In an unusual case, Georgia-based Southwire, an American manufacturer of wire and cable, has secured the indictment in the Irish High Court against the registrants of the Mazenews site, which Southwire convincingly claims is associated with the Maze ransomware gang that hit the company early last month. Southwire elected not to pay the $6 million ransom the Maze hoods demanded, and the gang then, in what has become an increasingly common tactic, began publishing data they'd stolen from Southwire on Mazenews, Infosecurity reports. Mazenews had some identifiable natural persons associated with it (at least two in Ireland and one in Poland) and they're the ones Southwire decided to pursue. Good luck to Southwire, and good (legal) hunting.
Several breaches involving healthcare providers have attracted lawsuits. The Canadian medical testing firm LifeLabs, which operates principally in Ontario and British Columbia, faces at least two class action suits, one filed in each province. Insurance Business says the plaintiffs allege, in a December 27th filing with the Ontario Superior Court, "negligence, breach of contract and violating their customers’ confidence." They also allege violations of privacy and consumer protection laws. The suit filed in British Columbia's Supreme Court complains that LifeLabs lacked both “adequate security” and “adequate training for employees.” It also argues that the company should have been quicker to disclose the incident to the people who were affected. The plaintiffs in the Ontario case are seeking a whopping $1.13 billion from LifeLabs.
In Montana, Kalispell Regional Healthcare may be facing its own class action suit over a data breach the hospital sustained in May. Here, too, there was some delay in disclosure: Kalispell Regional didn't disclose the breach to the estimated 130,000 persons affected until five months after it occurred. Two suits, one filed in November, the other on December 24th, allege that Kalispell Regional was in violation of the Montana Uniform Health Care Information Act. The Act authorizes people whose data were compromised to receive damages from the parties who mishandled the data or permitted them to be stolen. The second suit also seeks to certify a class of patients who were affected by the breach. The Missoulian in its reporting characterizes the breach as the result of a "sophisticated cyberattack," but that characterization seems wayward: the attackers got in by successfully phishing hospital employees into compromising their credentials to Kalispell Regional's network.
And, in a case that represents fallout from activities of the notorious (and now indicted) Darkoverlord, the Supreme Court of the State of Georgia unanimously decided to revive a patient suit against the Athens Orthopedic Clinic for a breach the Darkoverlord committed in June of 2016. Health IT Security reports that the plaintiffs (who are also seeking class certification) allege negligence, breach of an implied contract, and "unjust enrichment.” They also want to be compensated for the cost of credit monitoring and identity protection.