At a glance.
- US Federal privacy legislation updates.
- Another medical system exposed to risk in Blackbaud's ransomware incident.
- University Hospital Limerick data breach.
US lawmakers focus on privacy legislation.
Data privacy and cybersecurity return to the forefront of US legislation this week, JD Supra reports. Some highlights:
- Already passed in the House, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 is now pending in the Senate. The Act would require the National Institute of Standards and Technology to devise clear guidelines on the use of IoT devices by the government and the disclosure of cybersecurity issues by IoT government contractors.
- Introduced by four Republican senators, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act seeks to create federal consumer data privacy guidelines that would override laws at the state level.
- The state of New York passed a measure preventing elementary and secondary schools from purchasing biometric identification technology while the Department of Education devises regulations on its use.
- Portland, Oregon unanimously passed two ordinances banning facial recognition technology in both the private and public sectors.
- The Washington Privacy Act of 2021 is being reviewed. Changes from the 2020 bill include the omission of some facial recognition regulations, the addition of guidelines for privacy during a public health emergency, and the assignment of sole enforcement authority to the Attorney General.
Blackbaud ransomware attack claims another victim.
The Sisters of Charity Health System (SCHS) is the latest victim of the Blackbaud data breach, reports HOTforSecurity. The hospital system, based in the US states of Ohio and South Carolina, released a statement explaining that its fundraising database containing patient and donor information might have been compromised as a result of Blackbaud’s massive breach in July. SCHS has contacted all impacted individuals and set up a customer service line for assistance.
Ambulance service hit by ransomware attack.
AAA Ambulance Service, located in the US state of Mississippi, released a statement announcing that it was the victim of a ransomware attack in July, reports EMS1. Though some in the cybercriminal community have asserted that targeting medical facilities should be off the table in the midst of the COVID-19 pandemic, AAA is one of the latest in a series of healthcare entities facing recent data compromises.
Irish hospital's patient data leaked.
The personal data of over 600 patients of Ireland’s University Hospital Limerick was released to Twitter by a rogue IT employee, reports the Limerick Leader. The data, which was pulled from an automated medications database, includes patient names, dates of birth, and dosages. Once the leak was reported to the gardai, a High Court injunction was imposed to prevent the hacker from further action, but a hospital spokesperson told the Irish Examiner that “there remains a residual risk of future unauthorized disclosure.”
PJ Norris, senior systems engineer at Tripwire, emailed us comment on the incident. “To ensure patients’ care and safety, healthcare organizations must ensure that their environment is duly protected against unauthorized changes and misconfigurations, which can make their environment susceptible to a cyber-attack. Given the increased cyber-attacks against healthcare organizations, it is simply no longer sufficient to merely be compliant with security frameworks. When retaining this kind of data, it is critical to choose an encryption solution that not only protects the database instances, but also provides protection for data in transit and at rest.”