At a glance.
- Personal vs. sensitive: two sides of the same coin?
- Victims sue Johns Hopkins over MOVEit data breach.
Personal vs. sensitive: two sides of the same coin?
In cybersecurity reporting the terms “personal” and “sensitive” are often used interchangeably to describe data, but what exactly is the difference? As Security Intelligence notes, “the primary difference between personal and sensitive data is the level of harm that can be caused by its exposure.” The EU’s General Data Protection Regulation defines personal data as any information that is “related to an identified or identifiable natural person.” Examples include name, address, phone number, email address, date of birth, and information related to work, education, or even hobbies. Sensitive data, on the other hand, is highly confidential information that could cause significant damage to the individual if mishandled. Financial information, medical records, passwords, and government-assigned identifiers like Social Security numbers all fall into this category. That said, while a single piece of personal data is often not enough to trace back to a particular person, an attacker can combine several personal data points to play connect-the-dots, building a clear picture of the individual. In other words, although personal data is often publicly available on platforms like Facebook and TikTok, the organizations that collect and hold it must still take care in how they handle it. What’s more, personal data can be classified as sensitive when it falls under specific categories that could impact an individual’s privacy, security, or fundamental rights. Generally speaking, personal data becomes sensitive when it relates to sensitive information (for instance, race, ethnicity, religious beliefs, or political opinions); when its exposure could cause harm, discrimination, stigmatization, or a significant impact on an individual’s rights; or when it has the potential to cause substantial harm such as identity theft or financial fraud.
Victims sue Johns Hopkins over MOVEit data breach.
New victims of the mass-hack of the popular MOVEit file transfer application seemingly appear every day, and, as with any massive data breach, it’s only a matter of time before lawsuits follow. Johns Hopkins University and Johns Hopkins Health System have been hit with two lawsuits alleging that they failed to adequately secure the protected health information of patients exposed by the breach. Johns Hopkins has confirmed that individuals’ names, addresses, dates of birth, and Social Security numbers were stolen in the attack, but, as the investigation is still ongoing, has not yet disclosed how many staff members, students, and patients were impacted. In one lawsuit, the plaintiff claims the attackers made off with the sensitive data of possibly hundreds of thousands of individuals and alleges Johns Hopkins “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that Plaintiff’s and Class Members’ PHI/PII was safeguarded.” The suit also claims the defendants failed to “follow applicable, required and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use” and violated the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule by delaying breach notifications without good reason. The second suit alleges negligence, negligence per se, breach of fiduciary duty, breach of confidence, intrusion upon seclusion/invasion of privacy, breach of implied contract, and unjust enrichment. Both suits claim class members suffered injury in the form of time and money spent seeking to protect the stolen data from fraud, and they seek damages and injunctive relief. The HIPAA Journal predicts that the outcome of the cases will likely depend on whether concrete injury can be proven to be connected to the breach.