Issue 51 May 26th 2023

Breaches

Data Breach at Debt Collection Agency Impacts Multiple Healthcare Providers

R&B Corporation of Virginia, also known as Credit Control Corporation (CCC), reported a data breach to the Maine Attorney General’s Office that impacted more than 286,000 individuals. CCC is a business associate to a variety of healthcare organizations.

2M Individuals Impacted by Healthcare Data Breach at Apria Healthcare

Nearly 2 million patients were notified by Apria Healthcare about a healthcare data breach that dates back to April 2019, during which hackers infiltrated their computer systems and accessed personal health information (PHI) over a series of months

Cyberattack of Amazon's PillPack compromised user health info

An unauthorized person used customer emails and passwords to log into PillPack customer accounts, over 3,000 of which contained prescription information. Social Security numbers and payment information were not involved in the attack, according to the online pharmacy.

NY AG Fines Practice Management Firm $550K in 2020 Breach

Amherst, New York-based Professional Business Systems Inc., which does business as Practicefirst Medical Management Solutions, in January 2019 failed to apply a software update from its firewall provider to patch a critical vulnerability, said New York Attorney General Letitia James in a statement Tuesday.

CommonSpirit Ups Cost Estimate on Its 2022 Ransomware Breach

Hospital chain CommonSpirit upped its estimate of the financial toll incurred by a ransomware incident last fall that disrupted patient services at some of its facilities for weeks, saying the incident cost it an estimated $160 million.

Security

Cybersecurity Chiefs Navigate AI Risks and Potential Rewards - WSJ

Security chiefs say the benefits of artificial intelligence are clear, but that the promises and risks of early generative AI are overblown.

KY Health System Suffers Cyber Incident

Kentucky-based Norton Healthcare is responding to and recovering from a cyber incident that began on May 9 and led to longer phone wait times and delays in network-related capabilities. The health system’s initial notice stated that its information services team noticed suspicious network activity on May 9 and also received a faxed communication containing demands and threats.

Privacy

New options for anonymization ahead?

The question of what constitutes "personal data" touches on the foundation of data protection law, as it determines whether or not the GDPR and other data protection laws apply. Notwithstanding, the circumstances in which a natural person is "identifiable," and personal data can therefore be processed, are far from clear. In particular, the concept of anonymization remained clouded for decades, with EU data protection supervisory authorities and national courts holding anonymization is virtually impossible as long as someone, even a third party, can identify the respective person (referred to as the "absolute" concept of identifiability).

Europe

Meta fined GDPR-record 1.2 billion euros in data transfer case

The fine, which is the highest to date under the nearly five-year-old EU General Data Protection Regulation, was accompanied by an order requiring Meta Ireland-owned Facebook to suspend future transfers of personal data to the U.S. within five months of the DPC's decision and to bring its processing operations into compliance "by ceasing the unlawful processing, including storage, in the U.S. of personal data" of EU and European Economic Area users within six months of the DPC's notification to Meta.

Misc

Unlawful data processing claims: An insurance perspective

Privacy-related claims are on the rise, and they have focused on the wrongful collection of personal data. In turn, insurance carriers scrutinize companies' security practices and assess the types of data they collect and how it is used. Insurance carriers increasingly require supplemental applications to specifically address how policyholders collect personal data.