BleepingComputer has confirmed the rumor that Oracle has suffered a compromise affecting its legacy environment, including the compromise of old customer credentials (originally denied by Oracle). Oracle notified some affected clients that old legacy data from Oracle Classic (last used in 2017) was involved in the incident. BleepingComputer has reportedly had direct contact with the threat actor, which has “shared data with BleepingComputer from the end of 2024” and posted newer records from 2025 on a hacking forum.

The incident was discovered in late February. According to BleepingComputer, “the attacker allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.” The threat actor offered over six million data records for sale on BreachForums on March 20, 2025, alleging the data originated from the Oracle incident.

On April 16, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released guidance on the “potential legacy Oracle Cloud compromise.” The guidance confirms that the incident’s scope and impact are uncertain but provides information about the risks associated with compromised credentials.

The Alert states:

The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risks to enterprise environments. Threat actors routinely harvest and weaponize such credentials to:

  • Escalate privileges and move laterally within networks.
  • Access cloud and identity management systems.
  • Conduct phishing, credential-based, or business email compromise (BEC) campaigns. 
  • Resell or exchange access to stolen credentials on criminal marketplaces.
  • Enrich stolen data with prior breach information for resale and/or targeted intrusion.

The Alert provides recommendations to organizations “to reduce the risks associated with potential credential compromise.” The recommendations are solid for any credential compromise but particularly relevant to Oracle customers. 

We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from alleged breach of contract between two companies. This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its HIPAA Security Rule and indemnification obligations under the HIPAA Business Associate Agreement (BAA) between the parties.

Complaint Background

According to the complaint, the laboratory – Molecular Testing Labs (MTL) – is a Covered Entity under HIPAA, and Ntirety is its Business Associate. Reportedly, the parties entered into a BAA in September 2018. The BAA’s intent was to “ensure that [Ntirety] will establish and implement appropriate safeguards” for protected health information (PHI) it handles in connection to the functions it performs on behalf of MTL. The complaint points to various provisions of the BAA related to Ntirety’s obligations, including complying with the HIPAA Security Rule. According to MTL, the BAA also includes an indemnification provision that requires Ntirety to indemnify, defend, and hold harmless MTL against losses and expenses due to a breach caused by Ntirety’s negligence.

Alleged HIPAA Violations

MTL asserts that around March 12, 2025, it received information about a material data breach involving data “that was required to have been secured by Ntirety under the BAA.” The complaint is unclear about how or from whom MTL received that information.

The complaint asserts that MTL’s forensic investigation determined that Ntirety had faced a ransomware attack, potentially from Russian threat actors, and that Ntirety had “significant deficiencies, shortcomings, and omissions” in its procedures and practices that enabled the threat actors to access Ntirety’s computer systems and MTL’s confidential information.

In addition, MTL alleges that “Ntirety failed to provide material support to MTL for weeks” and that the support offered was conducted “slowly and incompetently.” Allegedly, Ntirety informed MTL that it would charge MTL for such efforts. MTL argues that under its BAA obligations, Ntirety was required to support MTL in its efforts to respond to and mitigate the security incident’s harmful effects.

Alleged Breach of Contract – Indemnification Demand

MTL also asserts that it has incurred or expects to incur various damages related to “remediation efforts, HIPAA notification requirements, possible legal and regulatory actions, and direct and indirect harm to MTL’s business.” Specifically, MTL claims it has already incurred damages related to the forensic investigation and anticipates further damages associated with fulfilling HIPAA PHI breach notifications and providing credit monitoring services. MTL also expects to suffer harm to its business as a result of the breach and to be subject to lawsuits and regulatory action.

Reportedly, on March 25, 2025, and April 3, 2025, MTL sent formal demands to Ntirety for indemnification under the BAA for losses incurred as a result of the breach, but Ntirety “has provided no substantive response to MTL’s indemnification demands.”

Lessons Learned

After discovering a breach, companies have numerous obligations, such as determining whether data has been corrupted, containing the incident, conducting a forensic investigation, and identifying individuals whose data may have been involved. It can often take weeks or even months to understand the scope and extent of a breach, but companies should also promptly assess their contractual obligations post-breach. Whether in a BAA or another service agreement, companies may be required to let their vendors and other partners know about an incident.

In addition, companies should consider whether to communicate about the incident at a high level to their vendors and partners, even absent contractual requirements, particularly if news about the incident has already leaked. The risk of such communications includes potentially providing premature information that is likely to change as the forensic investigation unfolds. On the flip side, partners might appreciate the transparency and direct acknowledgment. There can be many legal and regulatory consequences of a data breach, but with adherence to contractual obligations and appropriate communication, a breach of contract claim doesn’t have to be one of them.

The Office for Civil Rights (OCR) announced on April 10, 2025, that it has settled alleged HIPAA Security Rule violations with Northeast Radiology for $350,000.

The investigation followed a breach report by Northeast Radiology to OCR in March 2020 after unauthorized individuals accessed radiology images stored on PACS servers. Northeast Radiology notified 298,532 patients of the breach. The OCR alleges that, during the investigation, Northeast Radiology “failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.”

Northeast Radiology agreed to enter into a resolution agreement with OCR that included a settlement payment of $350,000 and a supervised corrective action plan for two years.

Video game developer Ubisoft, Inc. came out on top earlier this month in the Northern District of California when a judge dismissed, with prejudice, a class action claiming that the company’s use of third-party website pixels violated privacy laws. The judge concluded that the “issue of consent defeat[ed] all of Plaintiffs’ claims.” Lakes v. Ubisoft, Inc., No. 24-cv-06943, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).

The plaintiffs alleged that Ubisoft collected and disclosed plaintiffs’ personal information and website usage without their consent through website pixels. Ubisoft moved to dismiss the claims based on the fact that the plaintiffs’ claims relied on the lack of consent but that plaintiffs had “consented to the use of cookies and pixels . . . at least three times during the purchase process” when plaintiffs (1) “interacted with the Cookies Banner” when visiting the website; (2) created accounts on the website, which required the plaintiffs to “accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy”; and (3) “made purchases” at which point Ubisoft’s terms and Privacy Policy were displayed again.

The court took judicial notice of Ubisoft’s Privacy Policy, cookie pop-up, and cookie settings and held that the plaintiffs’ consent defeated their claims:

  • Federal Wiretap Act: The federal Wiretap Act allows for the interception of communications where “one of the parties to the communication has given prior consent to such interception,” and the interception is not “for the purpose of committing any criminal or tortious act.” The court determined that the plaintiffs provided consent and that the crime-tort exception to consent did not apply.
  • California Invasion of Privacy Act, California Constitution, and Common-Law Invasion of Privacy: The court held that the plaintiffs’ consent was a “defense to all three claims” under CIPA, the California Constitution, and California common law invasion of privacy.
  • Video Privacy Protection Act: The court determined that Ubisoft’s disclosures in its Privacy Policy, terms, and on its website through banners and pop-ups satisfied each element of the VPPA’s consent provision. 

The plaintiffs sought a request for leave to amend, but the court denied the request, concluding that any amendment would be “futile” because plaintiffs could not “amend their complaint to overcome the issue of consent.” 

A key takeaway for companies to consider is to revamp your website Privacy Policy disclosures, confirm that your website’s cookie preferences and banner are visible and user-friendly, and clearly articulate the use of third-party trackers and the data disclosed to your website users.

In a big win for businesses, a California federal court just held that a “tester” plaintiff—someone who visits websites to initiate litigation—cannot bring a claim under the California Invasion of Privacy Act (CIPA). Rodriguez v. Autotrader.com, Inc., No. 2:24-cv-08735, 2025 WL 65409 (C.D. Cal. 1.8.25). Tester plaintiffs have started to focus on consumer protection statutes in hopes of broadening CIPA’s application to include internet communications, which would provide them a treasure trove of potential targets. However, the recent decision in Rodriguez provides a defense for businesses facing lawsuits by tester plaintiffs and bolsters another unrelated defense: setting privacy expectations with consumers.

I previously wrote about CIPA claims and the uptick in litigation claiming wiretap violations based on a website’s use of trackers.

Here, the plaintiff alleged violations of CIPA by Autotrader.com for its:

  • Operation of a pen register on its website using tracking technology that could collect a user’s IP address
  • Disclosure of website search terms to third parties (akin to illegal wiretapping)

The court dismissed these claims, stating that a tester plaintiff who “actively seeks out privacy violations” does not expect privacy. Because a tester plaintiff in a CIPA case visits the website and intentionally enters information into the website expecting their information to be “accessed, recorded, and disclosed,” the individual cannot claim an injury. The tester essentially expects the injury to occur.

What should your business do as a result of this decision? Be prepared, and consider the following:

  • Review your website and its Privacy Policy and Terms of Use.
    • Evaluate the types of tracking tools your website uses and their necessity/value (e.g., pixels, web beacons, cookies, etc.). Often, businesses discover that the website cookies and pixels are actually just left over from past initiatives or that certain cookies were installed but never used.
    • Consider using a scanning tool and analyze the scan results to learn what tracking technologies your website uses.
  • Determine what third parties do with the data collected via your website tracking tools.
  • Include appropriate disclosures in your Privacy Policy and cookie banner/preferences (e.g., to whom the data is disclosed, how the data is used, and a hyperlink to the Privacy Policy in the cookie banner).
    • For example, cookie banners should state that data is disclosed to third parties for targeted ad purposes, if that is the case, instead of only stating that the website uses cookies to improve user experience.
  • Provide an opt-out option (and symmetry of choice).
    • While opt-in consent is not required by applicable consumer privacy laws (such as the California Consumer Privacy Act as amended by the California Privacy Rights Act), allowing users to make informed choices about website tracking could prevent CIPA claims against your business.
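The “scanning tool” step above can be started with a very small inventory script. The following is an added illustration, not code from the original post or from any vendor tool: it parses a page’s HTML and lists every third-party script, link, image beacon, and inline tag call that matches a short table of well-known tag hosts. The tracker-host table, the inline call markers, the `shop.example.com` first-party host, and the sample HTML are all constructed for the example; a real review would extend the table and run the scan against the rendered page rather than static HTML.

```python
"""Inventory third-party tracking tags in a page's HTML.

Added example for the website-review checklist; not the post's own code.
KNOWN_TRACKER_HOSTS and INLINE_MARKERS are a constructed, non-exhaustive
sample of tag hosts and in-page call names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: hostname -> vendor label. Extend for your own review.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
}

# Inline-script call names that show a tag was initialised in-page.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google Tag", "ttq.": "TikTok Pixel"}


class TrackerScanner(HTMLParser):
    """Collects (vendor, where, evidence) tuples for third-party tags."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _is_first_party(self, host):
        return host == self.first_party_host or host.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
        # <script src>, <img src>, <iframe src> and <link href> all load remote resources.
        url = attrs.get("src") or (attrs.get("href") if tag == "link" else None)
        if not url:
            return
        host = urlparse(url).hostname or ""
        if not host or self._is_first_party(host):
            return
        vendor = KNOWN_TRACKER_HOSTS.get(host)
        if vendor:
            self.findings.append((vendor, tag, url))
        elif tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            # Unlisted host serving a 1x1 image: classic beacon, worth a manual look.
            self.findings.append(("unknown 1x1 beacon", tag, url))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            for marker, vendor in INLINE_MARKERS.items():
                if marker in body:
                    self.findings.append((vendor, "inline script", marker))


def scan_html(html, first_party_host):
    """Return the list of third-party tag findings for one page."""
    scanner = TrackerScanner(first_party_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one GA4 snippet, a Meta Pixel preconnect and beacon,
# an unlisted 1x1 beacon, and first-party assets that must not be reported.
SAMPLE_HTML = """
<html><head>
<link rel="preconnect" href="https://connect.facebook.net">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
</script>
<script src="https://shop.example.com/static/app.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=123" width="1" height="1" />
<img src="https://cdn.example-partner.net/p.gif" width="1" height="1" />
<img src="https://shop.example.com/logo.png" />
</body></html>
"""

if __name__ == "__main__":
    for vendor, where, evidence in scan_html(SAMPLE_HTML, "shop.example.com"):
        print(f"{vendor:28s} {where:14s} {evidence}")
```

Each line of output is one item to reconcile against the Privacy Policy and cookie banner: a vendor that appears in the scan but not in the disclosures is exactly the gap the checklist is meant to surface.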

SentinelOne researchers have discovered AkiraBot, a tool that uses generative AI to target small- to medium-sized company websites by drafting outreach messages for website chats, comments, and contact forms. SentinelOne estimates that over 400,000 websites have been targeted, and the bot has successfully spammed “at least 80,000 websites since September 2024.”

The bot generated custom outreach messages to targets using OpenAI’s large language models (LLM) based on the purpose of the website and bypassed spam filters and CAPTCHA barriers to spam websites. OpenAI has since disabled the API key and other assets used in the campaign.

The SentinelOne researchers posited that “AkiraBot’s use of LLM-generated spam message content demonstrates the emerging challenges that AI poses to defending websites against spam attacks.”

As threat actors continue to evade detection, their generative AI usage will pose an ever-increasing challenge for protecting websites and filtering spam from email accounts.

I have been getting a lot of texts that are clearly scams, and those around me have confirmed an increase in spammy texts.

According to an FTC Consumer Protection Data Spotlight, individuals lost over $470 million to text scams. The top text scams of 2024, which together accounted for half of the $470 million consumers lost to fake texts, were:

  1. Fake package delivery problems;
  2. Phony job opportunities;
  3. Fake fraud alerts;
  4. Bogus notices about unpaid tolls; and
  5. “Wrong number” texts that aren’t.

According to the FTC, actionable ways to help stop text scams include:

  • Forwarding messages to 7726 (SPAM). This helps your wireless provider spot and block similar messages.
  • Reporting it on either the Apple iMessages app for iPhone users or Google Messages app for Android users.
  • Reporting it to the FTC at ReportFraud.ftc.gov.

How can you avoid text scams?

Never click on links or respond to unexpected texts. If you think it might be legit, contact the company using a phone number or website you know is legitimate. Don’t use the information in the text message. Filter unwanted texts before they reach you.

Remember that texts are just like emails and can be used for smishing instead of phishing. Treat them the same—with a healthy bout of caution and vigilance to avoid being victimized.

WhatsApp users should update the application for vulnerability CVE-2025-30401, which Meta recently patched in WhatsApp for Windows version 2.2450.6.

Meta cautions Windows users to update to the latest version due to the vulnerability that it is calling a “spoofing” issue that could allow attackers to execute malicious code on devices. The attackers exploit the vulnerability by sending maliciously crafted files with altered file types to users that “cause the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.”

If you haven’t updated your WhatsApp application, now’s the time.
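The attachment described above is a file whose presented type does not match what it actually is. A client or gateway can refuse to hand such a file to an opener by requiring that the filename extension, the declared MIME type, and the content signature (magic bytes) all agree. The following is an added example of that check; it is not WhatsApp’s code and does not reproduce the patched bug. The signature table, the extension table, and the sample attachments are constructed for the example.

```python
"""Refuse an attachment whose extension, declared MIME type and content disagree.

Added example for the file-type spoofing class described above; not Meta's or
WhatsApp's code. MAGIC and EXT_TO_TYPE are a small constructed sample.
"""
import os

# Constructed sample of content signatures (magic bytes) -> canonical type.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-msdownload"),  # Windows PE executable
    (b"PK\x03\x04", "application/zip"),    # also the docx/xlsx/jar container
]

# Constructed sample of the extension -> type mapping an opener would rely on.
EXT_TO_TYPE = {
    ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".pdf": "application/pdf", ".zip": "application/zip",
    ".exe": "application/x-msdownload",
}

EXECUTABLE_TYPES = {"application/x-msdownload"}


def sniff_type(data: bytes):
    """Return the canonical type for the leading bytes, or None if unrecognised."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    return None


def check_attachment(filename: str, declared_mime: str, data: bytes) -> dict:
    """Deny-by-default: ok only when extension, declared type and content agree."""
    ext = os.path.splitext(filename)[1].lower()
    ext_type = EXT_TO_TYPE.get(ext)
    content_type = sniff_type(data)
    reasons = []
    if ext_type is None:
        reasons.append(f"unknown or missing extension {ext!r}")
    if content_type is None:
        reasons.append("content signature not recognised")
    if ext_type and declared_mime != ext_type:
        reasons.append(f"declared type {declared_mime} != extension type {ext_type}")
    if content_type and ext_type and content_type != ext_type:
        reasons.append(f"content type {content_type} != extension type {ext_type}")
    if content_type in EXECUTABLE_TYPES:
        reasons.append("content is an executable")
    return {
        "ok": not reasons,
        "extension_type": ext_type,
        "content_type": content_type,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed attachments: a genuine JPEG, a PE image renamed as a JPEG,
    # and a real PDF whose declared type was altered to image/png.
    samples = [
        ("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("holiday.jpg", "image/jpeg", b"MZ\x90\x00\x03\x00"),
        ("report.pdf", "image/png", b"%PDF-1.7\n"),
    ]
    for name, declared, payload in samples:
        verdict = check_attachment(name, declared, payload)
        print(name, declared, "OK" if verdict["ok"] else "BLOCK", verdict["reasons"])
```

The design point is that the opener must be chosen from one consistent answer: when the three signals disagree, the safe behaviour is to show the content as an inert preview or block it, never to pick the handler from whichever signal happens to be most convenient.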

On March 31, 2025, President Trump signed an executive order (EO 14254) titled “Combating Unfair Practices in the Live Entertainment Market.” EO 14254 directs the Federal Trade Commission (FTC) to, amongst other provisions, rigorously enforce the Better Online Ticket Sales Act (BOTS Act or the Act) and address unfair ticket scalping practices.

Overview of the BOTS Act

Enacted in 2016, the BOTS Act aims to prevent ticket brokers from buying large numbers of event tickets and reselling them at inflated prices. The Act applies to tickets for public concerts, theater performances, sporting events, and similar activities at venues that seat over 200 and prohibits an entity from circumventing access controls or security measures used by online ticket sellers (such as Ticketmaster) to enforce ticket-purchasing limits. It also prevents the resale of tickets obtained by knowingly circumventing access controls. Violations of the Act are considered violations of Section 5 of the FTC Act, which prohibits unfair or deceptive practices. Violators are subject to fines of up to $53,088 per violation.

Under the Act, the circumvention of access controls or security measures is construed broadly and applies to automated ticket bots and certain human actions. A ticket bot is a software program designed to rapidly purchase large quantities of tickets the moment they become available. Scalper bots specifically automate tasks like filling out forms, refreshing web pages, and completing the checkout process. Since scalper bots can complete the checkout process much faster than human users, they can buy thousands of limited-edition tickets as soon as they go on sale. Scalped tickets are then resold for higher profit because they are no longer available from the original ticket seller – this practice is known as ticket scalping.

Sellers often set limits on the number of tickets each buyer can purchase. Bots can bypass this limit by rapidly purchasing tickets across multiple accounts or using fake online profiles and IP addresses. Bots may bypass CAPTCHA and other security measures or manage multiple browser sessions at once to purchase large volumes of tickets simultaneously. These tactics may run afoul of the BOTS Act if the seller has access controls or security measures to prevent such activity. The BOTS Act is not limited to bot activity, though. A person who buys tickets by creating multiple accounts or using proxies and VPNs to disguise their IP address may also be circumventing a seller’s security measures, which may also violate the Act.
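A per-account limit is only an “access control” in practice if the seller also looks for the bypass patterns described above. The following is an added example of that detection, not code from the post or from any ticket seller: it totals tickets per event not only by account but also by source address and payment instrument, and flags addresses that served many accounts. The limit of 4, the account-per-address threshold, and the checkout log lines are constructed for the example.

```python
"""Flag checkout clusters that exceed a per-buyer ticket limit once purchases
are grouped by shared IP address or payment instrument rather than by account.

Added example for the limit-bypass tactics described above; the policy values
and SAMPLE_LOG are constructed, not from any real seller.
"""
from collections import defaultdict
from datetime import datetime

PER_BUYER_LIMIT = 4       # assumed seller policy: at most 4 tickets per buyer
MIN_ACCOUNTS_PER_IP = 3   # assumed threshold for "many accounts, one address"

# Constructed checkout log: timestamp event account ip card_fingerprint quantity
SAMPLE_LOG = """\
2025-04-01T10:00:01Z evt42 alice@example.com 198.51.100.7 card_a1 2
2025-04-01T10:00:02Z evt42 u1@mail.example 203.0.113.9 card_z9 4
2025-04-01T10:00:02Z evt42 u2@mail.example 203.0.113.9 card_z9 4
2025-04-01T10:00:03Z evt42 u3@mail.example 203.0.113.9 card_z9 4
2025-04-01T10:00:03Z evt42 u4@mail.example 203.0.113.9 card_q2 4
2025-04-01T10:05:10Z evt42 bob@example.com 192.0.2.44 card_b7 3
"""


def parse_log(text):
    """Parse the whitespace-separated checkout records into dicts."""
    rows = []
    for line in text.splitlines():
        ts, event, account, ip, card, qty = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "account": account, "ip": ip,
            "card": card, "qty": int(qty),
        })
    return rows


def find_limit_bypass(rows, limit=PER_BUYER_LIMIT, min_accounts=MIN_ACCOUNTS_PER_IP):
    """Return alerts for (a) any account, IP or card whose ticket total for one
    event exceeds the limit and (b) any IP used by many accounts for one event."""
    totals = defaultdict(int)          # (event, key_name, key_value) -> tickets
    accounts_by_ip = defaultdict(set)  # (event, ip) -> distinct accounts
    for r in rows:
        for key in ("account", "ip", "card"):
            totals[(r["event"], key, r[key])] += r["qty"]
        accounts_by_ip[(r["event"], r["ip"])].add(r["account"])

    alerts = []
    for (event, key, value), qty in sorted(totals.items()):
        if qty > limit:
            alerts.append({"event": event, "key": key, "value": value,
                           "reason": f"{qty} tickets via one {key} exceeds limit {limit}"})
    for (event, ip), accounts in sorted(accounts_by_ip.items()):
        if len(accounts) >= min_accounts:
            alerts.append({"event": event, "key": "ip", "value": ip,
                           "reason": f"{len(accounts)} accounts checked out from one address"})
    return alerts


if __name__ == "__main__":
    for alert in find_limit_bypass(parse_log(SAMPLE_LOG)):
        print(alert["event"], alert["key"], alert["value"], "-", alert["reason"])
```

In the sample, every individual account stays within the limit, so an account-only check passes; the same purchases grouped by address (16 tickets, four accounts) and by card (12 tickets) are what surface the pattern. Real deployments would add a time window and device fingerprint, but the grouping idea is the same.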

Enforcement Action Under the BOTS Act

In January 2021, the FTC filed complaints against three ticket brokers for allegedly using bots to buy tens of thousands of event tickets and then resell them at inflated prices. The FTC alleged that the defendants violated the Act in multiple ways, including using bots to search for and automatically reserve tickets, using software to conceal their IP addresses, and using bots to bypass CAPTCHA security measures. The complaint also alleged that the defendants had created hundreds of Ticketmaster accounts in the names of friends, family, and fictitious individuals and used hundreds of credit cards to bypass ticket limits. In total, the brokers were subject to a judgment of over $31 million, but due to their inability to pay, they were ultimately liable for $3.7 million in civil penalties.

The BOTS Act also empowers state attorneys general to enforce the Act if they determine that their states’ residents have been threatened or adversely affected by violations of the Act. Though there has been little notable state enforcement action to date, senators from both political parties have introduced bills to enable stronger enforcement of the Act. For instance, in May 2024, the Democratic governor of Arizona, Katie Hobbs, signed into law a state bill often referred to as the “Taylor Swift bill,” which authorizes the state’s attorney general to investigate unlawful uses of bots to purchase multiple event tickets or circumvent waiting periods and presale codes.

Looking Forward

The executive order instructs the FTC to “rigorously enforce” the BOTS Act and to provide state attorneys general and consumer protection officers with information and evidence to further this directive. The EO also directs the FTC to take additional actions, such as proposing regulations and enforcing against unfair methods of competition and unfair or deceptive acts and practices.

EO 14254 follows on the heels of a December 2024 FTC Rule – the Junk Fees Rule – banning junk ticket and hotel fees, which goes into effect on May 10, 2025. Under the Junk Fees Rule, businesses must clearly and conspicuously disclose the total price, including all mandatory fees, whenever they offer, display, or advertise any price of live-event tickets or short-term lodging. According to the FTC, the Junk Fees Rule enables the agency to “rigorously pursue” bait-and-switch pricing tactics, such as drip pricing and misleading fees.

On April 8, 2025, following the release of EO 14254, two members of Congress, Diana Harshbarger (R-TN) and Troy Carter (D-LA), co-sponsored a bill in the House titled the “Mitigating Automated Internet Networks for [MAIN] Event Ticketing Act.” This bill is a companion bill to the one initially introduced in the Senate by Marsha Blackburn (R-TN) and Ben Ray Luján (D-NM). The bill would create reporting requirements for online ticket sellers to report successful bot attacks to the FTC. The proposed legislation would also create a complaint database for consumers to share their experiences with the FTC, which would, in turn, be required to share the information with state attorneys general. According to Congresswoman Harshbarger’s press release, the legislation aims to build on the BOTS Act and codify EO 14254. There is strong bipartisan support for live-event industry regulation. In light of EO 14254, the FTC’s Junk Fees Rule, and the introduction of the MAIN Event Ticketing Act, it is safe to say that both state and federal authorities are focused on regulating the live entertainment industry, particularly in the ticket sale context. BOTS Act enforcement may increase in the coming years, and ticket scalpers should beware.

Yahoo’s ConnectID is a cookieless identity solution that allows advertisers and publishers to personalize, measure, and perform ad campaigns by leveraging first-party data and 1-to-1 consumer relationships. ConnectID uses consumer email addresses (instead of third-party tracking cookies) to produce and monetize consumer data. A lawsuit filed in the U.S. District Court for the Southern District of New York says that this use and monetization is occurring without consumer consent. The complaint alleges that ConnectID allows user-level tracking across websites by utilizing the individual’s email address—i.e., ConnectID tracks the users via their email addresses without consent. The complaint further alleges that this tracking allows Yahoo to create consumer profiles with its “existing analytics, advertising, and AI products” and to collect user information even if a user isn’t a subscriber to a Yahoo product.

The complaint states, “Yahoo openly tells publishers that they need not concern themselves with obtaining user consent because it already provides ‘multiple mechanisms’ for users to manage their privacy choices. This is misleading at best.” Further, the complaint alleges that Yahoo’s Privacy Policy “makes no mention of sharing directly identifiable email addresses and, in fact, represents that email addresses will not be shared.”

The named plaintiff seeks to certify a nationwide class of all individuals with a ConnectID and whose web communications have been intercepted by Yahoo. The plaintiff asserts this class will be “well over a million individuals.” The complaint seeks relief under the New York unfair and deceptive business practices law, the California Invasion of Privacy Act, and the Federal Computer Data Access and Fraud Act.

These “wiretap” violation lawsuits are popping up all across the country. The lawsuits allege violations of state and federal wiretap statutes, often focusing on website technologies like session replay, chatbots, and pixel tracking, arguing that these trackers (and here, the tracking of email addresses) allow for unauthorized interception of communications. For more information on these predatory lawsuits, check out our recent blog post, here.

The lawsuit seeks statutory, actual, compensatory, punitive, nominal, and other damages, as well as restitution, disgorgement, injunctive relief, and attorneys’ fees. Now is the time to assess your website and the tracking technologies it uses to avoid these types of claims.