OIG deems federal agencies' info security programs 'not effective'

(Apr 24, 2019) The U.S. Department of Health and Human Services’ Office of the Inspector General found the information security programs of four agencies were “not effective,” HealthITSecurity reports. The OIG reviewed the programs of HHS, the U.S. Food and Drug Administration, Centers for Medicare and Medicaid Services, and National Institutes of Health. In its annual Federal Information Security Management Act audit, the OIG writes the four entities have worked to improve their security programs; however, th...

Introducing the IAPP's 'CCPA Rights and Obligations Tool'

(Apr 23, 2019) The Westin Research Center has released a new tool to help IAPP members understand the California Consumer Privacy Act. The “CCPA Rights and Obligations Tool” organizes the act’s consumer rights and business obligations around the different phases of interaction with a consumer described in the act — initial disclosure and notice requirements and receipt and response to a consumer request — the act’s enforcement provisions, and its security obligations. The tool is intended to help privacy profe...

Database exposes addiction treatment information for 145,000 patients

(Apr 22, 2019) An unsecured online database exposed 4.91 million documents containing sensitive health information belonging to an estimated 145,000 patients seeking treatment at several addiction rehabilitation centers, CNet reports. Independent researcher Justin Paine found the database after entering keywords into the Shodan search engine; the records included patient names and details of treatments. After Paine notified the treatment center of the exposure, the data was removed from public view. "I found this ...

University settles $5.26M class action over hard drive theft

(Apr 22, 2019) Washington State University has negotiated a $5.26 million settlement over a potential data breach from 2017, The Spokesman-Review reports. The possible breach involved a stolen hard drive containing the personal information of nearly one million people. Plaintiffs in the class suit claimed the burglary, which is still unsolved, was due to the university's negligent storage of the hard drive in an unsecured area. “While Washington State University disputes the claims made in the suit, the universi...

Class-action lawsuit filed following medical marijuana data breach

(Apr 19, 2019) A class-action lawsuit has been filed against Sunniva and Natural Health Services for an alleged breach of medical marijuana customers’ data, CTV Edmonton reports. The lawsuit claims 34,000 individuals may have been impacted by the breach. Diamond & Diamond Lawyers, the firm representing the victims, stated diagnostic results, health care numbers, medical data and questionnaires were among the compromised information. “We have been working with privacy protection and law enforcement authorit...

Insurers citing war exemptions to avoid cyberattack claims

(Apr 17, 2019) Insurers have used war exemptions to avoid claims related to cyberattacks, The New York Times reports. Food company Mondelez International and pharmaceutical company Merck were both victims of the NotPetya incident in 2017. Both companies were told by insurers their claims would not be accepted as their losses were deemed collateral damage in a cyberwar. The insurers’ stance solidified after the U.S. government determined Russia was behind the cyberattack. Mondelez and Merck are both in the mids...

DHS warns of potential enterprise VPN hacking

(Apr 15, 2019) The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has warned that enterprise virtual private network applications from four vendors are vulnerable, Fortune reports. The agency and the CERT Coordination Center, the vulnerability-coordination center at Carnegie Mellon University's Software Engineering Institute, issued an advisory covering VPN applications from Cisco, Palo Alto Networks, Pulse Secure and F5 Networks that store authentication or session cookies insecurely in log files or memory. An attacker who obtains those cookies, for example from a compromised or shared endpoint, could replay them to take over the user's VPN session without the user's credentials or second factor. Rather ...

IBM study shows cybersecurity gaps, privacy focus

(Apr 12, 2019) IBM reports a number of privacy-related takeaways from "The 2019 Study on the Cyber Resilient Organization," the company's global survey of 3,600 security and IT professionals conducted by the Ponemon Institute. IBM's biggest observation from the survey was that 77% of organizations do not have a companywide cybersecurity response plan, while 54% do not regularly test the plans that are in place. The survey went on to show 78% prioritize a company's ability to keep data private, and only 20% trust...

Study: Two-thirds of hotel websites leak customer data to third parties

(Apr 10, 2019) A study conducted by Symantec found two-thirds of hotel websites inadvertently leaked customers' personal information and booking numbers to third parties, Reuters reports. Symantec analyzed 1,500 hotel websites in 54 countries. Researchers found the leaks occurred when the hotel sends confirmation emails with links that open the booking directly, with the booking reference carried in the link's URL. Third parties, such as social media platforms, search engines and advertising services, whose resources are embedded in the booking page receive the customer data via the reference code attached to th...
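The mechanism behind this kind of leak is the Referer header: when a booking page whose URL carries the reference code loads a script, pixel or widget from another origin, the browser tells that origin which page made the request. The following is an added example, not code from Symantec or from the article, that models what a browser sends for a constructed booking URL under the named Referrer-Policy values and lists which embedded third parties would receive the reference code. The hotel and third-party hostnames, the booking URL and the resource list are all constructed for illustration; the policy rules follow the W3C Referrer Policy definitions, simplified to the https-to-http downgrade case.

```python
"""Model Referer leakage of a booking reference to third-party embeds.

Added example (not from the Symantec study or the article). All hostnames,
the booking URL and the resource list below are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: a "view your booking" link as it might appear in a
# confirmation email, with the booking reference in the query string.
BOOKING_URL = ("https://www.example-hotel.com/booking/view"
               "?ref=ABC123XYZ&email=guest%40example.com")

# Constructed sample: resources the booking page loads. The last two are
# third-party origins (analytics and a social widget).
PAGE_RESOURCES = [
    "https://www.example-hotel.com/static/app.js",
    "https://analytics.example-adnetwork.com/collect.js",
    "https://social.example-platform.com/widget.js",
]


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _full_referrer(url):
    # A Referer never carries the fragment; path and query are kept.
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def referer_for(page_url, target_url, policy):
    """Referer value a browser sends when page_url fetches target_url under
    the given Referrer-Policy, or None when no Referer is sent."""
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(target_url).scheme == "http")
    full = _full_referrer(page_url)
    origin_only = _origin(page_url) + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":   # the old browser default
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":   # current browser default
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def third_party_leaks(page_url, resources, policy, secret_param="ref"):
    """Third-party resources whose Referer would carry secret_param."""
    leaks = []
    for res in resources:
        if _origin(res) == _origin(page_url):
            continue  # first-party fetch, not a leak to a third party
        ref = referer_for(page_url, res, policy)
        if ref and secret_param in parse_qs(urlsplit(ref).query):
            leaks.append(res)
    return leaks


if __name__ == "__main__":
    for pol in ("unsafe-url", "no-referrer-when-downgrade",
                "strict-origin-when-cross-origin", "same-origin"):
        print(f"{pol:32s} leaks to: {third_party_leaks(BOOKING_URL, PAGE_RESOURCES, pol)}")
```

Under the policy browsers used as the default in 2019, no-referrer-when-downgrade, both third-party origins receive the full URL including the reference code; strict-origin-when-cross-origin, which browsers have since made the default, sends only the hotel's origin. Setting a `Referrer-Policy` header on the booking page closes this particular path, but the stronger fix is not to put a long-lived booking reference in a URL at all, since it still ends up in browser history, proxy logs and any page the user forwards.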