Legal News

Connecticut Legislature Enhances Data Breach Notification Law

The Connecticut legislature has enhanced its data breach notification law, expanding the definition of personal information and shortening the maximum time frame for issuing breach notifications. The new law brings the data breach notification requirements in the state of Connecticut in line with those of other states that have recently updated their own privacy and security laws. The new data breach notification law was unanimously passed by the House of Representatives and the Senate and now awaits state Governor Ned Lamont’s signature.

“Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so. Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved,” said Attorney General William Tong. “This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents.”

Previously, notification letters were only required for breaches of an individual’s first name or initial and last name in combination with either a state ID card number, driver’s license number, Social Security number, credit or debit card number, or a financial account number with codes or passwords that would allow the account to be accessed.

The definition of personal data has now been expanded to also include the following data elements:

  • Taxpayer identification number
  • IRS Identity protection personal identification number
  • Passport number
  • Military identification number
  • Other government-issued identification number used for identity verification
  • Medical information: Medical history, mental or physical health condition, diagnoses, and treatment information
  • Health insurance policy/subscriber number
  • Biometric information used to authenticate an individual’s identity, e.g., fingerprints, voice print, retina or iris image
  • Username or electronic mail address if combined with a password or security question and answer that allows the account to be accessed

Previously, businesses experiencing a breach of personal data were required to send notifications to affected Connecticut residents and the state Attorney General within 90 days of the discovery of a breach. That time frame has now been shortened to 60 days, but notifications should be issued without unreasonable delay. If it is not reasonably believed that it will be possible to identify affected individuals and obtain contact information within 60 days, a substitute breach notice is required.

In the event of a breach of login credentials that allows an account to be accessed, electronic or other forms of notifications must be issued that direct affected individuals to change their password or security questions and answers, or take other steps to protect the affected account.

All entities required to comply with the Health Insurance Portability and Accountability Act (HIPAA) or the HITECH Act are deemed to be in compliance with the new data breach notification law if they are compliant with the requirements of those acts.

Any documents or material collected in connection with the investigation of a security breach are exempt from public disclosure, although they can be made available to third parties at the discretion of the Attorney General in furtherance of an investigation.

The amendments to data breach notification law in Connecticut will take effect on October 1, 2021 if the bill is signed by the state governor.

The post Connecticut Legislature Enhances Data Breach Notification Law appeared first on HIPAA Journal.

Houston Hospital Workers’ Lawsuit over Vaccine Mandate Dismissed by Federal Judge

Many U.S. employers have implemented a policy that requires their workers to be vaccinated against COVID-19, including several major healthcare systems and hospitals. These policies are in line with the guidance issued by the U.S. Equal Employment Opportunity Commission last month, which confirmed that U.S. employers are within their rights to require their employees to be vaccinated, with certain exceptions such as on medical or religious grounds.

Houston Methodist Hospital in Texas introduced its vaccine mandate to ensure patients were protected against COVID-19 and set a June 7, 2021 deadline for employees to be vaccinated. While the majority of workers at Houston Methodist Hospital have been or have agreed to be vaccinated against COVID-19, on Monday, June 7, a small minority of workers staged a walkout over the vaccine requirements. On Tuesday, the hospital decided to suspend 178 workers without pay over their refusal to be inoculated.

A lawsuit was brought by 117 of those workers, with lead plaintiff Jennifer Bridges claiming that if she were dismissed for refusing the vaccine it would constitute wrongful termination. Bridges maintains that the vaccines, which have been granted emergency use authorizations by the Food and Drug Administration, are experimental and dangerous. All three of the vaccines covered by the emergency use declarations have undergone clinical trials and a post-market study and have been determined to be safe.

On Saturday, U.S. District Judge Lynn N. Hughes in the Southern District of Texas issued a ruling that upheld the hospital’s vaccination requirement. Judge Hughes said the decision to require employees to be vaccinated against COVID-19 was consistent with the hospital’s public policy and rejected claims of the plaintiffs that the vaccines were experimental and dangerous.

“The hospital’s employees are not participants in a human trial,” said Judge Hughes in his ruling. “Methodist is trying to do their business of saving lives without giving [patients] the Covid-19 virus. It is a choice made to keep staff, patients and their families safer.”

The judge explained in the ruling that under Texas law, employers are within their rights to require employees to be vaccinated. There are laws to protect employees against wrongful termination, but in cases such as this, employees would only be protected against termination for refusing to commit an act that carries criminal penalties.

