
ATC Healthcare, Community of Hope & The People Concern Disclose Data Breaches

 

ATC Healthcare in New York issued a press statement disclosing a breach in December 2021. The press statement is not as clear or extensive as the updated notice on its website, so this description is based on the website notice:

ATC noticed strange behaviour with various staff email accounts on December 22, 2021. According to the investigation, the email accounts were accessed without authorisation on various occasions between February 9, 2021, and December 22, 2021.

At the time of the incident, the compromised email accounts contained the following data: names, Social Security numbers, driver's licence numbers, financial account information, usernames and passwords, passport numbers, biometric data, medical information, health insurance information, electronic/digital signatures, and employer-assigned identification numbers. 

As is typically the case, investigators were unsure exactly what data had been accessed, so notifications were sent to all individuals who may have been affected. ATC does not appear to be offering any free services and highlights that there is no conclusive proof that any data was read, copied, or exfiltrated.

Community of Hope D.C. (COHDC) 

COHDC learnt of a data security problem involving unauthorised access to one of its employees' email accounts on February 7, 2022. According to reports, the issue was uncovered after the account's authorised user saw spam messages being sent from the account. 

An investigation indicated that between January 27 and February 7, 2022, an unauthorised actor may have accessed specific files and data housed within a single Outlook 365 email account. Individuals' Social Security numbers, driver's licence numbers, financial information, health insurance information, and health diagnostic information may have been obtained. COHDC appears to have made arrangements with IDX to assist and serve the individuals affected. The complete notification is available on the COHDC website.   

The People Concern 

The People Concern (TPC) in California discovered that an unauthorised user accessed workers' email accounts on various days between April 6, 2021, and December 9, 2021; however, it does not say when it initially detected an issue.

As in previous incidents, investigators were unable to identify whether emails or data in the email accounts were accessed. TPC gathers information on community members and staff such as their name, date of birth, Social Security number, health insurance information, and medical information about the care they may have received in one of its programmes. TPC is offering IDX services to people whose SSN or driver's licence information may have been compromised.

Advocates, Inc. 

Advocates, Inc. in Massachusetts published a news release on June 28. 

"According to the release, on October 1, 2021, Advocates was informed that Advocates' data had been copied from its digital environment by an unauthorized actor. Investigation revealed that an unknown actor gained access to and obtained data from the Advocates network between September 14, 2021, and September 18, 2021. The unauthorized individual was able to acquire personal and protected health information including name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information."

A further look at their website notice suggests that the identification of additional impacted persons was ongoing until June. As they put it:

"Advocates is not aware of any evidence of the misuse of any information potentially involved in this incident. However, beginning on January 3, 2022, Advocates mailed notice of this incident to potentially impacted individuals for which Advocates had identifiable address information. Advocates then worked diligently with experts to review the impacted data set and identify any additional potentially impacted individuals with address information. That process was completed on June 9, 2022, and on June 28, 2022, Advocates provided notice of this incident to those individuals."

All Organisations Must Report Cybersecurity Breaches Within 6 Hours: CERT-In

 

CERT-In, India's computer emergency response team, released new guidelines on Thursday that mandate that service providers, intermediaries, data centres, and government institutions disclose cybersecurity incidents, including data breaches, within six hours.

The government said in a release, "Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents."

The types of incidents covered include compromise of critical systems, targeted scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices.

The government stated it was taking these steps to ensure that the required indicators of compromise (IoC) associated with security events are easily accessible to "carry out the analysis, investigation, and coordination as per the process of the law."

According to the guidelines, concerned organisations are also required to synchronise ICT system clocks to the National Informatics Centre (NIC) or National Physical Laboratory (NPL) Network Time Protocol (NTP) Server and to maintain ICT system logs for a rolling period of 180 days, while VPN service providers must maintain data such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years.

The guidelines also require virtual asset service, exchange, and custodian wallet providers to preserve records on Know Your Customer (KYC) and financial transactions for a period of five years, starting in 60 days.

India's Ministry of Electronics and Information Technology (MeitY) said in a statement, "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."