All posts by Cole Lunz

OCR Sets HIPPA Enforcement Record with Cottage Health Settlement

Alerts, Best Practices, California, Data Breaches, Did You Know, Enforcement Actions, HIPAA, OCR, , , ,

OCR Sets HIPPA Enforcement Record with Cottage Health Settlement

California-based Cottage Health agreed to pay $3 million and implement a corrective action plan as part of a HIPAA settlement to resolve allegations it had unintentionally disclosed electronic patient information. This settlement, in December 2018, brought the annual total of collections from OCR enforcement actions to $28.7 million, setting a new annual record.

Two Breaches

Cottage Health, which operates four hospitals in California, notified HHS’ OCR about two breaches of unsecured electronic protected health information (ePHI), one in December 2013 and another in December 2015, affecting more than 62,500 individuals.

The first incident occurred when the security configuration settings of the health system’s Windows operating system reportedly permitted access to files containing ePHI without requiring a username and password. As a result, patient information was available to anyone on the internet with access to Cottage Health’s server. Continue reading OCR Sets HIPPA Enforcement Record with Cottage Health Settlement

Indiana Argues Companies are Deceptive if They Suffer a Data Breach

Alerts, Best Practices, Data Breaches, Data Security Tips, Did You Know, Enforcement Actions, Indiana, Legal, , ,

The Indiana Attorney General recently lodged a claim under the Indiana Deceptive Consumer Sales Act (Indiana Deception Act) that might allow data breach victims to file class action lawsuits against companies and recover $500 or more per person in damages and attorney’s fees.

If successful, this could open the floodgates of litigation against companies who suffer data breaches exposing personally identifying information.

The Indiana Deception Act

The Indiana Deception Act protects consumers from companies who commit deceptive and unconscionable sales acts. Under the Indiana Deception Act, a company “may not commit an unfair, abusive, or deceptive act, omission, or practice in connection with a consumer transaction.” For the first time, the Indiana Attorney General recently argued that this Act should apply to data breaches. Continue reading Indiana Argues Companies are Deceptive if They Suffer a Data Breach

Google Hit with Biggest Ever GDPR Fine

Alerts, Data Breaches, Did You Know, Enforcement Actions, France, GDPR, , , ,

The biggest GDPR fine was recently issued by France’s National Data Protection Commission (CNIL) to Google  for multiple GDPR violations, the regulator recently announced. The fine? A whooping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way, saying, “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” according to the CNIL.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with privacy settings of large online companies, such as Google and Facebook; essentially stating that while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand.  Continue reading Google Hit with Biggest Ever GDPR Fine

Oklahoma Government Suffers Massive Data Leak

Alerts, Best Practices, Data Breaches, Data Security Tips, Guidance & Best Practices, , ,

Another massive data leak has been discovered.

This latest leak involves an open Oklahoma Department of Securities storage server exposing millions of records, including confidential files linked to FBI investigations, 17 years of email archives and thousands of Social Security numbers.

The breach was discovered by a researcher from cybersecurity specialist UpGuard, while scanning the web with Shodan, a search engine that lets the user find specific types of devices (webcams, routers, servers, etc.) connected to the internet using a variety of filters.

The data was exposed through an unsecured rsync service, a utility for synchronizing files across computer systems. With the IP address, registered to the Oklahoma Office of Management and Enterprise Services, anyone could download the publicly accessible files stored on the server. Continue reading Oklahoma Government Suffers Massive Data Leak

GDPR Complaints Filed Against Netflix & Amazon

Alerts, Best Practices, Data Security Tips, Did You Know, Enforcement Actions, GDPR, Guidance & Best Practices, , , ,

GDPR Complaints Filed Against Netflix & Amazon

Video steaming leaders including Netflix, Amazon, and Apple have been accused of breaking the EU’s data regulations.

General Data Protection Regulation (GDPR) rules mandate EU individuals have the right to access a copy of the personal data companies collect about them through the regulation’s right of access. However, Max Schrems’ privacy group NOYB (None Of Your Business) has said it found that most of the big streaming companies have not fully complied and has filed formal complaints – which, if upheld, could result in substantial fines for the streaming giants.

Lack of Compliance

After GDPR went into effect in May 2018, many of the biggest names in tech including Amazon, Apple, Google and Spotify began allowing customers to download a copy of their data. NOYB, however, has said it found many of these streaming industry leaders did not do enough to comply with the new law. Continue reading GDPR Complaints Filed Against Netflix & Amazon

Australian Parliament Hacked!

