breaches, residents should view the Michigan Attorney General’s consumer alert. A toll-free information hotline has also been made available, at 877-412-7152.

Government Data Breaches

Hackers Expose Personal Data of Hundreds of German Officials

An unknown Twitter account published the personal information of hundreds of German officials, including Chancellor Angela Merkel, triggering an emergency crisis meeting of the National Cyber Defense Agency. 

While it remains uncertain whether the breach stemmed from a hack or a leak, it's still highly troubling for the country, which has become a prime target for hackers in recent years (just last year, a cyberattack compromised the foreign ministry's computer network).

"This data breach ... is alarming, but at the same time it's not surprising," said Mike Hart at commercial cyber security firm FireEye, citing previous hacks. "It highlights the need for government to take cyber security very seriously."

Twitter shut down the account hours after news of the hacking came to light.

Recent Data Breach on Click2Gov Payment System

Adding insult to injury, Canadians who paid a parking ticket in the city of Saint John, New Brunswick, have just been notified of a data breach within the parking system—and that it's been there since May 2017.

In a statement issued this week, officials stated that the breach involved “multiple instances when an unknown source gained access to confidential customer information on the city’s server through the Click2Gov payment system.”

The breach exposed first and last names, mailing addresses, and credit card information. It was discovered by a cybersecurity analyst who had been hired to assess vulnerabilities within the system.

In the wake of the discovery, the city has issued an apology to victims and warned them to monitor their credit card activity. The online parking payment system has also been temporarily shut down.

Phishing Email Attack Targets Australian Government

That didn't take long.

Following a banner year for breaches in 2018, the first big data breach of the new year has happened. Thankfully, those of us in the United States can (temporarily) breathe a sigh of relief.

The attack occurred in Australia, originating from a phishing email delivered to a government employee. It resulted in the accidental release and theft of the personal data of approximately 30,000 Australian civil servants.

The stolen data included work emails, phone numbers, and job titles. According to officials, banking and financial information was not captured by hackers.

Easy to execute and highly profitable to hackers, phishing attacks are on the rise and are becoming more sophisticated than ever, costing mid-size companies an average of over $1.5 million per year.

Recent Data Breach at USPS

On November 26, it was revealed that a security flaw in the USPS app, Informed Visibility, which allows customers to see their mail before it arrives, exposed the data of more than 60 million users. The app’s vulnerability left users’ account details, including usernames, IDs, and email and home addresses, available to anyone with basic knowledge of the data elements processed by a regular web browser. Though it has been confirmed that user passwords were not accessible, hackers could potentially use the other readily available information to deploy mass or targeted phishing emails to obtain even more sensitive information from victims.

While the USPS has since patched the vulnerability, what has many people outraged is that an anonymous security researcher reported the vulnerability to the USPS over a year ago, but it wasn’t until cybersecurity journalist Brian Krebs exposed it that they finally took action.

Business Data Breaches

Recent Facebook Data Breaches Have Social Media Giant Under Fire

Ever since the Cambridge Analytica scandal of 2017, Facebook and other social sites have been under fire. Cambridge Analytica, of course, is the British data mining and political consultancy firm that was accused of influencing the 2016 United States election due to privacy and data breaches that were the fault of Facebook. This resulted in probes by the Federal Trade Commission and two days' worth of questioning in which Mark Zuckerberg himself was hauled in front of US Congress.

Now, the final report published under this investigation has been released. In it, the UK’s Digital, Culture, Media and Sports Committee, which is part of the Parliament, is asking for the creation of a regulatory body that would have the legal authority to monitor, control, and penalize social media and IT companies. Facebook is singled out in the report, and is criticized for abusing privacy policies and sharing data with third parties for profit.

Facebook responded to the report today, telling British lawmakers the company is “open to meaningful regulation” as well as a code of ethics to take on the spread of fake news and abuse of users' data. Facebook's public policy manager, Karim Palant, added that Facebook is "not the same company" it was a year ago and has already made substantial changes to its procedures.

