In the U.S. District Court for the Central District of California last week, SuperCare Health, Inc. was hit with another proposed class action based on a data breach that allegedly compromised the personal and health information of over 300,000 current and former patients. SuperCare Health is a respiratory-care provider.

Lead plaintiff Hamid Shalviri alleges that SuperCare failed to safeguard patients’ personal and health information, leading to the compromise of patient names, addresses, dates of birth, health insurance information, and medical records. Shalviri also alleges that SuperCare failed to notify the affected patients for eight months after the breach occurred.

The suit includes allegations of negligence, breach of implied contract, invasion of privacy, and violations of the California Confidentiality of Medical Information Act. The complaint further alleges that the affected patients have suffered anxiety and loss of time and now face a substantial risk of fraud and identity theft due to this data breach.

In addition to Shalviri’s lawsuit, Vickey Angulo sued SuperCare over this data breach in the same court (filed April 13, 2022), and Marina Cardenas and Susie Frazier-Telles filed a similar suit in the U.S. District Court for the District of Nevada (filed April 11, 2022).

Shalviri seeks actual damages, statutory damages, and attorneys’ fees and costs.

As we have pointed out before, it is cumbersome, yet critical, to patch vulnerabilities on a timely basis. Cyber-attackers move swiftly to take advantage of known vulnerabilities and are aware of the challenges organizations face in closing those doors.

The Cybersecurity and Infrastructure Security Agency (CISA), along with its counterparts in other countries, issued a Joint Cybersecurity Advisory on April 27, 2022, outlining the most “routinely exploited vulnerabilities” in 2021, and urging companies to review those vulnerabilities and take action to patch them as soon as possible.

Key findings in the Alert include:

Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.

The Alert cautions organizations about how malicious actors continue to use older vulnerabilities, which “demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.”

The Alert provides organizations with a list of the top 15 routinely exploited vulnerabilities in 2021 and mitigation guidance to address the continued risk the vulnerabilities pose.

It is worth taking the time to review the details of the vulnerabilities and confirm that appropriate mitigation steps have been taken. This is free information designed to assist organizations with their cybersecurity posture, and acting on it is not a heavy lift for something that can dramatically reduce a known risk.

I traveled this week by plane to a client to conduct a cybersecurity tabletop exercise—one of my favorite things to do (the tabletop, not the flying).

Everyone in the gate area was told over the loudspeaker that, to be able to use the wi-fi, we had to download the airline app on our phones, and that if we wanted to purchase anything during the flight, we had to input our credit card numbers into the app.

I am sure everyone can visualize my dismay at this announcement. Since I need to work, I unhappily downloaded the app so I could use the wi-fi. I did NOT put my credit card number into the app.

On the return flight (late at night), passengers across the aisle from me wanted a cocktail, but since they didn’t download the app, they were relegated to soft drinks. Needless to say, they were bummed at their circumstance.

When I landed, I deleted the app. I no longer needed it. When you download these apps, it is important to read what they are doing with your information. This app requested my location, wanted to track me, and a number of pop-ups sought my permission to do so; I rejected all of them.

Consider limiting the information you share with apps that you use infrequently, and consider deleting single-use apps when you no longer need them. Even if you are not using them, they may still be tracking you for months until you use them again. It is very easy to download them again when you need them in the future.

The cybersecurity authorities of the United States (including CISA, FBI, NSA and DOE), Australia, Canada, New Zealand, and the United Kingdom released a joint Cybersecurity Advisory (CSA) on April 20, 2022, “to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity.”

According to the CSA, “Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks” and “some cybercrime groups have recently publicly pledged support for the Russian government,” “threaten[ing] to conduct cyber operations against countries and organizations providing materiel support to Ukraine.”

In particular, the CSA warns critical infrastructure operators “to prepare for and mitigate potential cyber threats” “by hardening their cyber defenses and performing due diligence in identifying indicators of malicious activity.”

Tips to prepare for and mitigate cyber-attacks include:

  • Patch all systems. Prioritize patching known exploited vulnerabilities.
  • Enforce multifactor authentication.
  • Secure and monitor Remote Desktop Protocol and other risky services.
  • Provide end-user awareness and training.

As the sanctions against Russia escalate, companies may wish to heed the multinational warnings issued by intelligence agencies.

Kentucky Governor Andy Beshear recently signed House Bill 474, making Kentucky the latest state to enact insurance data security legislation. The new law is modeled after the data security model law of the National Association of Insurance Commissioners (NAIC). Licensees with more than 50 employees that are authorized to operate, or are registered, under the insurance laws of Kentucky must comply with the new law. The law requires that licensees comply with data security provisions such as developing a written information security program, investigating cybersecurity events and reporting them to the insurance commissioner within three days, and conducting risk assessments.

Although the law takes effect on January 1, 2023, licensees will have one year from the law’s effective date to implement many of its provisions, including performing the risk assessment, establishing the written information security program, and designating an individual or vendor who is responsible for the information security program. The law also states that licensees have two years to design and implement a full information security program.

We previously wrote about the NAIC Model Law when Maine and North Dakota enacted similar laws. Our latest count is that now 21 states have enacted similar laws, some with slight variations as to notification periods, timelines, or definitions.

Unscrupulous criminals use crises to their advantage. Scammers are using the conflict in Ukraine to bilk money from people trying to help those impacted by the attacks. There are numerous accounts of scammers using old techniques to defraud people of funds and personal information.