Alerts, Australia, Data Breaches, ,

Australian Parliament Hacked!

Australia’s parliament had to reset and change its computer network passwords after an unknown hacker tried to infiltrate and bypass its systems, according to a Reuter’s report.

As stated in the report, both Tony Smith, the speaker of the lower House of Representatives, and Scott Ryan, president of the upper house Senate, said there’s no evidence that any data had been accessed or stolen.

No Stolen Data

“We have no evidence that this is an attempt to influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes,” Smith and Ryan responded in a joint statement.

“Accurate attribution of a cyber incident takes time and investigations are being undertaken in conjunction with the relevant security agencies.” Continue reading Australian Parliament Hacked!

Massachusetts Adds New Requirements to Breach Notification Law

Alerts, Enforcement Actions, Guidance & Best Practices, InfoSec, Massachusetts, New Laws, Social Engineering, ,

Massachusetts Governor Charlie Baker recently signed a new law that amends the state’s data breach notification law.

“The improvements made to Massachusetts laws in this legislation are necessary to protect consumers from the consequences of data breaches that could expose personal information and to give consumers more control over their data and how it is used,” Governor Baker tweeted.

Key New Provisions include: Continue reading Massachusetts Adds New Requirements to Breach Notification Law

Popular Online Game ‘Town of Salem’ Suffers Data Breach Exposing 7.6 Million Players

Best Practices, Data Breaches, Data Security Tips, Guidance & Best Practices, Social Engineering, ,

A data breach at BlankMediaGames (BMG) has affected more than 7.6 million players of Town of Salem, a browser-based online role-playing game.

The Discovery

The incident was disclosed on December 28 to cybersecurity company DeHashed, which received an anonymous email containing evidence of server and database access.

DeHashed says affected data includes usernames, emails, passwords, IP addresses, game and forum activity, and payment information. Some users who paid for features also had billing data compromised.

The Breach

The attackers used a Local File Execution/Remote File Execution (LFI/RFI) attack that injects malicious code into a web server running PHP, DeHashed said.

The attackers then gained unauthorized access to the complete gamer database which contained 7,633,234 unique email addresses (most were Gmail, Hotmail, and Yahoo.com email accounts).

BMG’s Response

A BlankMediaGames developer named Achilles responded on the Town of Salem forums that no credit-card numbers were stolen. Further, Achilles wrote, all passwords were hashed and not stored in plain text.

“The only important data compromised would be your Username/hashed password, IP and email,” Achilles wrote. “Everything else is just game related data.”

Moving Forward

Data is becoming a much larger issue for game developers; just last month, Bethesda Game Studios came under fire for a bug that leaked player information from support tickets.

If you’ve played Town of Salem, you should change your password immediately.

 

German Hacker Uses Twitter to Leak Personal Data of German Politicians

Alerts, Data Breaches, Data Security Tips, Germany, Security, Uncategorized, , ,

A 20-year-old hacker has been using Twitter to leak private details belonging to hundreds of German politicians, celebrities and public figures, including German Chancellor Angela Merkel.

The Twitter Dump

Over several weeks last December, a Twitter account run by an individual calling themselves “G0d”, later identified as a 20-year-old German student,  posted links to the sensitive information, which included email addresses, phone numbers, and personal chats. The data dump was finally noticed by a German publican on January 3rd.

The account, which was quickly shut down, had more than 18,000 followers and described its activities as “security researching” and “satire and irony”. Google and Bitly also pulled the plug on the blogs and links the hacker had used to host files containing the information. Continue reading German Hacker Uses Twitter to Leak Personal Data of German Politicians

Florida Contractor Physician Group Pays $500K in HIPAA Settlement

Alerts, Court Ruling, Enforcement Actions, Florida, HIPAA, , ,

A Florida-based contractor physician group will pay $500,000 to settle alleged HIPAA violations after data on more than 9,000 patients was posted online.

Advanced Care Hospitalists PL (ACH), which provides internal medicine doctors to hospitals and nursing facilities, has also agreed to a corrective action plan as part of the HIPAA settlement, the Department of Health and Human Services announced.

Alleged HIPAA Violations

Between November 2011 and June 2012, ACH worked with an individual who claimed to be a representative of Doctor’s First Choice Billings Inc. for billing services. This person provided services to ACH using First Choice’s website and its branding but operated without knowledge of the Florida-based company’s owner, according to HHS.  Continue reading Florida Contractor Physician Group Pays $500K in HIPAA Settlement