33 Colorado Cybersecurity Breaches Identified Following New Consumer Data-Privacy Law

Colorado’s new state data-privacy law, which requires organizations to report consumer data breaches within 30 days of the incident, has led to 33 companies notifying over 90,000 consumers of a data breach. While this may seem like a suspiciously low number of consumers, it’s unknown as to how many organizations are actually complying with the law. Plus, companies are only required to alert the attorney general’s office if the breach impacts more than 500 Coloradans.  

The law, which began as House Bill 1128, was easily passed in the state legislature in late 2018 and is one of the strictest in the nation due to the 30-day notification period (Florida is the only other state requiring a 30-day notification, although a 15-day extension may be allowed if an organization can show good cause for it).

“A lot of times, you don’t know the full scope of what information was affected and you have to get cyber forensics to get in there,” says Esteban Morin, a Denver-based attorney specializing in privacy and data security. “That can take a lot of time, but you’re on this very rigid clock.”

India SBI Bank Data Breach: Fact or Fiction?

Last week's reports that SBI, India’s largest bank, was using an unprotected server that would give anyone who knew where to look access to millions of customers' financial information appear to be untrue.

SBI initially denied requests for information from media outlets, but has now spoken. And what they had to say came as a welcome surprise to millions of account holders.

“The matter has been thoroughly investigated," the bank stated. "SBI would like to assure all its customers that their data is safe and secure and SBI is fully committed to ensuring this.”

SBI also carried out an investigation, which has concluded that SBI’s servers are fully protected, and that no breach occurred.

SBI also had some words for outlets first reporting the supposed breach: “SBI has taken serious note of news articles appearing in the media regarding customer data being exposed to risk."

Yahoo Data Breach Settlement Rejected

Yahoo isn’t saying “woo-hoo!” this week.

A proposed class-action settlement in which Yahoo would have paid up to $85 million to resolve claims related to major data breaches affecting approximately 200 million users between 2012 and 2016 has been rejected.

According to U.S. District Court Judge Lucy Koh, the proposed settlement was “improper,” and Koh believes Yahoo is still not disclosing the full details of its data breaches.

“Yahoo misrepresents the number of affected Yahoo users by publicly filing an inflated, inaccurate calculation of users and simultaneously filing under seal a more accurate, much smaller number,” Koh wrote in her 24-page decision. “Yahoo’s history of nondisclosure and lack of transparency related to the data breaches are egregious. Unfortunately, the settlement agreement, proposed notice, motion for preliminary approval, and public and sealed supplemental filings continue this pattern of lack of transparency.”

In 2013, cyber-criminals stole data, including names, email addresses, passwords, phone numbers, and dates of birth, from an estimated 3 billion Yahoo accounts, but the company didn’t disclose this until December of 2016. In 2014, another breach affected approximately 500 million accounts, with similar information being stolen; again, Yahoo kept the breach under wraps until September of 2016. In the third breach, occurring between 2015 and 2016, cyber-criminals gained access to user passwords by forging cookies.

What’s next for Yahoo and the victims of the breaches? Only time will tell.

GDPR Results in 95,000 Complaints Over Data Breaches (and a Big Fine for Google)

Last week, Google was slapped with a €50 million fine (about $57 million) for failing to comply with GDPR transparency rules. The tech giant is guilty of deploying personalized ads without first obtaining user consent, and the fine marks the largest penalty to date under GDPR rules (Google is appealing the decision).

But that’s just the tip of the iceberg. Only eight months after the adoption of the EU privacy law, Europe's data protection regulators have logged more than 95,000 complaints regarding possible data breaches.

European Commission members expect that number to grow as Europeans become more aware of their rights under the new regulations. "What is at stake is not only the protection of our privacy, but also the protection of our democracies and ensuring the sustainability of our data-driven economies," they said.

