At a glance.
- A look at the first year of CCPA enforcement.
- UC San Diego Health data breach traced to compromised employee email account.
Reflecting on the first year of CCPA enforcement.
In honor of the one-year anniversary of the California Consumer Privacy Act (CCPA), California Attorney General Rob Bonta released an update detailing how the legislation has been enforced so far. The update includes descriptions of twenty-seven instances of alleged noncompliance and the resulting enforcement measures. Here are some of the major takeaways, according to cyber/data/privacy insights:
- Businesses cited for noncompliance include companies with an online presence as well as those that function primarily offline.
- Notices of alleged noncompliance, which start the CCPA’s “30-day cure window,” can originate from various sources. For example, in one incident an email from a consumer triggered the window, while in another case a report from a consumer advocacy organization was what tipped off the attorney general’s office about noncompliance.
Data breach at the University of California San Diego Health traced to staff email compromise.
Staying in the state of California, US health system University of California San Diego (UCSD) Health has disclosed that it experienced a data breach in March as the result of a phishing attempt, NBC 7 reports. A UCSD Health spokesperson has confirmed that this was not a ransomware attack, but that an intruder gained unauthorized access to employee email accounts. UCSD Health shut down the compromised accounts in April, just a few weeks after first discovering suspicious activity, but by May it was clear that the accounts “contained personal information associated with a subset of our patient, student and employee community.” Dates of birth, laboratory results, medical diagnoses, treatment information, Social Security numbers, financial account numbers, and usernames and passwords were among the exposed data. UCSD Health’s official statement notes that “continuity of care for our patients” was not affected by the incident. The San Diego Union-Tribune notes that UCSD Health plans to begin contacting impacted individuals after a forensic investigation is complete, likely by the end of September. Hopefully the delay will not be seen as a violation of the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA), which requires notification “without unreasonable delay and in no case later than 60 days following the discovery of a breach,” a clock that runs from discovery rather than from the completion of a forensic investigation.
Casey Ellis, CTO and founder of Bugcrowd, commented on the breach as the kind of thing that happens to a sector that's under stress:
"In an effort to support patients and staff during the pandemic, the healthcare sector has had to quickly become more accessible and connected. This increased accessibility brings increased exposure to attackers, and any time new technologies are quickly implemented there will be exploitable vulnerabilities left behind. This, combined with the intense pressure on the healthcare sector, makes it a prime target for cybercriminals.
"This breach is an example of the sensitive personal information that can be violated by outside attackers within healthcare organizations, such as medical diagnoses and conditions, medical record numbers, prescription information, Social Security numbers, and financial account information. With such incredibly sensitive data at stake to cyber attackers, healthcare organizations should fortify their security posture with a crowdsourced cybersecurity approach. This empowers healthcare professionals to assess and mitigate the risks associated with disparate data sources and infrastructure so that patients do not have to worry about the privacy of their data.
"As health needs continue to grow, healthcare providers need to continue to operate without security slowing them down, which is where Bugcrowd has seen great success engaging external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before adversaries can exploit them. This allows healthcare networks to identify security issues before the adversary does, protect their users, and avoid a breach like this one.”
Alicia Townsend, Technology Evangelist at OneLogin, sees it as another case of an employee's account being used as a gateway to sensitive data:
“Yet again, another healthcare institution has become the victim of a phishing attack. Sadly, malicious actors are constantly trying to take advantage of employees in the healthcare industry in order to access such a rich source of patient personal information. The full extent of this particular breach has not yet been fully discovered, though first reports suggest that the bad actors were only able to access the email account of a few employees. While they did not seem to get full access to entire data stores of patient information, they did get access to personal information for a number of patients, everything from basic contact information to social security numbers to medical history.
"UC San Diego Health has stated that they have taken steps to enhance their security processes and procedures. We can only hope that includes requiring additional authentication factors when their users log in to access all resources, including email. But even they admit that they need the “community to remain alert to threats”. We have stated it before and it needs to be stated again: healthcare institutions must implement security training for all of their users. Everyone needs to be educated on how to spot phishing attempts, how to keep their passwords secure, the importance of using additional authentication factors, and what to do in case they suspect an attack.”
Purandar Das, co-founder and chief security evangelist at Sotero, cautions against jumping to the conclusion that the stolen data haven't been misused:
“I think it will be important to understand the specific nature of the breach. More importantly, it is too early to claim that the data has not been misused. In fact, it may be hard to quantify what the long-term impact of the stolen data on the individuals is. Also concerning is that the breach was not identified based on sources other than the organization. That fact alone may suggest that the stolen data may have been spotted in an illegal storefront. Obviously, the hospital will be taking a hard look as to how the activity went undiscovered for an extended period of time. The learnings should be used to help other organizations prepare better.”