At a glance.
- Medical diagnostic lab sustains data breach.
- Chanel's ROK unit breached, customer data compromised.
- Further considerations of the privacy implications of Apple's child protection policy.
- University of Pittsburgh Medical Center reaches settlement in data breach lawsuit.
Diagnostic lab cyberattack exposes patient data.
Health IT Security reports that A2Z Diagnostics, a specialized testing lab in the US state of New Jersey, experienced a data breach when an intruder gained access to employee email accounts containing personal health data including full names, Social Security numbers, and medical diagnosis and procedure information. A notice to patients from A2Z states, “Since the date of this incident, A2Z has taken significant measures to improve its technical safeguards in order to minimize the risk of a similar incident in the future, including enhancement of its multi-factor authentication software.”
The price of fashion.
The South Korean unit of French luxury brand Chanel disclosed that it suffered a breach exposing personal customer data including names, birthdates, and shopping histories, EconoTimes reports. Fortunately, no (gold) card info or login credentials were accessed. In an apology letter, Chanel confirmed that the attacker’s IP address had been blocked, and that a “leading independent cybersecurity firm” had verified there was no additional impact on Chanel’s other systems. The Korea Internet & Security Agency and the Personal Information Protection Commission are conducting an ongoing investigation, and it’s unclear whether Chanel’s high-end clientele might pursue litigation.
Experts continue to examine Apple’s child protection tech.
As the CyberWire has noted, Apple’s new child protection features have inspired much debate in the ongoing crypto wars. Writing in Yahoo, Mayank Varia, Research Associate Professor of Computer Science at Boston University, explores how, if executed properly, the tech employed by Apple can detect inappropriate content while still upholding user privacy. Typical digital image protection relying on encryption keys is only as safe as the key’s holder, but by employing a cryptographic method called private set intersection alongside NeuralHash digital fingerprinting, Apple’s detection tools preserve user privacy by scanning user images without actually viewing them. However, Varia admits that without seeing Apple’s actual code, it’s impossible to determine whether the device-assisted matching software will indeed be used securely, or even whether imperceptible changes to images could allow inappropriate content to bypass NeuralHash algorithms. Varia suggests an auditing policy integrating public accountability could ensure the new tech is used effectively and safely.
Pennsylvania hospital system reaches multi-million-dollar data breach settlement.
University of Pittsburgh Medical Center (UPMC), based in the US state of Pennsylvania, has reached a $2.65 million settlement for a class action negligence lawsuit resulting from a 2013 data breach, Infosecurity Magazine reports. The payment will be split among the plaintiffs, 66,000 employees whose personal data were compromised when the attacker, a former Federal Emergency Management Agency IT specialist, gained unauthorized access to tax information on UPMC’s Oracle PeopleSoft database. After being sold on the dark web, the data were used to commit tax fraud, a scheme that cost the Internal Revenue Service $1.7 million. The plaintiffs’ claim that UPMC failed “to comply with widespread industry standards relating to data security” was initially dismissed by the Superior Court but later upheld on appeal at the Supreme Court of Pennsylvania.