Sonic Data Breach: Drive-In, Data Out

The Sonic Drive-In is trying to put controversy in its rear-view mirror.

In 2017, Sonic officials were warned of “unusual activity” among customers using credit or debit cards.

In response, the company offered this:

“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

This didn't sit well with KrebsOnSecurity. The popular cybersecurity investigation site stated, “The ongoing breach may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores."

Patrons panicked, resulting in a lawsuit within one week. It paid off; customers now appear to be eligible for a cash payment.
 
A new Sonic notice states, "The Settlement includes all residents of the United States of America who made a purchase at any one of the 325 impacted Sonic Drive-In locations and paid using a credit or debit card from April 7, 2017 through October 28, 2017."
 
For a full list of stores affected, visit Sonic's data breach site here.

Recent Data Breach at BlackRock Financial Exposes the Personal Information of Thousands

Goliath just took a hit.

Founded in 1988, BlackRock, Inc., quickly rose to the top, becoming the world's largest asset management firm. However, a recent accidental post revealing the confidential information of thousands of financial adviser clients on its website has the company reeling.

The data, which included names and email addresses of financial advisers who buy BlackRock’s exchange-traded funds (ETFs) on behalf of customers, showed up via links within the company’s web pages on Dec. 5, 2018. This leak, eventually discovered by Bloomberg this week, has since been removed. However, with assets of almost $6 trillion, nerves are rattled.

“We are conducting a full review of the matter,” BlackRock spokesman Brian Beades stated. “The inadvertent and temporary posting of the information relates to two distribution partners serving independent advisers and does not include any of their underlying client information.”

Despite the financial sector’s insistence on strict security protocols, breaches continue to cause damage. JPMorgan Chase & Co. was one such victim. In 2014, the data of nearly 80 million clients was exposed due to a data breach. In the aftermath, the company went on an IT security spree, doing everything it could to retain customers and assure them they were safe.

Is that enough? “It’s a permanent battle,” says Beades, but he resolves that BlackRock, Inc. will continue to fight.

John Reed Stark, a cybersecurity consultant and former member of the SEC, had this to say of the BlackRock breach: “Data security incidents are inevitable. The most important thing in this kind of situation is about the response from the firm, and whether they’re communicating accurately about what happened.”

Collection #1 Data Breach Exposes Millions of Emails and Passwords on MEGA Cloud Service

If you’ve just memorized your password, it may be time to change it again.

IT security researcher Troy Hunt has discovered that almost 22 million passwords and over 770 million email addresses were released on the popular cloud storage service MEGA. Cyber criminals posted a link to the password and email address dump on a hacking forum in a folder called “Collection #1.” It has since been taken down.

According to Hunt, the emails and passwords come from thousands of sources, dating all the way back to 2008.  He found the collection after being alerted by various sources, and even discovered old email addresses and passwords of his own within the file. While his were no longer in use, others may not be so lucky.

Hunt has placed the compromised email addresses and passwords on his website, haveibeenpwned. Anyone can check to see if their email has been breached, and learn what next steps they should take.

"It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web," he added.

Individuals reusing passwords is thought to be the cause of the recent HSBC Bank breach. Credential stuffing, a term coined by former Deputy Assistant Secretary of Defense Sumit Agarwal, refers to hackers automating logins for thousands or millions of users on one site utilizing previously discovered credential pairs from another site. Due to people’s habit of reusing passwords across multiple sites, hackers are almost guaranteed access into multiple accounts.

Recent Data Breaches Plaguing Kitchen Goods Company OXO

Out of the frying pan, into the fire.

Award-winning kitchen and housewares giant OXO has been notifying customers of a data breach over the past few months, and it’s just released another notification.

In a breach disclosure letter filed with the State of California, OXO said that the data security incident compromised the personal information of its customers, including names, billing and shipping addresses, and credit card information.

