Privacy Advisor

Breach Roundup

Former Regulator Warns Companies to Develop Response Plan

November 1, 2013

By Angelique Carson, CIPP/US

A former Department of Justice cybercrime prosecutor says organizations should develop a “defensible response” to data breaches and fraud incidents because it’s likely they’ll next face a regulatory investigation or legal action, Bank Info Security reports. It’s advice the companies involved in this week’s breach roundup may want to take into consideration.

Breaches

Hackers broke into database service MongoHQ using the compromised username and password of an administrator, eWeek reports. The hackers made off with the data of a “limited number” of users, according to MongoHQ.

In Missouri, Boone Hospital Center has begun notifying 125 patients that an employee working with an affiliated clinic may have accessed their personal information, including birthdates, Social Security numbers and medical diagnoses, eSecurity Planet reports.

In Minnesota, Allina Health has started to notify patients that their personal health information was improperly viewed by a certified medical assistant. More than 3,000 patients were affected, though it is not believed the information has been used nefariously. The medical assistant has since been fired.

Insurance company Fidelity Life says a USB stick with sensitive data on about 1,200 clients was stolen from an employee’s car. The data included personal bank account numbers on people who had investments with a recent acquisition, Tower Health and Life.

In South Carolina, about 33,000 residents have enrolled in the state’s new identity theft protection service. Those eligible for protection had their data exposed in last year’s hacking of the state Revenue Department.

A new study indicates that of 16 million victims of payment card information breaches in 2012, more than 25 percent were also victims of identity theft. The report found that retailers are the prime targets for payment card breaches, and that’s a trend that doesn’t look to be changing soon.

A recent data breach at Adobe impacted at least 38 million users, the company says. The stolen data was posted last weekend to AnonNews.org. Adobe has been contacting those whose encrypted password information was stolen and urging them to reset their passwords, KrebsOnSecurity reports.

Settlements and Legal Actions

Supermarket chain Schnuck Markets has recently agreed to a proposed class-action settlement following a breach involving 2.4 million credit and debit cards earlier this year, eSecurity Planet reports. The chain will pay each affected customer up to $10 for each card hit with a fraudulent charge and $10 an hour for “up to three hours of documented time spent dealing with the breach.”

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds, Law360 reports. Attorneys say the settlement is “groundbreaking” and will likely “serve as a template for other plaintiffs in class actions over data breaches,” the report states.

Finally, Dark Reading reports the U.S. Attorney’s Office has charged an alleged hacker in the UK with breaching thousands of computer systems in the U.S. and elsewhere.
