At a glance.
- T-Mobile data breach lawsuits headed for consolidation.
- Data exposure at a Saskatchewan school system.
- Georgia healthcare provider criticized for poor preparation for ransomware attacks.
- Update on the Desert Wells Family Medicine data incident.
T-Mobile agrees to consolidation of data breach lawsuits.
T-Mobile’s recent massive data breach has led to a slew of proposed class action lawsuits -- twenty-nine, to be exact, filed in eight different federal district courts. Reuters reports that T-Mobile is supporting a plaintiffs' motion, filed last month, to centralize the lawsuits in one federal district court. However, while the plaintiff suggested the US District Court for the Western District of Washington (the location of the mobile giant’s headquarters), T-Mobile is proposing a different court, as the Western District court is currently suffering from a judge shortage. T-Mobile explained, "This is not a dispute that should be assigned to a court experiencing such severe resource constraints." With only two active judges and five vacancies, the court has the highest judicial vacancy rate in the country.
Accidental breach of Canadian school.
According to an investigative report recently published by the office of the Saskatchewan Information and Privacy Commissioner (SIPC), the private data of nearly three thousand students of Chinook School Division in Saskatchewan, Canada were exposed in an accidental breach. The Prairie Post reports the breach occurred when a GitHub code repository was inadvertently set to public instead of private for about thirty-six hours. While the district has instituted new security measures, including revising its GitHub procedures, SIPC Commissioner Ron Kruzeniski feels the district needs to do more: “Although these are good first steps, the School Division should take further steps to mitigate this risk...The School Division should be thoroughly reviewing these applications prior to using them for its own business purposes.”
Georgia healthcare system under fire for ransomware attack.
St. Joseph’s/Candler Health System (SJ/C) is facing a lawsuit filed by one of the patients impacted in their recent ransomware attack, GovInfoSecurity reports. The suit alleges that the Georgia healthcare center was "reckless" and "negligent" and failed to heed the warnings of federal agencies like the Department of Health and Human Services, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation, who recently released a number of of alerts regarding the ransomware threats facing the healthcare sector. "Despite repeated, explicit, detailed warnings as to the manner in which hackers were targeting hospitals' IT systems and how to prevent such attacks, the defendant maintained an IT system vulnerable to attacks from those very same cybercriminals," the complaint states. It’s worth noting that although the attack was discovered in June, the intruder had access to SJ/C’s systems for approximately six months without detection. The plaintiff seeks damages and five years of credit and identity monitoring, in addition to demanding that SJ/C improve its security protocols.
Update on the Desert Wells attack.
As we noted earlier this week, Arizona-based healthcare provider Desert Wells Family Medicine has disclosed it experienced a ransomware attack in May that impacted at least 35,000 patients. The newly released Notice of Data Loss Incident explains that third-party forensic experts and law enforcement are investigating and have determined that the affected data include addresses, dates of birth, Social Security numbers, driver’s license numbers, and health insurance and treatment data, but investigators say there’s no evidence any of the data was misused.
Nick Sanna, CEO of RiskLens, wrote to express the importance of understanding where to apply an organization's resources to improving cybersecurity: “The pressure is on healthcare CISOs to justify the right investments in cybersecurity to a business audience who will support them if they understand the financial impact of ransomware attacks to their organization. Quantifying cyber risk in financial terms is key to get the right buy-in and level of protection. Technical arguments alone are not enough and get too easily discounted”