OXO identified three specific time frames:

  • June 9, 2017 — Nov. 18, 2017

  • June 8, 2018 — June 9, 2018

  • July 20, 2018 — Oct. 16, 2018

The breach is believed to be caused by Magecart malware, which was found on OXO’s e-commerce website. Magecart is also responsible for data breaches affecting the e-commerce sites of BevMo, British Airways, Newegg, and Ticketmaster UK.

OXO is currently working with security consultants and forensic investigators, who are looking at past vulnerabilities and taking measures to secure the site against future incidents.

Recent Marriott Data Breach Has Company Facing $8.8 Billion in Fines

The good news for Marriott? Latest reports show the recently revealed data breach involved just over 380 million guest records versus the 500 million initially estimated.

The bad news? Marriott is now under investigation in several countries within the European Union, where local authorities are participating within the framework of the General Data Protection Regulation (GDPR).

The GDPR is a very complex set of rules and regulations that dictates how data is stored, processed, shared, and managed. It also addresses the security of data, and what companies must do in the event of a security breach. Global companies that fail to follow GDPR regulations can face hefty fines.

So what’s at stake for the hotel and resort giant? With a global yearly revenue of nearly $23 billion in 2017, the EU could impose fines of 4%, or approximately $8.8 billion, far greater than the initial estimate of $3.5 billion predicted by analysts.

Even worse, if it’s discovered that Marriott was aware of the breach before it was revealed, the United States Securities and Exchange Commission may also pursue legal action for causing financial losses to company investors. 

Marriott continues to try to make amends, offering compensation to breach victims and creating a website where they can get answers as well as a call center, 877-273-9481.

Neiman Marcus Data Breach Settlement Reached

Further demonstrating the importance of strong data security, the attorneys general of 43 states have reached a $1.5 million settlement with the Neiman Marcus Group. The multi-state settlement resolves an investigation into a 2013 breach that compromised thousands of customer credit cards.

During the investigation, investigators discovered that the breach compromised approximately 370,000 credit cards, and that nearly 10,000 of those were used fraudulently.

In addition to the payout, Neiman Marcus was also required to overhaul its information security measures to prevent data breaches in the future.

Malware Attack Targets Tribune Newspapers Including NY Times, LA Times

It looked like nothing more than a simple server outage. However, as Saturday, December 29 unfolded, it became clear that the delayed deliveries of major newspapers were due to a malware attack.

Despite attempts to quarantine the virus, which originated from outside the United States, it quickly spread throughout the Tribune Publishing network, infecting systems critical to production and printing.

The Los Angeles Times, San Diego Union Tribune, Wall Street Journal, New York Times, Chicago Tribune, Baltimore Sun, Orlando Sentinel, and others across the country were affected.

“We believe the intention of the attack was to disable infrastructure, more specifically servers, as opposed to looking to steal information,” said an anonymous source.

Tribune Publishing issued an apology for the delay in news delivery, but was lucky to be able to report that client data had not been breached in this attack.

Recent Data Breach at Marriott

It was announced today, November 30, that Marriott’s guest reservation system was hacked, and the personal information of 500 million guests has possibly been exposed. According to the hotel giant, this more specifically affects the Starwood database which includes the Sheraton, St. Regis, W, and Westin hotels.

According to Marriott: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” The company goes on to say that the payment card information stored within their site was encrypted, and they are unsure as of now if the decryption information was stolen as well.

What is most unsettling about this is that Marriott made this discovery in September 2018, but then learned during the investigation that the unauthorized access to the Starwood database started in 2014. 

Affected guests should receive notification from Marriott over the coming weeks. This massive breach will now become one of the largest corporate data breaches to date.  

Recent Data Breach at Radisson Hotels

Last week, the Radisson Hotel Group—a network of more than 1,400 hotels in more than 70 countries—reported that a data breach within its Radisson Rewards program compromised the personal data of a “small percentage” of members. What’s more worrisome for the hotel group is that those affected were not informed until more than a month later—far beyond the 72-hour notification required by the European Union’s (EU’s) General Data Protection Regulation (GDPR).

