Clinical Test Data of 2.5 Million Individuals Stolen in Enzo-Biochem Ransomware Attack

Posted by Steve Alder

The Farmingdale, NY-based biotech and diagnostics company, Enzo Biochem, has recently confirmed in an 8-K filing with the Securities and Exchange Commission that the clinical test information of 2.470,000 patients was compromised in an April 6, 2023, ransomware attack. Enzo Biochem said prompt action was taken to contain the attack when the breach was detected, and while the incident caused disruption to business operations, all of its facilities continued to provide services to patients and partners.

Enzo Biochem provides treatments for cancer, metabolic, and infectious diseases as well as testing services for a variety of transmissible diseases such as COVID-19 and STDs. On April 11, 2023, Enzo Biochem determined that data related to the provision of those services was accessed, and in some cases exfiltrated, from its systems. The stolen data included names, test information, and for approximately 600,000 individuals, Social Security numbers.  Enzo Biochem is still investigating to determine if employee information was also compromised.

Enzo Biochem said it has incurred and may continue to incur expenses related to the incident and is in the process of evaluating the full financial impact of the ransomware attack. Enzo Biochem has confirmed that affected individuals will be notified by mail if their information has been deleted and the incident will be reported to appropriate regulatory authorities.

Medford Radiology Group Investigating Memorial Day Weekend Cyberattack

Medford Radiology Group in Oregon is recovering from a cyberattack that occurred over the Memorial Day weekend. The attack occurred in the early hours of Friday morning and prevented access to medical images. The attack is still being investigated to determine the nature and scope of the breach and the extent to which patient data may have been compromised.  Medford Radiology Group said this was a “significant cybersecurity incident.

Third-party cybersecurity experts are investigating the breach and are assisting with the response and all available resources are being used to ensure radiology services and patient care continues to be provided. While the investigation is still in the early stages, Medford Radiology believes the incident was limited to its internal systems and its outside partners have not been affected.

The post Clinical Test Data of 2.5 Million Individuals Stolen in Enzo-Biochem Ransomware Attack appeared first on HIPAA Journal.

Amazon & FTC Agree $25 Million Settlement to Resolve Alleged FTC Act and COPPA Violations

Posted by Steve Alder

The Federal Trade Commission (FTC) has agreed to settle a complaint against Amazon that alleged violations of the FTC Act, the Children’s Online Privacy Protection Act (COPPA), and the FTC’s Children’s Online Privacy Protection Rule with respect to its Alexa voice assistant products. According to the complaint, the retail giant misrepresented that it would delete voice transcripts and geolocation information of users upon request, limit employee access to Alexa users’ voice assistant data, and delete the personal information of children as requested by their parents. The FTC also alleged Alazon was retaining the personal information of children for longer than was reasonably necessary to satisfy the purpose for which the information was collected.

According to the FTC complaint, the default settings of the Alexa voice assistant stored voice recordings and transcripts indefinitely, including those of children, even when profiles were no longer used and had been inactive for years. Prior to the middle of 2019, Amazon claimed it would delete written transcriptions of interactions between children and Alexa in response to deletion requests by parents yet failed to do so, and for 13 months until September 2019, Amazon is alleged to have made Alexa recordings available to 30,000 employees, even though around half of those employees did not require access to the recordings for any business purpose. In addition, from January 2018 to early 2022, the geolocation data of Alexa app users in secondary locations was retained and was not deleted per data deletion requests.

Amazon did not agree with the FTC’s claims and maintains it has very strong privacy protections in place; however, chose to settle the complaint with the FTC with no admission of wrongdoing. The settlement, which has yet to be approved by a federal judge, will see Amazon pay a financial penalty of $25 million to resolve the complaint and implement a number of measures to ensure the privacy of children and other Alexa users.

Those measures include a commitment to delete the personal information of children when child profiles have been inactive for 90 days unless a request is received from the child’s parent or legal guardian to retain that information, or if the account becomes active again within that 90-day period. Amazon will ensure that when data deletion requests are received, all geolocation information and voice information will be fully deleted from the Alexa App, that all personal information collected from a child will be deleted in response to a request from the child’s parent, and that after processing the deletion of geolocation information, voice information and children’s personal information from the app will not subsequently be used for the creation or improvement of any data product.

Amazon is also required to clearly and conspicuously notify users about why geolocation information is collected and used, inform them about how they can request their data be deleted, and Amazon must establish, implement, and maintain a privacy program to protect the privacy of Alexa App geolocation information. The order also prohibits Amazon from making misrepresentations about the privacy of geolocation and voice information.

The post Amazon & FTC Agree $25 Million Settlement to Resolve Alleged FTC Act and COPPA Violations appeared first on HIPAA Journal.