At a glance.
- California healthcare provider faces data breach lawsuit.
- US OPM reaches settlement for 2015 data breach.
- A look at the CCPA.
- Updates on the Horizon Actuarial Services ransomware attack.
- The California State Bar breach and third-party risk.
California healthcare provider faces data breach lawsuit.
The Times-Standard reports that a class-action lawsuit has been filed against Northern California healthcare provider Partnership HealthPlan of California for a 2021 data breach that impacted up to 850,000 individuals. The plaintiff claims that Partnership HealthPlan failed to protect sensitive user data and neglected to inform its users of the breach in a timely fashion. A partner at Janssen Malloy, the law firm that filed the lawsuit, explained, “The suit really is about Partnership HealthPlans’ method of storing their enrollees' individually identifiable medical information, and how they stored that and whether or not they took all reasonable steps to protect folks’ privacy and keep that information secure from hackers.” Making matters worse, the healthcare organization allegedly waited almost a year after discovery before notifying the victims.
US OPM reaches settlement for 2015 data breach.
A $63 million settlement has been reached in the class-action lawsuit filed over the 2015 data breach of the US Office of Personnel Management (OPM), which exposed the data of over 21 million current, former, and prospective federal employees and their family members, the Epoch Times reports. The files were allegedly stolen by China-backed hackers, who exfiltrated highly sensitive information such as fingerprints and psychological and emotional health histories, and the report adds that the Chinese government is believed to be using data from such breaches to build a database on American citizens for political and economic espionage. The agreement explains, “The settlement is the result of extensive negotiations and accounts for the unique aspects of this litigation, including the strict limitation on recovering from the Government and the causation problems that Defendants would have argued result from the hack’s attribution to a foreign state actor…That these data breaches were attributed to the Chinese government, apparently motivated by foreign policy considerations, would have compounded the risks associated with tracing plaintiffs’ harm to [OPM].” Under the settlement, which still awaits approval from a federal judge, OPM will pay $60 million and OPM contractor Peraton will pay $3 million into a fund for victims of the hack.
A look at the CCPA.
Forbes offers a quick overview of the California Consumer Privacy Act (CCPA), enacted in 2018 by the US state of California to regulate how businesses collect, use, and share the personal data of California residents. The law applies regardless of where a business is located: any for-profit company that handles the personal information of California residents and meets one of the statute’s size thresholds, such as annual revenue of over $25 million or handling the personal information of at least 50,000 California residents, is required to comply. Essentially, the CCPA gives California residents rights over the collection and sale of their personal information, including the right to opt out of its sale to third parties. Non-compliance can result in financial penalties, so suggestions for compliance include placing a brief description of consumers’ rights in the website’s privacy policy, clearly communicating and regularly updating the list of personal information being collected, and giving users an easy way to opt out of having their data sold to a third party.
Updates on the Horizon Actuarial Services ransomware attack.
Horizon Actuarial Services LLC, a provider of actuarial and administrative services to benefit plans, was hit with a ransomware attack last November, and the number of victims continues to climb, TechTarget reports. The initial notification stated that just two customers were affected by the breach, but in its most recent filing to the Maine attorney general's office, Horizon stated that the number of compromised individuals has risen to 1,312,212. The affected clients include thirty-three organizations, ranging from small bakeries to large plans such as the Major League Baseball (MLB) Players Benefit Plan and the National Hockey League Players Association Health and Benefits Fund.
PlanSponsor adds that the breach has resulted in a lawsuit accusing Horizon of neglecting to properly secure sensitive personally identifiable customer information, and the suit alleges that an even greater number of customers were affected. “Defendant determined that the unauthorized actor accessed and exfiltrated the PII of more than 2,537,261 current and former Horizon customers, including that of plaintiff and class members,” the lawsuit states. Moreover, despite detecting the breach in November 2021, Horizon waited until January to begin notifying customers, and the lead plaintiff says he did not receive his notification until April, nearly five months after the breach.
The California State Bar breach and third-party risk.
As the California State Bar deals with its data breach, Tim Erlin, VP of strategy at Tripwire, observed that the incident illustrates third-party risk: “Anytime an organization utilizes a third-party service for data storage or processing, it’s vitally important to validate the security and configuration of that third party. In this case, an aggregator of public records became the point of exposure for sensitive data owned by the state, but ultimately controlled by a third-party who failed to secure it. Notification of those affected is important, but establishing a clear process so that this type of incident doesn’t occur again is vital.”