Eskenazi Health in Indianapolis has been diverting emergency department patients arriving by ambulance to other area hospitals since it shut down its network following a ransomware attack on August 4, 2021. The diversion is “out of an abundance of caution and to maintain the safety and integrity of our patient care” according to a hospital statement.

The hospital stated that it did not appear at this time that any employee or patient data was affected by the attack, though the hospital is still evaluating the incident.

Nonetheless, the incident confirms that the healthcare industry continues to be bombarded with ransomware attacks, and that those attacks carry serious consequences for patient safety and care: a hospital that takes its network offline to contain an intrusion also loses the systems its clinicians depend on.

At Belltown Hill Orchards in Glastonbury, Connecticut, a new vehicle is hitting the farm: unmanned aerial vehicles, better known as drones. Drones are a new frontier for farmers who want to keep track of their crops and gather data on plant health. Using drones in this way saves farmers time; with drone technology, the entirety of Belltown Hill Orchards (about 150 acres) can be surveyed in a couple of hours.

Nancy Marek, a Ph.D. student at the University of Connecticut, uses drones at Belltown Hill Orchards to collect aerial imagery of blueberry bushes. To test the accuracy of those images, she has also been taking physical samples of the leaves to measure the plants’ health, and she has conducted similar flights over the Honeycrisp apple orchards. What makes the drone imagery better than the human eye (beyond the fact that the drone can inspect the fields far more efficiently) is that the drone is equipped with special sensors that see into parts of the spectrum our eyes simply cannot. Using those infrared and other bands, the imagery can tell farmers about the biophysical characteristics of the crop. To make sense of the imagery, however, the researchers still gather samples from the crop to determine the plants’ overall health: they collect about 100 leaves and determine what nutrients are in them, and that data is tied to the imagery to build a system that can eventually read the imagery without collecting physical leaves at all.

If this research leads to a model that lets farmers identify crop problems from the sky, it could reduce the cost of testing as well as crop loss, decreased yield and crop disease. The goal is for farmers to use drones to cut down on labor time and cost.

To establish credibility for their new criminal marketplace, cyber criminals have posted details on over 1,000,000 credit cards stolen between 2018 and 2019, including card number, CVV, name and address, on the dark web to entice purchasers of the information. The information was posted on AllWord.Cards. According to researchers at Cyble, more than 83,000 of the cards originated from the U.S.

The researchers at Cyble have estimated that over 20 percent of the credit cards are still valid. Therefore, consumers are urged to check their bank statements carefully for unknown transactions and contact their bank as soon as possible if there is any suspicious activity.

In an unusual but significant move, on August 4, 2021, the Federal Trade Commission (FTC) removed Aristotle International from the Children’s Online Privacy Protection Act (COPPA) Safe Harbor List. There were seven organizations on the list, each approved by the FTC to self-regulate under COPPA; with this first-ever removal by the FTC, there are now six. In general, COPPA requires that parental consent be obtained prior to the collection or use of personal information of children under the age of 13.

In order to be included on the Safe Harbor list, the organizations were required to certify compliance with the FTC’s COPPA Rule. This included developing “guidelines that provide the same or greater protections for children as the COPPA Rule. They also must have an effective and mandatory mechanism in place to conduct independent assessments of member organizations’ compliance with the program guidelines.” Aristotle was approved by the FTC to operate a COPPA Safe Harbor program in 2012.

According to the FTC’s press release, the removal from the Safe Harbor list means that “Operators of websites and online services that paid Aristotle fees to participate in its self-regulatory program can no longer receive favorable regulatory treatment.”

The FTC initially contacted Aristotle with concerns about its compliance with COPPA and its oversight of its members’ compliance. According to the FTC, “The FTC will no longer allow self-regulatory organizations to flout their obligations under Children’s Online Privacy Protection Act rules. Aristotle will no longer be recognized by the FTC as an approved Safe Harbor program. There is a clear conflict of interest when self-regulatory organizations are funded by the website operators and app developers they are supposed to police, so we will be closely scrutinizing other children’s privacy oversight outfits to determine whether they are living up to their obligations.”

The collection and use of children’s information while they are online continues to be a hot-button issue for privacy advocates. It is clearly a regulatory enforcement priority for the FTC as well, so reviewing COPPA compliance in the wake of this announcement may be prudent.

A fertility clinic in California cannot escape a lawsuit brought by a patient after the clinic sent private information to the individual’s entire work team.

The clinic, Lane Fertility Institute for Education and Research (Lane), emailed a client regarding an embryo transfer procedure she had undergone the prior year, seeking information about her resulting pregnancy. Apparently, the request was made for the purpose of collecting data for the clinic’s annual report to the Centers for Disease Control as mandated by federal law and required for the clinic to keep its certification. The email was sent to the patient’s work email address, although she had specifically designated a private email address as her preferred method of contact.

After sending the email, Lane received an automatic response that the individual was out of the office on maternity leave and instructing senders to contact the client’s work team for immediate assistance. Lane did just that, emailing the data request—which contained personal and sensitive medical information—to the patient’s entire work team of nine people. The group emails were monitored by the employer’s security, privacy, and practices teams, so other employees also may have seen the email.

The client, proceeding anonymously, sued the clinic and one of its physicians, alleging violations of California’s Consumer Legal Remedies Act, the Confidentiality of Medical Information Act, negligence, and various other claims. Lane moved to strike the complaint, arguing that its challenged actions arose from an activity protected by a specific state statute and that the lawsuit was primarily intended to chill its right to free speech in connection with a public issue. A public issue for purposes of the statute includes written or oral statements made in connection with an issue under consideration or review as part of an official proceeding, and Lane argued that the data report to the CDC fell within that definition.

The trial court denied Lane’s motion on the grounds that Lane had not shown there was any current or anticipated official proceeding to which the email was connected in any way. The fact that Lane was engaging in an activity to comply with the law did not transform the conduct into an official proceeding. Lane appealed, but the ruling was affirmed. The case is Doe v. Lane Fertility Institute for Education and Research, Inc., Super. Ct. No. CIV 2002299 (Marin County, CA), on appeal, No. A162094 (1st App. Dist., July 29, 2021).

According to The Record, Electronic Arts (EA) was the victim of a data theft in June, when hackers posted on an underground hacking forum that they were in possession of EA data and sought a sale price of $28 million. The hackers were reportedly able to get into EA’s environment after purchasing, on a dark web marketplace, tools that let them authenticate to an internal Slack channel while posing as a legitimate employee’s account.

The hackers were then able to download a large amount of source code from the company with the hope of selling it for big money. Unfortunately, they were unable to find a buyer, so they went back to EA asking for payment to prevent the data from being leaked publicly. The hackers released part of the cache of data to prove they had it and to put pressure on EA, allegedly including the source code for the FIFA 21 soccer game.

It has been reported that EA refused to pay the extortion amount, so the entire data set has been leaked online. EA has confirmed that no player data was involved and that it is actively assisting law enforcement with the investigation into the incident.

The incident illustrates how a legitimate internal communication tool can be turned against a company when credentials bought online let an attacker pose as an employee and then use that foothold to reach source code the tool was never meant to expose. It is important for employees to refrain from reusing passwords across different platforms, since stolen credentials are routinely sold online and used for exactly this kind of impersonation.

The bipartisan infrastructure bill presently being debated in the U.S. Senate includes up to $1 billion in funding over four years to help state and local governments enhance their cybersecurity measures.

The proposed funding would create a grant program for state and local cybersecurity programs, administered by the Federal Emergency Management Agency with input from the Cybersecurity and Infrastructure Security Agency (CISA). To receive grant funding, applicants would have to submit a plan to CISA describing how the money will be used to bolster their cybersecurity program.

The bill would also earmark up to $21 million in funding for the newly created Office of the National Cyber Director in the Executive Office of the President.

The Miami International Airport (MIA) was selected by the U.S. Transportation Security Administration (TSA) this week as a test site for new drone detection technology. The new technology includes detect, track, and identify (DTI) equipment which will be used to identify unauthorized drones that enter restricted airspace. The airport was chosen as a test site for this technology in part because there is already a “perimeter protection pilot” program being tested there. The TSA said that the perimeter protection system and DTI technology are designed to protect the airport from both ground and aerial intrusion.

The perimeter protection system includes thermal sensors, 360-degree cameras, and infrared illuminators, while the DTI equipment lets the airport gather information about the altitude, direction, speed, type, and operator of any unidentified craft. Captain Jim Bamberger, TSA’s Counter-UAS Capability Manager, said that the focus of the DTI equipment will be to identify “non-compliant [drone] operator[s], the criminal operator, or the careless operator” so as to prevent these types of operators from making unauthorized entry. It is anticipated that the DTI equipment will be updated every two to three months to keep pace with changing technology and threats.

All of the information gathered by this DTI equipment will be available to airport authorities via a tablet system. The hope is that technology like this being tested at MIA can be used to benefit and protect airports across the country.

As we work through the second half of 2021, not quite out of the pandemic, still working remotely sometimes or all the time, data privacy and security concerns are more important today than ever before.

The changing landscape of technology, the increased sophistication of organized crime using digital tools, and the continued lack of awareness of data privacy and security concerns are making 2021 more hazardous than previous years.

In that context, I ran across a useful and easy to understand article yesterday about the top privacy concerns in 2021 that I thought was worthwhile to share. The World Beast published Addressing The Digital Privacy Concerns in 2021 on August 3, 2021.

The article addresses some of my top privacy concerns in a user-friendly way, and I encourage you to take a look if you are interested. If you are concerned about the conclusions, take mitigation steps to protect your privacy. It takes time, but staying on top of how you are tracked and how your information is used is the first step in protecting yourself.

If your organization uses Microsoft Office 365 as its email platform, be on the lookout for a tricky new phishing attack recently used by cyber criminals. Microsoft has issued an alert to its customers warning them of the attack, and it merits mention to your users.

The phishing scheme is designed to use convincing emails, a legitimate looking SharePoint site, and “a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.”

According to the alert, “The original sender addresses contain variations of the word ‘referral’ and use various top-level domains, including the domain com[.]com, popularly used by phishing campaigns for spoofing and typo-squatting.”

The emails reportedly try to convince users they are being invited to a secure SharePoint site by using “SharePoint” in the display name and posing as a share of bonus information, staff reports or other content that curious users may be duped into opening; the link then takes the user to the phishing page without the user realizing it.
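The three header tricks the alert describes (a real sender address on a “referral” or com[.]com domain, a display name that carries the target’s own username and domain, and a display name that mimics SharePoint) can all be checked mechanically at the mail gateway. The following is an added example written for this post, not code from Microsoft or from the alert; the sample From: headers and the list of domains trusted to send SharePoint notices are constructed assumptions that a real deployment would replace with its own data.

```python
"""Heuristic From: header checks for the O365/SharePoint phishing campaign.

Added example, not code from Microsoft or the original post. The sample headers
below and the trusted-domain list are constructed assumptions.
"""
import re
from email.header import decode_header
from email.utils import parseaddr

# Domains from which a "SharePoint" display name is plausible.
# Assumption: a real tenant would add its own verified domains here.
TRUSTED_SHAREPOINT_DOMAINS = ("sharepointonline.com", "microsoft.com")

# An address-shaped token hidden inside a display name, e.g. "alice@victim.example".
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def decode_from_header(raw: str) -> str:
    """Decode RFC 2047 encoded words so display-name tricks are visible to the checks."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "utf-8", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def _is_trusted_domain(domain: str) -> bool:
    """Exact or subdomain match only; 'notmicrosoft.com' must not pass."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_SHAREPOINT_DOMAINS)


def analyze_from_header(raw_from: str, recipient: str) -> list[str]:
    """Return the reasons a From: header matches the campaign's patterns.

    An empty list means no check fired. The checks mirror the alert: real sender on
    a 'referral' or com.com domain, a display name embedding the target's own
    address or username, and a display name impersonating SharePoint.
    """
    display, addr = parseaddr(decode_from_header(raw_from))
    display = display.lower()
    sender_domain = addr.lower().rpartition("@")[2]
    rcpt_user, _, rcpt_domain = recipient.lower().partition("@")
    reasons = []

    # 1. Original sender address: 'referral' variants and the com[.]com domain trick.
    if "referral" in sender_domain:
        reasons.append(f"sender domain contains 'referral': {sender_domain}")
    if sender_domain == "com.com" or sender_domain.endswith(".com.com"):
        reasons.append(f"sender domain uses com.com: {sender_domain}")

    # 2. Spoofed display name carrying the target's own address or username.
    embedded = EMBEDDED_ADDR_RE.search(display)
    if embedded and embedded.group().rpartition("@")[2] != sender_domain:
        reasons.append(f"display name shows {embedded.group()} but mail is from {sender_domain}")
    # Require a few characters so short usernames ("jo") do not cause false positives.
    if len(rcpt_user) >= 3 and rcpt_user in display and sender_domain != rcpt_domain:
        reasons.append(f"display name contains recipient username '{rcpt_user}'")

    # 3. Display name mimicking SharePoint from a domain Microsoft does not control.
    if "sharepoint" in display and not _is_trusted_domain(sender_domain):
        reasons.append(f"'SharePoint' display name from untrusted domain {sender_domain}")
    return reasons


# Constructed sample headers (not from the alert): two lures and one legitimate mail.
SAMPLE_HEADERS = [
    ('"SharePoint alice@victim.example" <share@hr-referral.com>', "alice@victim.example"),
    ('"Staff bonus report" <files@docs.com.com>', "bob@victim.example"),
    ('"Carol Ng" <carol.ng@victim.example>', "alice@victim.example"),
]


def scan_samples(samples=SAMPLE_HEADERS) -> dict[str, list[str]]:
    """Map each raw From: header to the reasons it was flagged (empty list = clean)."""
    return {raw: analyze_from_header(raw, rcpt) for raw, rcpt in samples}


if __name__ == "__main__":
    for raw, reasons in scan_samples().items():
        print(raw, "->", reasons or "clean")
```

These are triage heuristics, not an allow/deny decision on their own: a hit on the com.com or “referral” check is strong enough to quarantine, while a lone display-name hit is better routed to the security team for review, since legitimate mail occasionally embeds a recipient’s name in the sender’s display name.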

Microsoft continues to urge O365 users to implement multi-factor authentication on all accounts, which limits what an attacker can do with a password harvested by a page like this. User education remains an important tool against phishing campaigns, and keeping users informed of the newest scams gives them the ability to protect company data.