Tag Archive for: people

Nearly 3M people hit in Harvard Pilgrim healthcare data theft • The Register

/in


Infosec in brief Nearly a year on from the discovery of a massive data theft at healthcare biz Harvard Pilgrim, and the number of victims has now risen to nearly 2.9 million people in all US states.

Pilgrim’s problems were first admitted last year after a March ransomware infection that affected systems tied to the health services firm’s commercial and Medicare Advantage plans. While the intrusion occurred on March 28, 2023, it wasn’t discovered until April 17. Pilgrim says it believed customer data was extracted in the interim period.

“After detecting the unauthorized party, we proactively took our systems offline to contain the threat,” Harvard Pilgrim said in its latest notification letter sent out this month. “We notified law enforcement and regulators and are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.”

Names, physical addresses, phone numbers, birth dates, clinical information including lab results, and social security ID numbers were all compromised, Harvard Pilgrim said. 

The latest notification letters mark the fourth time Harvard Pilgrim has updated the total number of victims. An update in February put the total number at 2,632,275 individual records exposed; now it is reporting a total of 2,860,795 people. 

As is usually the case in these sorts of dramas, credit monitoring and identity protection services are being offered, and the business doesn’t believe any of the stolen data has been misused as a result of the theft – that it knows about at least. 

It’s not uncommon for victim numbers to increase during the course of an investigation, though 2.8 million is a lot of people and may not be the final tally yet.

“Our investigation is still underway and we will continue to provide notification in the event we identify additional individuals whose information may have been impacted,” a spokesperson told The Register.

Critical vulnerabilities: A very Cisco week

There weren’t a ton of critical vulnerabilities to report this week, though Cisco did have a pretty busy few days with a series of updates going out for IOS and other products.

Source…

Personal data of 2.4m people and The Block votes allegedly stolen

/in








MediaWorks hack claims: Personal data of 2.4m people and The Block votes allegedly stolen

































































































































ZB
ZB


























Source…

FTC slams Blackbaud for “shoddy security” after hacker stole data belonging to thousands of non-profits and millions of people

/in


Data and software services firm Blackbaud’s cybersecurity was criticised as “lax” and “shoddy” by the United States Federal Trade Commission (FTC) in a damning post-mortem of the business’s February 2020 data breach.

According to the FTC, Blackbaud’s poor security breach in February 2020 led to a hacker accessing the company’s customer databases and stealing personal information of millions of consumers in the United States, Canada, the UK, and the Netherlands.

Blackbaud’s affected customers are mainly non-profits, such as healthcare agencies, charities, and educational organizations.

Data stolen by the hacker included unencrypted personal information, such as consumers’ and donors’ full names, ages, dates of birth, social security numbers, addresses, phone numbers, email addresses, financial details (bank account information, estimated wealth, and identified assets), medical and health insurance information, gender, religious beliefs, marital status, spouse names, spouses’ donation history, employment details, salaries, education, and account credentials.

The security failure was exacerbated by Blackbaud not enforcing its own data retention policies, causing customer data to be kept for years longer than necessary. Blackbaud also retained data of former and potential customers for years longer than required.

All of which was a treasure trove for the attacker, who demanded a ransom from Blackbaud or threatened to expose the stolen data. The company paid 24 Bitcoin (worth US $235,000) to the hacker, but was not able to verify if the deleted the data.

The poor data retention practices were not the FTC’s only complaints about Blackbaud’s handling of the incident.

The FTC criticized the company for not notifying customers of the breach for two months after detection, saying Blackbaud had “misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation.”

According to Blackbaud’s customer breach notification of July 16, 2020, “The cybercriminal did not access credit card information, bank account information, or social security numbers… No action is required on your end because no personal information about your constituents was…

Source…

Hack on Defunct Ambulance Firm Affects 912,000 People

/in


Cybercrime
,
Fraud Management & Cybercrime
,
Healthcare

Archived Data Stolen 2 Months After Sale of Business Affects Patients, Employees

Marianne Kolbasuk McGee (HealthInfoSec) •
January 3, 2024    

Hack on Defunct Ambulance Firm Affects 912,000 People
A data theft involving archived records of defunct firm Fallon Ambulance has affected nearly 912,000 patients and employees. (Image: Fallon)

A defunct ambulance company is notifying nearly 912,000 patients and employees that their archived records were compromised in an early 2023 data theft hack. The firm previously provided emergency care in the Boston region and administrative services to affiliated transportation companies.

See Also: JavaScript and Blockchain: Technologies You Can’t Ignore

In a report to Maine’s attorney general on Dec. 29, Transformative Healthcare said its Fallon Ambulance Services subsidiary – which ceased operations in December 2022 – had experienced a hacking incident that was discovered on April 21, 2023, but appears to have started months earlier, extending from Feb. 17 to April 22.

Affected files contained information such as name, address, Social Security number, medical information – including COVID-19 testing or vaccination information – and information provided to Fallon in connection with employment or application for work, Transformative said.

While Fallon was no longer operating, the ambulance firm maintained an archived copy of data previously stored on its computer systems “to comply with legal obligations,” Transformative said in the breach notice.

“While Fallon currently has no…

Source…