Top Stories

$228 Million Privacy Ruling Against Rail Giant Is ‘Wake-Up Call’ for Third-Party Risk - WSJ
A jury’s award of $228 million to truck drivers whose fingerprints were scanned without proper consent signaled that businesses can’t blame data violations on vendors, privacy lawyers say.

EyeMed’s $4.5 Million Cyber Fine Shows Ramped-Up Regulation of Financial Firms
The New York State Department of Financial Services last week said its investigation found the insurance firm broke state rules by failing to implement multifactor authentication for its email system and allowing nine employees to share login credentials to the affected mailbox.

Medibank Acknowledges Data Breach Including Medical Data
The company, Australia's largest private health insurer with 3.9 million customers, has over the course of a week transformed from being confident that it repelled hackers to being apologetic after disclosing Thursday that the incident it first detected Oct. 12 is a data breach.
Medibank now says it's been contacted by a criminal claiming to have taken 200 gigabytes worth of data from the company - sharing as proof records from 100 policies that contain information such as diagnostic codes, full names and addresses, and the location of medical service delivery. The company says the hacker claims to also have obtained payment card data, but it hasn't verified the claim's veracity. Customer-facing systems remain online but may be temporarily disrupted by security operations.

Breaches

Microsoft leaked 2.4TB of data belonging to sensitive customers. Critics are furious | Ars Technica
Microsoft is facing criticism for the way it disclosed a recent security lapse that exposed what a security company said was 2.4 terabytes of data that included signed invoices and contracts, contact information, and emails of 65,000 current or prospective customers spanning five years.

Health system data breach due to Meta Pixel hits 3 million patients
Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients.
The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information.

HHS Investigates Hack at Pennsylvania Healthcare Provider
An unauthorized party accessed files in Keystone's technology systems between July 28 and Aug. 19, compromising clinical and personal information related to 235,237 patients.

Healthcare Data Breach Impacts 13 Anesthesia Providers, 380K Individuals
Breach notifications have been scarce, but one media notice from Anesthesia Associates of El Paso explained that the breach impacted the practice’s unnamed management company.
“Information stored in the Management Company’s system could include some combination of patient names, addresses, health insurance policy number, Social Security numbers, payment information, and health information such as treatment and diagnosis,” the notice explained.

Security

BD Totalys™ MultiProcessor - Hardcoded Credentials
Medical tech manufacturer Becton, Dickinson & Co. said its BD Totalys MultiProcessor, which screens for cervical cancer, can be exploited by hackers to access, change or delete patient data through the device's hard-coded credentials. The company said an upgrade due by the end of the year will fix the problem.

Many Healthcare Orgs Suffer IT Outages After Ransomware Attacks
A Trend Micro study found that 86 percent of surveyed healthcare organizations hit by ransomware attacks had experienced IT outages.

US govt warns of Daixin Team targeting health orgs with ransomware
CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

Privacy

Google sued over biometric data collection without consent
The Texas AG says that Google allegedly used products and services like Google Photos, Google Assistant, and Nest Hub Max to collect a vast array of biometric identifiers, including voiceprints and records of face geometry, since 2015.

Truck Drivers Win Lawsuit Against BNSF for Unlawful Fingerprint Scans - Fleet Management - Trucking Info
The company must pay $228 million in damages to Illinois truck drivers who sued the railroad in 2019 under the state's strict biometrics privacy law that requires organizations to obtain permission from individuals before collecting data such as eye or fingerprint scans.

Europe

Greek DPA imposes 20M euro fine on Clearview AI for unlawful processing of personal data
On July 13, Greece’s data protection authority, the Hellenic Data Protection Authority, imposed a fine of 20 million euros on U.S.-based company Clearview AI for violating multiple provisions of the EU General Data Protection Regulation.

German Cybersecurity Head Dismissed for Alleged Russia Ties
Germany's minister of the interior dismissed Arne Schönbohm, who until Tuesday was the longtime head of the government agency responsible for securing the federal government from cyberthreats.

Misc

"Voice biomarker" tech analyzes your voice for signs of depression
Software that analyzes snippets of your speech to identify mental health problems is rapidly making its way into call centers, medical clinics and telehealth platforms.