For the hotel group, which is headquartered in Brussels within the EU, steep fines could be forthcoming. If the breach is found to have infringed upon the organization’s obligations, the Radisson Group could be fined up to 10 million Euros (over $11 million), or 2% annual global turnover, whichever is higher. If the breach is found to have infringed upon any individual’s privacy rights, the group could be liable for up to 20 million Euros (nearly $22.5 million) or 4% annual global turnover, whichever is higher.

Ross Rustici, senior director of intelligence services at Boston-based firm Cybereason, said the breach will be an interesting test case under the GDPR, which went into effect May 25, 2018. “Each major company that suffers an incident is going to be a test bed for how stringently GDPR gets enforced and what the private sector can actually expect from the regulations,” Rustici said.

Recent Data Breach at HSBC Bank

HSBC Bank, the world’s seventh largest bank, warned approximately 14,000 U.S. customers last week that their personal data, including name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history, was compromised in a breach. The bank did state that despite the breach, it did not appear that any fraudulent activity was carried out using the information.

HSBC believes the breach is the result of a credential stuffing cyberattack. Credential stuffing, a term coined by former Deputy Assistant Secretary of Defense Sumit Agarwal, refers to hackers automating logins for thousands or millions of users on one site utilizing previously discovered credential pairs from another site. Due to people’s habit of reusing passwords across multiple sites, hackers are almost guaranteed access into multiple accounts. "We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts," an HSBC release stated.

Recent Data Breach at LinkedIn

Facebook recently skirted a $1.6 billion General Data Protection Regulation (GDPR) fine for the Cambridge Analytica scandal by virtue of the breach happening prior to the European Union’s GDPR implementation. Now, LinkedIn—the “social network of the working world”—has done the same. In a November 23 report released by Ireland’s Data Protection Commissioner, it was revealed that LinkedIn had violated the GDPR, which affects many US-based international companies.

According to the report, LinkedIn used the email addresses of 18 million non-subscribers to place targeted ads on Facebook, in a bid to acquire new users (the report does not explain how LinkedIn acquired the addresses). Just as in the Facebook case, however, the social media giant was engaging in the practice prior to the GDPR implementation, so fines could not be imposed. However, LinkedIn was forced to delete all personal data associated with the incident prior to GDPR implementation, and the company’s head of privacy issued a formal apology.

Recent Data Breach at Dell

On November 28, Dell revealed that in an effort to protect their customers’ personal data, they had no choice but to reset all customer account passwords. This announcement came after Dell learned that there was “unauthorized activity on its network” on November 9, when hackers attempted to gain access to names, email addresses, and passwords from the Dell.com electronics store.

"Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation," the company stated in a press release. "Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement."

While it’s unclear how many accounts were affected, this once again reveals that hackers are trying to obtain personal information from wherever they can, including computing giants like Dell. If you are a Dell.com customer and you use your old Dell.com password for other accounts, the company recommends you change those passwords immediately.

Recent Data Breach at Google+

In March, Google discovered a bug in the application program interface (API) for Google+, the tech giant’s social media platform. The bug had been allowing third-party app developers to access the personal data of not only users who had granted permission, but also the friends of those users since 2015. What has the public most outraged, however, is that while Google uncovered the problem in March, the company failed to disclose the leak to the estimated 500,000 people affected (and the public has spoken; following the announcement, Google shares dropped 1.3% on Monday).

Why didn’t Google notify the public of the breach? Because it would have invited comparison to the Facebook scandal happening at the time. The Facebook scandal, in which political consulting group Cambridge Analytica gained access to millions of Facebook users’ data without their consent and which led to CEO Mark Zuckerberg being hauled in front of the U.S. Congress, was something Google wanted no part in. A Google memo obtained by the Wall Street Journal confirms this: “[disclosure] almost guarantees Sundar will testify before Congress and invite immediate regulatory interest,” the memo said, referring to Google CEO Sundar Pichai.

