Top Stories

2022 Cyberattack Has Cost CommonSpirit $150 Million So Far
The ransomware incident that disrupted hospital chain CommonSpirit's operations for at least a month last fall has cost the organization $150 million in lost revenue, remediation and other expenses so far.

Notice of Privacy Incident | mscripts.com
A unit of Cardinal Health Inc. that provides mobile pharmacy technology is notifying patients that their personal and medical information was accessible online without authorization for more than six years, starting in September 2016. Mscripts said after it learned about the problem with its cloud storage setup, it changed the access settings and began an investigation.

Healthcare giant CHS reports first data breach in GoAnywhere hacks
A subsequent investigation revealed that the resulting data breach affected the personal and health information of up to 1 million patients.

Breaches

Acting AG Henry Secures $400,000 Settlement with DNA Diagnostics Center After Data Breach Exposed Pennsylvanians’ Personal Info – PA Office of Attorney General
DNA Diagnostics Center Agrees to Strengthen its Network, Improve Data Security Practices, and Conduct Regular Assessments of its Computer Systems

UMass Memorial Health Center Resolves Healthcare Data Breach Lawsuit With $1.2M Settlement
The proposed settlement will resolve allegations relating to a 2020 healthcare data breach at UMass Memorial Health Center that impacted patient PHI.

Lead Article: Private Data Breach Litigation Comes of Age | Quinn Emanuel Urquhart & Sullivan, LLP - JDSupra
Companies face yet another major risk after a data breach—one which is increasing exponentially—data breach litigation brought by private plaintiffs, often in the form of class actions brought by sophisticated plaintiffs’ counsel who specialize in such cases. Private civil litigation is now a probability, not a possibility, after a major data breach. 36 major data breach class actions were filed in 2021, a 44% increase from 2020. Private plaintiffs typically race to the courthouse to jockey for position, with complaints now brought on average within four weeks of a breach announcement.

Security

Medical-Device Makers Face Push to Protect Their Wares From Hacks - WSJ
Mounting cyberattacks against hospitals and clinics and a regulatory push are increasing the pressure on medical-device manufacturers to improve the security of their products.

DDoS Attacks Continue to Threaten Healthcare Cybersecurity
HC3’s latest brief shed light on the threat of Distributed Denial of Service (DDoS) attacks on healthcare cybersecurity, noting that they may have “detrimental impact on the ability to provide care.”

6 Networks Named in Nationwide Health Data Exchange Effort
The six organizations, including electronic health record maker Epic, pledged by year-end to meet the framework for interoperability laid out in the Trusted Exchange Framework and Common Agreement. An organization designated by the Department of Health and Human Services is known as a Qualified Health Information Network - and should be able to transmit and receive patient data regardless of the underlying EHR provider.

Windows 10 20H2 for Enterprise reaches end of service in May
Microsoft says Windows 10, version 20H2 for enterprise and education users will reach the end of service (EOS) in three months, on May 9, 2023.

Privacy

A researcher tried to buy mental health data. It was surprisingly easy.
Sensitive mental health data is for sale by little-known data brokers, at times for a few hundred dollars and with little effort to hide personal information such as names and addresses, according to research released Monday.

Europe

MEPs urge European Commission to reject EU-US adequacy
The European Parliament Committee on Civil Liberties, Justice and Home Affairs does not want the European Commission to extend an adequacy decision to the U.S. based on the proposed EU-U.S. Data Privacy Framework. The committee made as much clear in its draft opinion on the EU-U.S. adequacy published Feb. 14.

Misc

Ransomware Attack Pushes City of Oakland Into State of Emergency - SecurityWeek
The city of Oakland, California issued a local state of emergency late Tuesday as a result of the ongoing impact following a ransomware attack that first hit city IT systems on Wednesday, February 8.

City of Oakland declares state of emergency in wake of ransomware attack | Engadget
While Oakland previously assured residents that 911 dispatch and fire emergency services weren't affected by the breach, its police department warned people that the attack has delayed response times. It's now encouraging people to file reports online for non-emergency complaints. Oakland also had to close some of its buildings and is now asking people to email government offices' service counters before coming to visit.

Cyber Insurers Unlikely to Offer Higher Coverage Limits Despite Better Conditions - WSJ
Most major cyber insurers are willing to write insurance for their largest customers up to around $15 million, said Jeremy Gittler, practice leader and head of cyber for the Americas at AXA SA’s XL reinsurance unit, which issues insurance for insurers. But few are likely to start issuing policies for $20 million or $50 million, which large companies sometimes need to cobble together full coverage from multiple carriers.

This is what increasing data protection laws mean for you | World Economic Forum
China's stringent 2022 data privacy regulations have many multinational organizations scrambling to comply or reorganize. But 2023 is expected to be a banner year for data protection as a number of countries are proposing or considering initiatives, including India, Brazil, Russia and possibly the United States, where individual states are creating a patchwork of rules.

OneTrust CEO Kabir Barday sued by co-chair, report says - Atlanta Business Chronicle
The founder and CEO of data security unicorn OneTrust LLC has been sued by the co-chairman for making decisions without informing the board.