“Our employees and physicians made their decisions for our patients, who are always at the center of everything we do,” said Houston Methodist Hospital Chief Executive Dr. Marc Boom in a statement. “We can now put this behind us and continue our focus on unparalleled safety, quality, service and innovation… All our employees have now met the requirements of the vaccine policy and I couldn’t be prouder of them.”

The hospital confirmed that 24,947 employees had been fully vaccinated, 285 workers were not vaccinated due to medical or religious exemptions, and 332 employees were granted deferrals for pregnancy or other reasons.

Once the suspension period expires on June 21, 2021, termination procedures will be implemented for all employees who have still not been vaccinated. The lawyers representing the plaintiffs plan to appeal the ruling.


IT Security Company COO Charged with Cyberattack on Georgia Medical Center

The Chief Operating Officer of an IT security firm has been charged over a financially motivated cyberattack on Gwinnett Medical Center in Lawrenceville, GA in September 2018.

Vikas Singla, 45, of Marietta, GA is the COO of Securolytics, a network security company in the metro-Atlanta region. On June 8, 2021, Singla was indicted by a federal grand jury for allegedly accessing the systems of the healthcare provider, disrupting its phone and network printer services, and stealing information from a Hologic R2 digitizing device.

According to the Department of Justice, the attack was conducted, in part, for financial gain and commercial advantage. According to court documents at least 10 protected computers were damaged in the attack. It is unclear whether Singla, or his IT company, had any previous business relationship with Gwinnett Medical Center and why the medical center was targeted.

Singla was arraigned in the U.S. District Court for the Northern District of Georgia on June 10, 2021 and was charged with 17 counts of causing intentional damage to a protected computer and one count of obtaining information from a protected computer. Singla faces a maximum sentence of 10 years in jail for each of the intentional damage to a protected computer counts and a maximum jail term of 5 years for the theft of information count.

Singla is not believed to have acted alone. According to the indictment, Singla was aided and abetted by other individuals, although they have not been named. Singla pleaded not guilty to the charges and has been released on bond. The date for the trial has yet to be set.

“Criminal disruptions of hospital computer networks can have tragic consequences,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “The department is committed to holding accountable those who endanger the lives of patients by damaging computers that are essential in the operation of our health care system.”

“This cyberattack on a hospital not only could have had disastrous consequences, but patients’ personal information was also compromised,” said Special Agent in Charge Chris Hacker of the FBI’s Atlanta Field Office. “The FBI and our law enforcement partners are determined to hold accountable those who allegedly put people’s health and safety at risk while driven by greed.”


Texas Legislature Passes Bill Calling for State AG to Establish Data Breach ‘Wall of Shame’

The Texas Legislature has followed in the footsteps of California and Maine and has passed a bill that requires the Texas Attorney General to publish notices of breaches of personal data that affect state residents on the state Attorney General’s public-facing website.

House Bill 3746, which was unanimously passed, amends the Texas Business and Commerce Code § 521.053 and calls for the Texas Attorney General to publish notifications of data breaches that have affected 250 or more Texas residents and to update the website to include the notification within 30 days of the notification being received.

Once a company has been listed on the website, the listing must remain in place for 12 months. The listing will be removed provided the individual or company has not suffered any further data breaches affecting 250 or more Texas residents during that 12-month period.

Texas law requires notifications of breaches of system security to be sent to the state Attorney General within 60 days of the breach being discovered. The breach notices must include a detailed description of the nature of the breach, how it occurred, and whether any sensitive information was acquired as a result of the breach. The notices must include the number of individuals known to be affected by the breach at the time the notification is issued to the state Attorney General. Notifications also need to include details of the measures taken regarding the breach, the measures planned in relation to the breach, and whether law enforcement is engaged to investigate the breach.

The bill updates existing data breach notification requirements to also require the Attorney General to be notified how many Texas residents have been sent a notification by mail or other direct method of communication at the time the notification to the Texas Attorney General is issued.

The bill now awaits the signature of Texas Governor Greg Abbott. If the bill is signed, it will take effect from September 1, 2021.


Humana and Cotiviti Facing Class Action Lawsuit over 63,000-Record Data Breach

The Louisville, KY-based health insurance and healthcare provider Humana and its business associate Cotiviti are facing legal action over a data breach discovered in late December 2020.