While it may seem that failure to disclose the breach would be breaking the law, Google found a loophole. In California, where the company resides, a data leak only needs to be disclosed if it includes both an individual’s name and Social Security number, ID card or driver’s license number, license plate, or medical or health insurance information. However, because Google only maintains logs of API use for two weeks, it had no way of knowing what information was made available due to the bug. “None of the thresholds for public disclosure were met,” said Ben Smith, Google’s Vice President of Engineering.

Now, the consumer version of Google+ is going dark. No doubt in part because of the breach, but also because of, in Google’s own words in a blog post this week, “the significant challenges in creating and maintaining a successful product” and “low consumer usage.” Google stated that they will wind down the service over the next 10 months to give users time to transition, download, and migrate their data. The company does plan to maintain Google+ for enterprise users, where co-workers can engage in internal discussion on a secure corporate social network.

Healthcare Data Breaches

Recent Data Breach Targets Michigan Healthcare Provider

Healthcare organizations—including hospitals, labs, pharmacies, drug companies, and outpatient clinics—continue to attract the attention of cyber criminals due to the sheer amount of data they possess. Breaches hit the industry hard in 2018, with over six million records being exposed, and the trend is sure to continue in 2019.

The latest facility to be targeted is the Sacred Heart Rehabilitation Center in Richmond, Michigan. The center has just notified patients about two phishing attacks that compromised an employee’s email account.

Once the breach was discovered, Sacred Heart launched an investigation and brought on forensic specialists to determine the scope of the attack and the amount and type of information that was contained in employees’ email accounts. Ultimately, the organization learned that the email account included patient names, addresses, health insurance information, treatment information, and Social Security numbers.

While the behavioral health provider did not disclose the number of patients affected, it did report that not all patients’ data was compromised. Eventually, Sacred Heart will be required to report the number of patients affected to the Health and Human Services Office to be recorded on their data breach website.

Free credit monitoring and identity theft protection have been offered to patients with compromised Social Security numbers, and Sacred Heart is in the process of retraining employees on cybersecurity issues to avoid future attacks.

Recent Data Breach at Bankers Life

Bankers Life, a subsidiary of CNO Financial Group, and provider of health and life insurance plans with 1.4 million policyholders, was forced to notify more than 566,000 individuals—more than one-third of their clientele—that personal information was exposed in a hacking incident. Information stolen by hackers included names, addresses, dates of birth, insurance policy numbers, insurance type, premium amounts, dates of service, claim amounts, and the last four digits of Social Security numbers.

Prior to alerting policyholders, CNO first reported the incident to the Department of Health and Human Services (HHS), citing an “unauthorized access/disclosure breach.” The insurers stated that employee credentials were compromised, enabling third parties to gain unauthorized access to company websites housing personal data on policyholders and applicants.

According to the HIPAA Journal, this is the fifth largest healthcare data breach of 2018, and it has already made the HHS’s list of major breaches affecting over 500 people, commonly called the "wall of shame." DSM recently covered the biggest healthcare data breaches of 2018, why hackers love the healthcare industry, and how organizations can fight back. Read more here: Healthcare Data Breaches in 2018: A Bad Year for Data Privacy.

Recent Data Breach at UnityPoint Health

In July, UnityPoint Health—a Madison, Wisconsin-based hospital—was forced to notify 1.4 million patients that their records were breached due to a phishing attack. Adding insult to injury, this is the second breach for UnityPoint this year; in April, another phishing attack on staff email accounts compromised the data of 16,000 patients. The attack was carried out by hackers who sent phony emails to employees, impersonating a top executive and requesting access to email accounts. Staff complied, giving the hackers easy access to the confidential records.

The hacked accounts contained protected health information, including names, addresses, medical data, treatment information, lab results and/or insurance information. For some of the 1.4 million patients, payment card and Social Security numbers were also included in the breach.

Government Data Breaches
