On June 4, 2018, Connecticut Governor Dannel P. Malloy signed into law Public Act No. 18-90 “An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies” (P.A. 18-90). This bill makes several revisions to Connecticut laws concerning identity theft, most notably by newly prohibiting credit
Data Breach
Paper Records Still Problematic for Health Care Providers
Data breaches continue to be an issue for health care providers, as indicated when looking at breaches reported to the Office for Civil Rights (OCR), as required by HIPAA. In the first three months of 2018, there were 77 breaches of protected health information (PHI) reported to OCR, which included more than one million patient…
Former Employee of SunTrust Lifts 1.5 million Customers’ Information
SunTrust Banks Inc. (SunTrust) recently notified 1.5 million customers that information, including their names, addresses, telephone numbers, and account balances, was taken by a former employee.
Curiously, although SunTrust indicated that no customer Social Security numbers or driver’s license information were included in the information lifted by the former employee, it is offering free identity…
Blue Shield of California Notifies Insureds of Disclosure of PHI to Insurance Broker
According to a notification letter sent to an unknown number of patients, Blue Shield of California (Blue Shield), “shared” the protected health information of members with an insurance broker who was not supposed to receive it. Apparently a Blue Shield employee sent the information via an email to the broker during the 2018 Medicare Annual…
Busy Data Breach Week
Unfortunately, it was another busy data breach week. Here’s a summary of the major ones.
Delta Airlines admitted in a statement that the payment card data of several hundred thousand customers might have been compromised by malware between September 26 and October 12, 2017, through a third-party vendor ([24]7.ai that provides online chat services to…
South Dakota Beats Alabama in Passage of Data Breach Notification Law
We previously noted last month that only two states had not enacted a data breach notification law to date—South Dakota and Alabama [see related post].
South Dakota passed the finish line right before Alabama, but both states have now joined the rest of the nation in enacting data breach notification laws for their citizens. …
Improper Data Sharing With Cambridge Analytica May Affect 87 Million Facebook Users
Facebook reports that the personal data of 87 million Facebook users, mostly located in the United States, “may have been improperly shared” with British data analytics firm Cambridge Analytica. Previous estimates put the possible scope of improper sharing at about 50 million users. The increased number was calculated by Facebook by totaling the friends of…
Oregon Strengthens Data Breach Reporting Law
Oregon Governor Kate Brown recently signed a new data breach reporting law (S. 1551) that toughens the state’s existing requirements.
The new law requires companies to notify individuals within 45 days after a data breach has been discovered, unless a delay in notification is requested by law enforcement. It expands the definition of personal information…
Orbitz Confirms Breach of Travel Records and Credit Card Information of 880,000 Individuals
Orbitz, the travel booking entity that is owned by Expedia, has confirmed that it has “identified and remediated a data security incident affecting a legacy travel booking platform.” This means that one of its older websites that are used by customers to book their travel plans was hacked.
The statement says that Orbitz uncovered evidence…
Verizon Protected Health Information Data Breach Report Concludes that Insiders Are Greatest Threat to Health Care Entities
Verizon recently issued its Protected Health Information (PHI) Data Breach Report, which is always an interesting read. Not surprisingly, Verizon’s report concludes that based upon analysis of 1,360 security incidents involving the health care sector, 58 percent of the incidents were caused by insiders and 42 percent were caused by external threats.
Insider threats can…