On May 26, 2021, a lawsuit was filed in the U.S. District Court for the Western District of Kentucky over the mishandling of Humana insurance plan members’ medical records. Humana had contracted with Cotiviti to handle medical records requests to send to the HHS’ Centers for Medicare and Medicaid Services (CMS). Cotiviti had subcontracted some of the work to Visionary Medical Systems Inc.

According to the lawsuit, an employee of Visionary Medical Systems uploaded the private and confidential medical records of Humana members to a personal Google Drive account in order to provide medical coding training as part of a “personal coding business endeavor.”

The medical records were copied to the Google Drive account between October 12 and December 16, 2020, and that account was publicly accessible. The actions of the employee violated HIPAA and the terms of the business associate agreement. Visionary Medical Systems discovered the violation and reported the breach to Humana on December 22, 2020.

As required by the HIPAA Breach Notification Rule, Humana notified the Department of Health and Human Services about the breach within 60 days, with the breach notice, submitted on February 22, 2021, listing the data breach as an unauthorized access/disclosure incident on a network server that affected 63,000 individuals. Those individuals were notified about the exposure of their personal and health information on March 1, 2021.

Patients were informed the exposed information included names, addresses, dates of birth, full and partial Social Security numbers, and other sensitive information. Humana said it was working with its business associate and subcontractors to ensure appropriate physical and technical safeguards are put in place. Humana also offered affected individuals a complimentary membership to Equifax’s credit monitoring and identity theft protection services for two years.

Plaintiff, Janie Segars of South Carolina, claims Humana failed to provide any information about how the breach occurred, did not explain exactly what information had been exposed, and who may have accessed the exposed data. “Since Humana has decided to keep this information secret, part of the reason this lawsuit is necessary is to determine what happened so that class members may take whatever steps may be necessary to protect themselves,” states the lawsuit.

The lawsuit also alleges the defendants were negligent for failing to implement appropriate security measures to prevent employees from uploading sensitive data to personal accounts and criticizes them for the time taken to discover the data breach – 2 months – and for the length of time it took to issue notifications to patients – 3 months after the breach was discovered.

The lawsuit, which names Humana and Cotiviti as defendants (but not Visionary Medical Systems), alleges negligence, invasion of privacy and breach of implied contract and seeks monetary and actual damages, restitution and/or punitive damages, and a jury trial.


Settlement to Resolve Nebraska Medicine Data Breach Lawsuit Receives Preliminary Approval

In September 2020, Nebraska Medicine and the University of Nebraska Medical Center discovered their systems had been hacked and malware had been downloaded to their network, giving the hackers access to the protected health information of up to 219,000 individuals. The attack forced Nebraska Medicine to shut down its systems, causing disruption to operations.

Hackers first gained access to Nebraska Medicine’s systems on Aug 27, 2020 and had access to its systems and patient data for 24 days. Access was terminated by Nebraska Medicine on Sept. 20, 2020. During that time, the lawsuit alleged, patient data was exfiltrated by the attackers. The breach affected patients of Nebraska Medicine, Faith Regional Health Services, Great Plains Health, and Mary Lanning Healthcare.

On February 24, 2021, a class action lawsuit was filed against Nebraska Medicine in the Nebraska U.S. District Court by two patients alleging Nebraska Medicine was negligent for failing to maintain an adequate data security system to reduce the risk of cyberattacks and data breaches. The plaintiffs sought damages, restitution, and injunctive relief.

The lawsuit alleged cyber hygiene best practices had not been followed and multiple security failures had contributed to the breach. The plaintiffs alleged Nebraska Medicine had not performed security updates or applied patches for known vulnerabilities promptly, user account privileges had not been reviewed, the principle of least privilege was not followed, domain-wide admin-level service accounts were in use, and password policies had not been implemented or followed. The lawsuit also alleged Nebraska Medicine was not properly monitoring its systems for intrusions, which is why it took more than 3 weeks for the intrusion to be discovered.

As a result of those failures, patient data was not adequately protected and the hackers were able to steal a range of sensitive data including patients’ names, contact information, medical record numbers, Social Security numbers, health insurance information, and clinical information, which placed them at an elevated risk of identity theft and fraud.

Nebraska Medicine decided to settle the lawsuit and the proposed settlement has recently been given preliminary approval by a Nebraska District Court judge.

Under the terms of the settlement, all class members will be entitled to claim $300 in cash reimbursements for the time and expenses they incurred while dealing with the data breach. In addition, class members can claim up to $3,000 to cover documented “extraordinary monetary losses” most likely resulting from the data breach. Nebraska Medicine had already offered affected individuals access to complimentary credit monitoring services, with the settlement extending coverage for a further 12 months.

