At a glance.
- First CCPA case reaches a settlement.
- Twitter fined for violation of GDPR.
- Millions of medical images exposed on the web.
- Medical imaging exposures: industry reactions.
First CCPA case reaches a settlement.
A settlement has been reached in the first case involving a violation of the California Consumer Privacy Act (CCPA), reports the National Law Review. The class-action lawsuit was filed after children’s clothing retailer Hanna Andersson suffered a breach in which the personal information of more than 200,000 customers was compromised, information the threat actors then used to make fraudulent credit card purchases. Hanna Andersson has agreed to create a $400,000 settlement fund for the impacted customers, or about $2 per class member, which is more than twice the amount of recent similar settlements. Perhaps more importantly, the retailer will also implement extensive new security practices, including conducting additional malware and anti-virus monitoring and hiring a Director of Cybersecurity, setting a precedent for future CCPA cases.
Twitter fined for violation of GDPR.
Across the pond, Ireland has reached its first major decision in a case concerning a violation of the EU’s General Data Protection Regulation (GDPR), TechCrunch reports. Social media giant Twitter has been fined €450,000, or about $547,000, for its mishandling of a 2018 data breach, the result of a bug in Twitter’s “Protect your tweets” feature that was exposing Android users’ private information instead of, well, protecting it. An investigation by Ireland’s Data Protection Commission (DPC) found that Twitter delayed reporting the breach and improperly documented the details of the incident. As MediaPost reports, Twitter discovered the issue in December 2018 but did not disclose it until January 2019, well beyond the 72-hour notification window the GDPR allows. The DPC is being criticized for its delay in reaching a decision—after promising to resolve its first GDPR cases months ago—a delay it attributes to difficulties reaching a consensus among the other EU Data Protection Authorities (DPAs). The low amount of the fine, the result of a hard-won compromise among the DPAs, is also under scrutiny, considering that a fine of up to $60 million would have been permissible under the GDPR’s guidelines.
Millions of medical images exposed on the web.
Dark Reading reports that after a six-month investigation, researchers at risk management company CybelAngel published a report stating they’d found more than three thousand exposed storage servers containing over 45 million x-rays, MRI scans, and other medical image files from sixty-seven countries, including the US, the UK, and South Korea. According to BusinessWire, the analysts were examining Network Attached Storage (NAS) devices and Digital Imaging and Communications in Medicine (DICOM) servers, the standard platforms medical professionals use to share healthcare data with one another, when they found that the unencrypted images were being stored without password protection, leaving them completely accessible to the public without any hacking tools. Were such an exposure to result in a breach, the professionals involved could be found in violation of medical privacy laws like the Health Insurance Portability and Accountability Act (HIPAA).
Medical imaging exposures: industry reactions.
We've heard from several industry experts on the implications of the recent exposure of more than forty-five million medical images. Josh Bohls, CEO of Inkscreen, a firm with expertise in secure content capture, wrote:
"This astonishing disclosure shows how toothless the United States HIPAA regulations are, and how lax healthcare providers have become when storing patient data. This should serve as a wake-up call for providers to take a fresh look at how they process, maintain, and safeguard patient-identifiable photos.
"The easy solution would be to move the image files to a secure server on-premises or host them in a private cloud, and add strong authentication requirements plus logging so it's apparent which images have been accessed, copied, deleted, or moved. Going a step further, providers should evaluate modern solutions for capturing and managing sensitive patient images."
Trevor Morgan, product manager with data security specialists comforte AG, thinks that more attention needs to be paid to sensitive data that's not financial information:
"The leak of millions of medical images accentuates a really key realization: sensitive information doesn’t just encompass financial data but also other, more personal types of PII. Some of the most sensitive data people (and enterprises) own is information about their medical health and well-being. This PHI (protected health information) is clearly addressed in many privacy regulations, so organizations that handle, process, and store this data need to find the most effective ways to prevent leaks from compromising the subjects of this sensitive information.
"Perimeter- and access-based security alone cannot guarantee complete protection. Protection methods, especially for textual information, need to focus on the data itself, what we call data-centric security. Methods like tokenization and format-preserving encryption can protect sensitive data while enabling organizations to continue to work with it. This extensive data leak should remind all businesses—especially those in the healthcare industry—of the imperative to keep patients’ healthcare information safe through the most advanced means possible.”
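To make the data-centric approach Morgan describes concrete, here is an added illustration (not comforte AG's code, and not a standardized format-preserving encryption mode such as NIST FF1) of vault-based tokenization applied to the PHI fields of a constructed study index like one that might sit beside an imaging store. The working dataset keeps only tokens; the vault, which would be a separately secured service, holds the only mapping back to real values. Tokens are consistent (same value, same token) so per-patient counts and joins still work, and a digit-only identifier such as an MRN is replaced by a random digit string of the same length so downstream format checks keep passing. The field names, sample records and token formats are assumptions for the example.

```python
"""Toy vault-based tokenization of PHI fields (data-centric security).
Constructed example; not comforte AG's product and not NIST FF1/FF3."""

import secrets
import string

DIGITS = string.digits
PHI_FIELDS = ("patient_name", "mrn")   # assumed field names for the example


class TokenVault:
    """Holds the only copy of the real values.  In a real deployment this is a
    separately secured service; the working dataset only ever holds tokens."""

    def __init__(self):
        self._value_to_token = {}   # (field, value) -> token
        self._token_to_value = {}   # token -> value

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        if key in self._value_to_token:          # consistent tokenization: same value
            return self._value_to_token[key]      # -> same token, so joins still work
        token = self._new_token(value)
        while token in self._token_to_value:     # guard against (rare) collisions
            token = self._new_token(value)
        self._value_to_token[key] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only callers with vault access can recover PHI; a leak of the
        # tokenized dataset alone exposes nothing.
        return self._token_to_value[token]

    @staticmethod
    def _new_token(value: str) -> str:
        # Format preserving: a digit-only identifier (e.g. an 8-digit MRN) becomes
        # a random digit string of the same length so format validators still pass.
        if value.isdigit():
            return "".join(secrets.choice(DIGITS) for _ in range(len(value)))
        return "tok_" + secrets.token_hex(8)


def protect_record(vault: TokenVault, record: dict) -> dict:
    out = dict(record)
    for field in PHI_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out


def restore_record(vault: TokenVault, record: dict) -> dict:
    out = dict(record)
    for field in PHI_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def protect_dataset(vault: TokenVault, records: list) -> list:
    return [protect_record(vault, r) for r in records]


def leaks_phi(protected: list, originals: list) -> bool:
    """True if any original PHI value appears anywhere in the protected dataset."""
    blob = " ".join(str(v) for r in protected for v in r.values())
    return any(r[f] in blob for r in originals for f in PHI_FIELDS)


def studies_per_patient(records: list) -> dict:
    """Analytics that still work on tokens: count studies per (tokenized) MRN."""
    counts = {}
    for r in records:
        counts[r["mrn"]] = counts.get(r["mrn"], 0) + 1
    return counts


# Constructed sample records; the names and MRNs are invented.
SAMPLE = [
    {"study_id": "S-1", "patient_name": "Jane Doe", "mrn": "00123456", "modality": "MR"},
    {"study_id": "S-2", "patient_name": "Jane Doe", "mrn": "00123456", "modality": "CR"},
    {"study_id": "S-3", "patient_name": "John Roe", "mrn": "00987654", "modality": "CT"},
]

if __name__ == "__main__":
    vault = TokenVault()
    protected = protect_dataset(vault, SAMPLE)
    print(protected)
    print("leaks PHI:", leaks_phi(protected, SAMPLE))
    print("studies per tokenized MRN:", studies_per_patient(protected))
    print("restored with vault access:", restore_record(vault, protected[0]))
```

The point of the split is that an exposed storage server holding only the tokenized index reveals no patient identity, while the imaging workflow that needs the real values reaches the vault through an authenticated, logged path.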
Chris Hauk, consumer privacy champion at Pixel Privacy, wrote:
“Despite previous instances of sensitive personal information being left unprotected and available to anyone with an internet connection, medical images and other deeply personal information are still being left unprotected. Medical data sharing networks should immediately examine their security practices, and plug any security holes they find. Or, at the very least, they should require a password for information like this.
"Unfortunately, freely available information, such as these medical images, can be used by the bad actors of the world to exploit the fears of users who find that their information may have been exposed. The bad guys can use social engineering to exploit patients' fears, to extort more information or even cash from the victims.”