The Risk Report - March 12

Mar 12, 2022 6:56:00 PM | Weekly Report

What do Samsung and a couple of hospitals have in common? They were victims of data breaches this week. Read on for updates on noteworthy InfoSec news this week.

There are currently three states with consumer privacy laws in place. You know, the ones that let you ask a company to delete your personal information. A fourth state could be added to that list later this month. Read on for more.

BREACHES OF THE WEEK

📱 Lapsus$ strikes again

Samsung announced on Monday that hackers from Lapsus$ (the same group that took down Nvidia last week) had gained access to 190GB of source code of its Galaxy phones, as well as internal company data. Unlike in the case of the Nvidia breach, there does not seem to be any ransom involved in this attack. Samsung has clarified that no employee or customer information was taken in the hack. Who will Lapsus$ strike next?

🚑 From one hospital...

Logan Health Medical Center, a 288-bed hospital in Kalispell, Montana, has notified over 213,000 patients this week of a data breach that took place last November. In its letter to those impacted, the hospital explained that it first discovered “evidence of unauthorized access” to its systems on November 22, 2021, and that an investigation concluded that protected health information may have been accessed. No electronic medical records were compromised. The hospital is offering 2 years of complimentary credit monitoring to those impacted.

🏥 ...to the next

Ascension Michigan, a major hospital system, is notifying patients of a data breach that exposed the personal information of 27,000 people. The breach, which was discovered on November 30th of last year, involved an unauthorized individual accessing electronic health records between September and October 2021. Upon discovery, the user’s access was immediately terminated. Information potentially obtained includes health insurance information, treatment information, and Social Security numbers. The hospital system is offering free credit monitoring to those impacted. But, you know what? I’m getting tired of writing that line every week. How is free credit monitoring an acceptable reparation for an organization's (and, so often, a hospital’s) lousy InfoSec? The world deserves better.

NOTEWORTHY OF THE WEEK

🇺🇸 Privacy for Utahns

Utah would become the fourth US state with a comprehensive consumer privacy law if its Consumer Privacy Act is signed by Governor Spencer Cox before the March 24 deadline. Under the new law, consumers would have the right to request personal data from companies that have collected it, and request that it be deleted. On the surface, this is very similar to the rights granted to Californians under CCPA. The other states that have consumer privacy laws in place are Virginia and Colorado.

🗳️ Fighting the bad fight

Tina Peters, a county clerk in Mesa County, Colorado, has been indicted on 10 counts in connection with an election data breach following the 2020 presidential election. The charges brought against her include seven felony counts for attempting to influence a public servant, criminal impersonation, and identity theft. Peters was a staunch supporter of President Donald Trump and his claims of election fraud.

Written By: Nate Eldridge

Nate authors our weekly newsletter at Trustpage. After work, you can find him kayaking. He lives in Connecticut.