While the breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 219,000 individuals, the settlement covers 125,902 patients who were mailed breach notification letters, including 13,497 patients whose Social Security number and/or driver’s license number was compromised.

Nebraska Medicine has also agreed to take several steps to improve security, including enhancing its user-identity, email, and password protocols, limiting remote access to its systems and enhancing security for remote access, and strengthening its network security measures, including updating endpoint security and firewalls and improving vulnerability management practices. Nebraska Medicine will also undergo more frequent and enhanced risk assessments and will update and enhance its security operations center. Nebraska Medicine will also cover all legal costs arising from the lawsuit and settlement notices.

A final hearing of approval has been scheduled for September 15, 2021.


Michigan Man Pleads Guilty to Theft and Sale of PII of UPMC Employees

A Michigan man has pleaded guilty to hacking into University of Pittsburgh Medical Center human resources databases in 2013 and 2014 and stealing the personally identifiable information (PII) and W-2 data of 65,000 UPMC employees.

Justin Sean Johnson, 30, of Detroit, MI, was a Federal Emergency Management Agency (FEMA) IT specialist known on darknet forums as The DearthStar and Dearthy Star. Six years after hacking the databases and selling the stolen data, Johnson was indicted by a federal grand jury in Pittsburgh and was arrested and charged with conspiracy, wire fraud, and aggravated identity theft.

Johnson initially hacked the Oracle PeopleSoft HR database of UPMC in December 2013 and accessed the PII of 23,500 UPMC employees. Between January 2014 and February 2014, Johnson accessed the databases multiple times each day and exfiltrated PII. Johnson then sold the stolen data on darknet marketplaces such as AlphaBay to criminals who used the data in 2014 to file hundreds of fraudulent 1040 tax returns.

According to a Department of Justice press release, the scheme resulted in fraudulent tax refunds being paid by the IRS totalling approximately $1.7 million. The tax refunds were converted to Amazon.com gift cards that were used to purchase high value goods that were shipped to Venezuela. Johnson was paid approximately $8,000 in Bitcoin for the stolen UPMC employee data.

In addition to the theft and sale of UPMC employee PII, between 2014 and 2017 Johnson stole and sold around 90,000 sets of PII on darknet forums. That information was subsequently used to commit identity theft and bank fraud.

Johnson recently pleaded guilty to 2 counts of a 43-count indictment and now awaits sentencing. Johnson faces a maximum jail term of 5 years and a fine of up to $250,000, together with a mandatory 24 months in jail and a fine of up to $250,000 for aggravated identity theft.

“The healthcare sector has become an attractive target of cyber criminals looking to update personal information for use in fraud; the Secret Service is committed to detecting and arresting those that engage in crimes against our Nation’s critical systems for their own profit,” said U.S. Secret Service Special Agent in Charge Timothy Burke.

Three other individuals have pleaded guilty to crimes committed in relation to the scheme. Maritza Maxima Soler Nodarse from Venezuela pleaded guilty in 2017 to conspiracy to defraud the United States in relation to the filing of fraudulent tax refunds. Yoandy Perez Llanes from Cuba pleaded guilty in 2017 to purchasing Amazon.com gift cards to launder the money. Justin A. Tollefson of Spanaway, WA pleaded guilty in 2017 to the use of stolen identities to file fraudulent income tax returns.


UHS Data Breach Lawsuit Allowed to Proceed but only for Patient Whose Surgery was Cancelled

A lawsuit filed against Universal Health Services (UHS) following a 2020 data breach has been allowed to proceed; however, only for one of the patients named in the lawsuit.

UHS operates around 400 hospitals and care centers in the United States and the United Kingdom. In September 2020, UHS suffered a ransomware attack in which sensitive data was exfiltrated. The Ryuk ransomware gang threatened to release the stolen data on a leak site if the ransom was not paid, although the UHS investigation found no evidence of any data misuse.

The attack affected all 400 UHS care sites and caused significant disruption, with IT systems finally being brought back online a month after the attack. UHS was forced to postpone some scheduled appointments as a result of the attack.

A lawsuit was filed in the U.S. District Court, Eastern District of Pennsylvania by the law firm Morgan & Morgan naming three patients as plaintiffs – Graham v. Universal Health Service Inc. The lawsuit alleged negligence, breach of implied contract, breach of fiduciary duty, and breach of confidence. Two of the plaintiffs sought damages for the exposure of sensitive data, which they claimed placed them at an increased risk of identity theft and fraud.

