At a glance.
- QuestionPro threatened with data extortion after possible breach.
- Advice for complying with Australia’s data breach rules.
- Recent US healthcare data breaches.
QuestionPro threatened with data extortion after possible breach.
QuestionPro, an online market research service, has disclosed that it experienced an extortion attempt in which a cyberactor threatened to release stolen data containing records for approximately 22 million unique email addresses unless the company hands over a bitcoin payment. QuestionPro says it has not met the hacker’s demands and is currently investigating whether a data breach actually occurred. The prolific hacker “pompompurin,” who has claimed responsibility for several recent high-profile attacks, including the breach of the US Federal Bureau of Investigation's Law Enforcement Enterprise Portal and the theft of customer data from US financial services giant Robinhood, told BleepingComputer they acquired the database in May, but another hacker appears to be behind the extortion effort. The stolen records include email addresses, IP addresses, geographic locations, and other information related to QuestionPro surveys. Troy Hunt, owner of the data breach notification service Have I Been Pwned, says he will be adding the incident to his site as an "unverified" breach, and subscribers found in the database will be notified.
Advice for complying with Australia’s data breach rules.
This year’s breach reporting period for the Office of the Australian Information Commissioner’s Notifiable Data Breach Scheme came to a close at the end of June. In previous years the health sector has been the most targeted by threat actors. This year’s official report has yet to be released, but in the interim Lexology offers advice for health organizations seeking to prevent the theft of medical information. Organizations are urged to be wary of electronic forms that automatically pre-fill information, as well as of suspicious links or files. Other recommendations include training staff to recognize phishing scams, verifying patient identities, and handling personal records properly. In order to comply with Australian Privacy Principle 11, organizations must take adequate measures to detect data breaches in a timely fashion, which means monitoring systems for unusual activity, securing paper records, and making sure staff know how to internally report suspected data breaches.
Recent US healthcare data breaches.
American medical organizations continue to be the target of data intrusions. Home healthcare provider Healthback Holdings, based in the US state of Oklahoma, experienced an email breach in June that compromised the personal data of over 21,000 individuals. Becker’s Hospital Review reports that exposed patient data include names, health insurance information, and Social Security numbers.
Becker’s Hospital Review also reports that Central Maine Medical Center has disclosed that a June cyberattack led to the breach of the protected health information of nearly 12,000 patients. According to the required breach notification, the hospital's IT system was infiltrated by an unauthorized user, but it’s unclear what type of data were compromised.
In a statement posted on its website, First Choice Community Healthcare Inc. says an unauthorized third party may have accessed personal and protected health information. The New Mexico-based health system has not yet found evidence that the impacted data – which could include names, Social Security numbers, diagnosis and clinical treatment information, medications, and health insurance information – was misused, but First Choice has begun notifying patients of the incident. BizJournals notes that the breach was first detected in March, at which time First Choice began an investigation to determine its scope. That investigation concluded in June, but the exact number of impacted individuals has not been disclosed.