Updates on healthcare and school system data breaches. T-Mobile privacy lawsuits headed for consolidation.

Summary

By the CyberWire staff

At a glance.

T-Mobile data breach lawsuits headed for consolidation.
Data exposure at a Saskatchewan school system.
Georgia healthcare provider criticized for poor preparation for ransomware attacks.
Update on the Desert Wells Family Medicine data incident.

T-Mobile agrees to consolidation of data breach lawsuits.

T-Mobile’s recent massive data breach has led to a slew of proposed class action lawsuits -- twenty-nine, to be exact, filed in eight different federal district courts. Reuters reports that T-Mobile is supporting a plaintiffs' motion, filed last month, to centralize the lawsuits in one federal district court. However, while the plaintiff suggested the US District Court for the Western District of Washington (the location of the mobile giant’s headquarters), T-Mobile is proposing a different court, as the Western District court is currently suffering from a judge shortage. T-Mobile explained, "This is not a dispute that should be assigned to a court experiencing such severe resource constraints." With only two active judges and five vacancies, the court has the highest judicial vacancy rate in the country.

Accidental breach of Canadian school.

According to an investigative report recently published by the office of the Saskatchewan Information and Privacy Commissioner (SIPC), the private data of nearly three thousand students of Chinook School Division in Saskatchewan, Canada were exposed in an accidental breach. The Prairie Post reports the breach occurred when a GitHub code repository was inadvertently set to public instead of private for about thirty-six hours. While the district has instituted new security measures, including revising its GitHub procedures, SIPC Commissioner Ron Kruzeniski feels the district needs to do more: “Although these are good first steps, the School Division should take further steps to mitigate this risk...The School Division should be thoroughly reviewing these applications prior to using them for its own business purposes.”

Georgia healthcare system under fire for ransomware attack.

St. Joseph’s/Candler Health System (SJ/C) is facing a lawsuit filed by one of the patients impacted in their recent ransomware attack, GovInfoSecurity reports. The suit alleges that the Georgia healthcare center was "reckless" and "negligent" and failed to heed the warnings of federal agencies like the Department of Health and Human Services, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation, who recently released a number of of alerts regarding the ransomware threats facing the healthcare sector. "Despite repeated, explicit, detailed warnings as to the manner in which hackers were targeting hospitals' IT systems and how to prevent such attacks, the defendant maintained an IT system vulnerable to attacks from those very same cybercriminals," the complaint states. It’s worth noting that although the attack was discovered in June, the intruder had access to SJ/C’s systems for approximately six months without detection. The plaintiff seeks damages and five years of credit and identity monitoring, in addition to demanding that SJ/C improve its security protocols.

Update on the Desert Wells attack.

As we noted earlier this week, Arizona-based healthcare provider Desert Wells Family Medicine has disclosed it experienced a ransomware attack in May that impacted at least 35,000 patients. The newly released Notice of Data Loss Incident explains that third-party forensic experts and law enforcement are investigating and have determined that the affected data include addresses, dates of birth, Social Security numbers, driver’s license numbers, and health insurance and treatment data, but investigators say there’s no evidence any of the data was misused.

Nick Sanna, CEO of RiskLens, wrote to express the importance of understanding where to apply an organization's resources to improving cybersecurity: “The pressure is on healthcare CISOs to justify the right investments in cybersecurity to a business audience who will support them if they understand the financial impact of ransomware attacks to their organization. Quantifying cyber risk in financial terms is key to get the right buy-in and level of protection. Technical arguments alone are not enough and get too easily discounted”

Selected Reading

DoorDash sues New York City over law that requires it to share customer data with restaurants (The Verge) The law is set to take effect in December.

Hawks arrest suspect in Experian data breach that exposed data of 23 million South Africans (My Broadband) The Hawks arrested a suspect linked to last years breach of Experian, which led to the personal data records of 23.4 million South Africans being posted online.

T-Mobile, customers diverge on forum to transfer data breach suits (Reuters) T-Mobile US Inc is supporting a plaintiffs' bid to centralize in one federal district court almost 30 lawsuits filed by customers over a recent massive data breach, but suggested a different venue due to a "dire" judge shortage.

Lawsuit: Health System Failed to Heed Ransomware Warnings (GovInfoSecurity) A proposed class action lawsuit filed this week against St. Joseph's/Candler Health System in the wake of a recent ransomware breach affecting 1.4 million

Anonymous hacks and leaks data from domain registrar Epik (The Record by Recorded Future) Hacktivist group Anonymous has successfully breached and leaked the database of Epik, a controversial web hosting provider and domain registrar that has given shelter to many right-wing websites over the past few years, such as Gab, Parler, and The Donald.

Chinook School Division student information exposed during accidental data breach (Prairie Post) The private records for 2,841 Chinook School Division students were available publicly for over 36 hours during an accidental data breach last year.

Exclusive Data: An Inside Look at the Spy Tech That Followed Kids Home for Remote Learning — and Now Won’t Leave (The 74 Million) A week after the pandemic forced Minneapolis students to attend classes online, the city school district’s top security chief got an urgent email, its subject line in all caps, alerting him to potential trouble. Just 12 seconds later, he got a second ping. And two minutes after that, a third. In each instance, the emails […]

Cybersecurity expert: Israeli spyware company NSO Group poses ‘a serious threat to phone users’ (The World from PRX) John Scott-Railton, a senior researcher with The Citizen Lab in Canada who discovered the Apple iPhone breach with his colleagues, joined The World's host Carol Hills to talk about the international spyware marketplace that fosters these kinds of exploits.