As is often the case in data breach lawsuits, the claims of two of the plaintiffs – Barry Graham and Angela Morgan – were deemed too speculative: an increased risk of identity theft and fraud was not sufficient for standing, as it did not constitute harm. The plaintiffs were unable to provide evidence to support their claim, with U.S. District Judge Gerald McHugh noting that in cases of data theft in ransomware attacks, the theft of data is “generally the means to an end: extorting payment,” and that the courts could only speculate as to whether the stolen data was in a form that would allow the attackers to make unauthorized transactions in the names of the plaintiffs and whether they would actually be intended targets in future criminal acts by the hackers.

The claim of the third plaintiff, Stephen Motkowicz, was determined to be sufficient to survive the motion to dismiss. Motkowicz had an appointment for a surgical procedure postponed as a result of the attack. Motkowicz required surgery to treat a medical condition and, as a result of the delay, was forced to take further time off work and ultimately lost his health insurance through his employer and was forced to purchase an insurance policy at a higher price.

“Plaintiff’s injury is not speculative, as his financial expenditures allegedly occurred in response to the data breach and the corresponding cancellation of his surgery,” said Judge McHugh. While his claim was sufficient to survive the motion to dismiss, Judge McHugh said the theory of causation provided a significant challenge, which would have to be evaluated through further discovery to determine if it was sufficient to have standing.


Pennsylvania Department of Health and Insight Global Sued over 72,000-Record Data Breach

The Pennsylvania Department of Health and its COVID-19 contact tracing vendor are being sued over a breach of the personal and health data of 72,000 Pennsylvanians.

The breach in question was announced by Insight Global and the Department of Health on April 29, 2021. Insight Global, an IT service management and staffing firm, had been awarded the contract for the state’s contact tracing program and had been given access to personal and health data to provide those services.

The information was used to contact individuals potentially exposed to COVID-19 to identify and address the need for specific support services and to help slow the spread of COVID-19. Insight Global had implemented secure communication channels for its contact tracers and had security protocols in place, but it was discovered that some employees had “disregarded security protocols established in the contract and created unauthorized documents.” Those documents, including spreadsheets, had been shared between contact tracers using personal email accounts and consumer versions of cloud services such as Google Sheets, which lacked appropriate security controls. That meant sensitive information was transferred to servers outside the state’s secure data system.

Individuals whose personal information was exposed had been contacted for the purpose of contact tracing between September 2020 and April 21, 2020. The exposed data included names, emails, phone numbers, ages, genders, COVID-19 diagnoses, and individuals’ exposure status. The Department of Health has confirmed that the contract with Insight Global expires at the end of July and will not be renewed.

The Department of Health is alleged to have been aware of the breach several months before any notification was issued. State Rep. Jason Ortitay said he was made aware of the breach on April 1, 2021 and contacted the state governor to voice concerns. The governor confirmed that the matter had been raised several months previously and the claims were found to be invalid.

Now a lawsuit has been filed in federal court against the Department of Health and Insight Global. The lawsuit alleges the 72,000 individuals whose information was exposed are now at risk of identity theft, fraud, and credit problems due to the exposure of their personal data.

The lead plaintiff, Lisa Chapman from New Kensington, initiated the legal action after discovering her information had been exposed. The lawsuit alleges both the Department of Health and Insight Global were negligent for failing to implement appropriate cybersecurity procedures and did not follow industry standards for protecting the private health information of individuals. The lawsuit alleges the state Department of Health was made aware of the breach as early as November 2020 yet did not take action over the breach until April and failed to notify individuals impacted by the breach until April 29, 2021.

The lawsuit alleges documents were put in the public domain where they could have been accessed by anyone. “These documents were widely available to the public through a Google search and did not require a password, log in, or any kind of authentication in order to be viewed,” according to the lawsuit. “Insight was aware that its employees were using unsecured data storage and communications methods as early as November 2020.”

The lawsuit seeks class action status, a jury trial, equitable relief, payment of credit monitoring and identity theft protection services for several years, reimbursement of legal costs, and for the Department of Health and Insight Global to implement appropriate security measures.

While information was transferred to unsecured services where it could potentially have been accessed by unauthorized individuals, the Department of Health and Insight Global are not aware of any cases of actual or attempted misuse of any personal and health information.