We all want to help and what is unfolding in Ukraine is tragic. Fraudsters prey on our wishes to aid those in need and know that we are vulnerable to attack because of the emotional toll the war in Ukraine is taking on the world, but particularly the Ukrainians.

If you wish to support Ukraine, do so. But be wary of where you are sending your money. There are many wonderful and legitimate charities that are working hard to assist those in need. But others are exploiting our desire to help in order to steal from us. Be wary of unsolicited requests for donations through email or text. Research the charity to which you are sending your money and make sure you are on the charity’s official website. Be cautious about clicking on any links that are sent to you via text or email. If you are solicited by a well-known charity, take the time to donate directly through its official website and not through unsolicited emails.

The Ukrainians need all the resources and support they can get, so send your charitable donations to a charity that will actually get the funds to them.

CNBC has published a list of top-rated charities for Ukrainian relief.

In an action against what has been described as one of the largest hacker forums in the world, the U.S. Department of Justice (DOJ) announced on April 12, 2022, that it has taken down RaidForums’ website and arrested its founder/administrator. According to DOJ, the domains seized were “Raidforums.com,” “Rf.ws,” and “Raid.lol.”

In its announcement, the DOJ states that “from in or around 2016 through February, RaidForums served as a major online marketplace for individuals to buy and sell hacked or stolen databases containing the sensitive personal and financial information of victims in the United States and elsewhere, including stolen bank routing and account numbers, credit card information, login credentials, and social security numbers. Prior to its seizure, RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.”

RaidForums was also used for electronic harassment through raiding and swatting. The DOJ further stated, “The seizure of these domains by the government will prevent RaidForums members from using the platform to traffic in data stolen from corporations, universities, and governmental entities in the United States and elsewhere, including databases containing the sensitive, private data of millions of individuals around the world.”

John Oliver, comedian and host of HBO’s Last Week Tonight, called on Congress to issue broad data privacy legislation by making it elegantly personal – he bought their data. Following a 25-minute segment on the ubiquity of third-party trackers and data brokering, the late night host revealed that his staff had created an advertiser’s profile targeting “men aged 45 and up” in the Capitol Hill area who had previously visited sites and made searches regarding “divorce, massage, hair loss, and midlife crisis.” They ran a series of ads with embarrassing titles including “Marriage Shouldn’t Be A Prison,” “Can You Vote Twice?,” and (to the studio audience’s delight) “Do You Want To Read Ted Cruz Erotic Fan Fiction?”

Oliver’s phishing expedition turned up several unique users in and near Capitol Hill, including at least three IP addresses originating from inside the Capitol building itself. The users in the Capitol building clicked on each of the ads (including, disturbingly, the ad for Ted Cruz erotica).

Oliver refrained from threatening or doxing any member of Congress in particular, and he claimed in his segment that he had not de-anonymized any of the data he collected. The implication though was clear: Oliver’s scheme is tailor-made for political opposition research, and the next person might not be so accommodating.

*This post was authored by Blair Robinson, legal intern at Robinson+Cole. Blair is not admitted to practice law.

Governor Glenn Youngkin of Virginia recently approved legislation to amend the Virginia Consumer Data Protection Act (VCDPA). In a time when data privacy bills creep through state legislatures only to die in committee, Virginia has not only passed a privacy law but has now also amended that law. Three bills were recently signed by the Governor to amend the VCDPA. The first, H 381, adds an exemption to the right to delete. Specifically, the new language states that data controllers that have obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data by either: (1) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remain deleted from the business’s records, and not using such retained data for any other purpose; or (2) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the VCDPA.

The second amendment to the VCDPA, S 534, abolishes the Consumer Privacy Fund previously established by the VCDPA, and provides that “[a]ll civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.”

The third amendment to the VCDPA, also in S 534, redefines the phrase “nonprofit organization” to now include any political organization that is exempt from taxation under section 501(c)(3) of the Internal Revenue Code. The bill states that “[p]olitical organization means a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.” Nonprofits that meet this new definition will not have to comply with the VCDPA. All of these changes are effective January 1, 2023.

At the International Association of Privacy Professionals Global Privacy Summit earlier this week, Federal Trade Commission Chair Lina Khan rounded out her first year on the job by calling out “overwhelming” consumer privacy policies. While nearly every company online must post a privacy policy, many of these policies are written in dense legal jargon that the average consumer either can’t understand or read all the way through.

Privacy policies are a key piece of the FTC’s authority over privacy issues. Section 5 of the FTC Act enables the Commission to regulate “unfair or deceptive acts or practices in or affecting commerce,” which the FTC has used to hold companies to the terms of their privacy policies.

However, many privacy policy violations may go unreported by consumers who are unable to understand their terms.

Khan’s admonition follows a trend started by former California Attorney General Kamala Harris, whose office sued Delta Airlines under the California Online Privacy Protection Act for failing to provide a privacy policy in its “Fly Delta” mobile app. Following this suit, the California AG’s office released a practical guidance document recommending “clear, accurate, and conspicuously accessible” privacy policies and “special notices” that give users just-in-time and understandable privacy disclosures.

In the same keynote address, Khan also called on Congress to pass legislation to “help usher in” a new era of federal and industry privacy regulations. Taken together with the FTC’s previous guidance on “dark patterns,” it seems clear that the FTC is positioning itself to begin regulating the form and content of privacy policies in addition to enforcing their terms.

*This post was authored by Blair Robinson, legal intern at Robinson+Cole. Blair is not admitted to practice law.