
PSNI Faces £750,000 Fine for Major Data Breach


The Police Service of Northern Ireland (PSNI) is set to receive a £750,000 fine from the UK Information Commissioner’s Office (ICO) due to a severe data breach that compromised the personal information of over 9,000 officers and staff. This incident, described as "industrial scale" by former Chief Constable Simon Byrne, included the accidental online release of surnames, initials, ranks, and roles of all PSNI personnel in response to a Freedom of Information request. 

This breach, which occurred last August, has been deemed highly sensitive, particularly for individuals in intelligence or covert operations. It has led to significant repercussions, including Chief Constable Byrne's resignation. Many affected individuals reported profound impacts on their lives, with some forced to relocate or sever family connections due to safety concerns. The ICO's investigation highlighted serious inadequacies in the PSNI's internal procedures and approval processes for information disclosure. 

John Edwards, the UK Information Commissioner, emphasized that the breach created a "perfect storm of risk and harm" due to the sensitive context of Northern Ireland. He noted that many affected individuals had to "completely alter their daily routines because of the tangible fear of threat to life." Edwards criticized the PSNI for not having simple and practical data security measures in place, which could have prevented this "potentially life-threatening incident." He stressed the need for all organizations to review and improve their data protection protocols to avoid similar breaches. 

The ICO's provisional fine of £750,000 reflects a public sector approach, intended to prevent the diversion of public funds from essential services while still addressing serious violations. Without this approach, the fine would have been £5.6 million. In response to the breach, the PSNI and the Northern Ireland Policing Board commissioned an independent review led by Pete O’Doherty of the City of London Police. The review made 37 recommendations for enhancing information security within the PSNI, underscoring the need for a comprehensive overhaul of data protection practices. 

Deputy Chief Constable Chris Todd acknowledged the fine and the findings, expressing regret over the financial implications given the PSNI's existing budget constraints. He confirmed that the PSNI would implement the recommended changes and engage with the ICO regarding the final fine amount. The Police Federation for Northern Ireland (PFNI), representing rank-and-file officers, criticized the severe data security failings highlighted by the ICO. 

PFNI chair Liam Kelly called for stringent measures to ensure such an error never recurs, emphasizing the need for robust data defenses and rigorous protocols. This incident serves as a stark reminder of the critical importance of data security, particularly within sensitive sectors like law enforcement. The PSNI's experience underscores the potentially severe consequences of inadequate data protection measures and the urgent need for organizations to prioritize cybersecurity to safeguard personal information.

Aetna Reports Mailing Vendor Hack Affected 326,000


Aetna ACE revealed to federal regulators a health data breach impacting about 326,000 people that was caused by a ransomware event involving OneTouchPoint, a subcontractor that offers printing and mailing services to one of the insurer's contractors. 

OneTouchPoint, located in Wisconsin, revealed to Maine's attorney general last week that a hacking issue uncovered in April affected roughly 1.1 million people. In a statement posted on its website, OneTouchPoint also identifies more than 30 health plan clients who were affected by the event. That list does not include Aetna ACE. 

Despite this, Aetna ACE reported the OneTouchPoint issue to the Department of Health and Human Services on July 27 as a HIPAA breach impacting almost 326,300 people. Aetna states the exposed information may have included names, residences, dates of birth, and limited medical information, according to a statement given to Information Security Media Group on Tuesday. 

According to Aetna, the incident did not include any of Aetna's or parent company CVS Health's systems. Some experts believe that breaches involving health insurers pose significant privacy and security risks to their members' protected health information. 

"Insurance companies typically hold large volumes of individually identifiable data that are valuable to hackers," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. 

The OneTouchPoint incident is not Aetna's first known health data leak involving a vendor that offers printing and mailing services. Aetna paid millions of dollars in regulatory fines and civil settlements as a result of a botched mailing breach in 2017. 

This privacy violation happened when a vendor mailed letters to around 12,000 Aetna plan members in several states informing them of new options for filling their HIV medications. The members' HIV medication information may have been visible through the clear windows of the mailing envelopes. Aetna paid more than $20 million to resolve the matter, covering regulatory fines imposed by several state attorneys general and the settlement of class action lawsuits arising from the privacy issue.