At a glance.
- Employer tracking is all in a day’s work (from home).
- US hospital refuses to pay up after Karakurt ransomware attack.
- California Department of Corrections and Rehabilitations suffers data breach.
- Update on the Meta Pixel health data breach.
Employer tracking is all in a day’s work (from home).
The pandemic-fueled rise in remote work has led employers to rely more heavily on monitoring technology to keep tabs on exactly what staff are doing when working from home. According to Brian Kropp, vice president of human-resources research at advisory firm Gartner Inc., approximately 60% of large employers now use monitoring platforms to track at least some of their workers, up from roughly 30% before the pandemic, and the surge has drawn criticism from employees and privacy advocates alike. Interviewing three experts in the field, the Wall Street Journal explores the impact of this technology on data privacy. While an employer has a right to know what its employees are doing at work, some companies have gone overboard, collecting data that aren't strictly necessary, and many appear unaware of how such monitoring can hurt worker morale and productivity.
“Surveillance systems that rely on automated decision-making to flag particular behaviors by employees—for example, cursor tracking or facial-recognition tools—also run the risk of reinforcing racist, sexist and ableist patterns in the workplace,” explains John Davisson, director of litigation and senior counsel at the nonprofit research and advocacy organization the Electronic Privacy Information Center. The legality of such technology varies across the globe, but Europe appears to be ahead of the curve. John Verdi, senior vice president of policy at the data-privacy think tank Future of Privacy Forum, explains, “EU law generally prohibits employers from using employee consent as a basis for monitoring, under the reasoning that such consent cannot be freely given when an individual’s livelihood hangs in the balance. Europe’s Data Protection Authorities have levied fines in excess of 30 million euros (about $30.1 million) in response to excessive workplace monitoring.”
US hospital refuses to pay up after Karakurt ransomware attack.
As we noted previously, Methodist McKinney Hospital, a healthcare provider in the US state of Texas, experienced a ransomware attack at the hands of the Russian threat group Karakurt, a gang known for stealing data and extorting victims rather than encrypting systems. The hospital refused to meet the gang’s ransom demands, and the attackers are now threatening to publish the data stolen from McKinney and two of its surgery centers. Experts say McKinney made the right decision in not giving in. Threat analyst Brett Callow told CBS News, “I think it was absolutely the right call. Had the hospital paid, it had no guarantees that the data would have been deleted.” The hospital has not yet released an official statement beyond a standard incident notification indicating that it is “taking steps to secure our systems and commence a comprehensive investigation” and “reviewing and enhancing existing policies and procedures and implementing additional safeguards to further secure the information in our systems.”
California Department of Corrections and Rehabilitations suffers data breach.
The California Department of Corrections and Rehabilitation (CDCR) yesterday disclosed a breach in which “someone or something entered the system without permission,” exposing the data of individuals who underwent COVID-19 testing through the department. As AP NEWS explains, the testing data, collected from June 2020 through January 2022, did not cover inmates, but a subsequent investigation revealed that inmate mental health information held in the CDCR’s Mental Health Service Delivery System may also have been compromised. Some inmate financial data, along with the driver’s license and Social Security numbers of parolees in substance use disorder treatment programs, may also have been exposed. The incident was first detected last June, and the CDCR is notifying potentially affected individuals now that the investigation has closed, although it says there is no evidence that the compromised data were exfiltrated.
Update on the Meta Pixel health data breach.
As we noted previously, Novant Health, a healthcare system in the US state of North Carolina, recently discovered that patients’ protected health information may have been improperly shared via the Meta Pixel (formerly Facebook Pixel) ad tracking script. The inadvertent data collection stemmed from a COVID-19 vaccine promotional campaign run through Facebook ads. As Bleeping Computer explains, the Meta Pixel code was added to Novant’s site to measure the ads’ success, but a misconfiguration caused the Pixel to send private patient data to Meta and its advertising partners. Novant removed the Meta Pixel in May and has notified affected individuals, but its attempts to confirm that Meta has deleted the data have gone unanswered. “We reached out to Meta Facebook several times and through different channels, but never got a response,” Novant stated in its advisory. It’s worth noting that a class action lawsuit has been filed against Meta and two US medical centers alleging they knowingly used the Pixel to collect user data without consent.
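To make the Novant misconfiguration concrete, the following is an added illustration, not code from Novant, Meta or this newsletter: a hypothetical tracking snippet that forwards everything it can see on an appointment page (the way an over-permissive pixel configuration does), beside an allow-listed version that sends only the attribution field the ad campaign actually needs, plus a heuristic audit check a security team could run over captured outbound tracker requests. The page content, field names, URL and the identifier/health-term patterns are all constructed for the example.

```javascript
// Added example: how an ad/analytics pixel leaks PHI when misconfigured, and
// what an allow-listed configuration looks like. Hypothetical code; the page
// context below is constructed and does not come from any real site.
const SAMPLE_PAGE = {
  url: "https://portal.example-health.test/appointments/confirm?patient_id=48213&visit=covid-vaccine-dose-2",
  title: "Appointment confirmed",
  formFields: {
    first_name: "Jane",
    last_name: "Doe",
    email: "jane.doe@example.test",
    dob: "1984-03-09",
    appointment_type: "COVID-19 vaccine, dose 2",
    marketing_source: "facebook_ad_spring_campaign",
  },
};

// Over-permissive configuration: the tracker forwards the full URL (including
// the query string) and every form field so the ad platform can "match" the
// visitor and attribute the conversion. This is the shape of the leak.
function buildNaiveEvent(page) {
  return {
    event: "ScheduleAppointment",
    url: page.url,                  // query string carries patient_id and visit type
    title: page.title,
    params: { ...page.formFields }, // name, email, DOB and appointment details go too
  };
}

// Hardened configuration: only an explicit allowlist of non-identifying
// parameters is forwarded, and the URL is reduced to origin + path. Fields not
// on the list are dropped outright, so a newly added form field cannot
// silently widen the payload.
const ALLOWED_PARAMS = new Set(["marketing_source"]);

function buildAllowlistedEvent(page) {
  const u = new URL(page.url);
  const params = {};
  for (const [key, value] of Object.entries(page.formFields)) {
    if (ALLOWED_PARAMS.has(key)) params[key] = value;
  }
  return { event: "ScheduleAppointment", url: `${u.origin}${u.pathname}`, params };
}

// Audit heuristic for captured tracker requests (for example, exported from a
// browser's network tab): flags query parameters and event parameters whose
// key looks like a direct identifier or whose value contains health-related
// terms. Deliberately simple; it is a smoke test, not a PHI classifier.
const IDENTIFIER_KEYS = /^(first_?name|last_?name|email|dob|ssn|mrn|patient_?id|phone)$/i;
const HEALTH_TERMS = /\b(vaccin\w*|diagnos\w*|covid|prescription|surgery|mental health|clinic\w*)\b/i;

function findPhiIndicators(event) {
  const hits = [];
  const u = new URL(event.url);
  for (const [k, v] of u.searchParams) {
    if (IDENTIFIER_KEYS.test(k) || HEALTH_TERMS.test(v)) hits.push(`url:${k}`);
  }
  for (const [k, v] of Object.entries(event.params || {})) {
    if (IDENTIFIER_KEYS.test(k) || HEALTH_TERMS.test(String(v))) hits.push(`param:${k}`);
  }
  return hits;
}

// Demonstration on the constructed page.
console.log("naive payload flags:", findPhiIndicators(buildNaiveEvent(SAMPLE_PAGE)));
console.log("allow-listed payload flags:", findPhiIndicators(buildAllowlistedEvent(SAMPLE_PAGE)));
```

The allowlist is the important design choice: a denylist that strips known identifiers fails the moment a developer adds a new form field or a new query parameter, while an allowlist fails closed. The audit function is the kind of check to run against real outbound requests before a third-party script ships on any page that handles patient data.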