At a glance.
- The FTC rules against Chegg in data breach lawsuit.
- A trio of third-party health data breaches.
- Bugs found in OpenEMR.
- UK’s IPT says MI5 mishandled personal data.
The FTC rules against Chegg in data breach lawsuit.
EdScoop reports that the US Federal Trade Commission (FTC) has ordered California education technology provider Chegg to improve its security practices. As we previously noted, the FTC filed a complaint against Chegg last year for failing to adequately protect the personal information of its customers and employees, which resulted in four data breaches impacting more than 40 million users. On Friday, FTC commissioners voted unanimously in favor of finalizing an order that directs Chegg to take various steps to better secure its data. The steps include limiting the data the company collects and stores, introducing multifactor authentication options, and allowing users to access their data and delete it if they choose. Chegg has been given ninety days to develop a comprehensive information security plan. Director of the FTC’s Bureau of Consumer Protection Samuel Levine, stated, “Chegg took shortcuts with millions of students’ sensitive information. Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end.”
A trio of third-party health data breaches.
Healthcare IT News offers details on several recent third-party data breaches impacting the health sector. mscripts, a cloud-based mobile pharmacy platform based in the US state of California, has informed the Department of Health and Human Services that the protected health information of 66,372 individuals was exposed when an intruder gained unauthorized access to the company’s data. The company, which is owned by Cardinal Health, has partnerships with clients like Kmart, Wegmans, Intermountain Healthcare, and Banner Health. Though mscripts and Cardinal Health have not posted data breach notices to their websites, the Office for Civil Rights has the breach listed in its “under investigation” list.
UCHealth, a healthcare provider located in the US state of Colorado, posted on its website that a data breach occurred at Diligent, a firm that provides hosting services to UCHealth. According to the post, Diligent reported to UCHealth that "Diligent’s software was accessed and attachments were downloaded including UCHealth files." While electronic medical records and email systems were not impacted, "some of UCHealth’s patient, provider or employee data may have been included in this incident," and just under 50,000 individuals were impacted.
As we previously noted, email marketing service provider Mailchimp recently disclosed that an unauthorized actor had compromised administration tools and accessed 133 customer accounts. A number of medical practice management applications and mail marketing service providers for doctors and providers work with Mailchimp, and this is the second social engineering attack the company has experienced in the past six months. As a result, the Health Sector Cybersecurity Coordination Center issued a warning telling healthcare organizations to be on the lookout for phishing campaigns stemming from the breach.
Bugs found in OpenEMR.
Remaining on the topic of healthcare breaches, SonarSource researcher Dennis Brinkrolf discovered three (now patched) critical vulnerabilities in OpenEMR, an open-source electronic health record system. Used by over 100,000 medical providers and serving more than 200 million patients all over the world, OpenEMR is supported by a nonprofit and is maintained by hundreds of volunteers and professionals. Help Net Security notes that OpenEMR’s open source nature makes it easy for researchers to probe it for security issues. The first of the three bugs could allow an intruder to leverage a rogue MySQL server to read sensitive files from an OpenEMR instance like certificates, passwords, tokens, and backups. The other two could be used to hijack an open, vulnerable OpenEMR instance. The vulnerabilities were promptly patched upon detection in November 2022.
UK’s IPT says MI5 mishandled personal data.
The Investigatory Powers Tribunal (IPT), an independent body that investigates complaints against the UK's security services, has ruled that staffers at spy agency MI5 improperly stored individuals’ intercepted data for nearly five years. As Computing notes, the case is the latest in a series of lawsuits filed by charity Privacy International and human rights group Liberty against MI5 for alleged illegal surveillance practices. This suit focused on a group of laws privacy activists affectionately call the Snooper's Charter, which grant state agencies legal authority to acquire and retain people's personal information as long as they adhere to tight data handling and storage guidelines.
The IPT determined that at least one of MI5’s technological systems lacked sufficient retention, review and deletion (RRD) measures. "The holding and handling of data in those circumstances was unlawful on the basis that, under the relevant provisions of RIPA and IPA, satisfactory safeguards relating to RRD were not in place," the tribunal said. However, IPT rejected a broader challenge and declined to force MI5 to delete any unlawfully retained data, stating that doing so would be "very damaging to national security." Caroline Wilson Palow, legal director at Privacy International, said of the verdict, "UK intelligence agencies seriously intrude on thousands or even millions of people's privacy, we call them out, then the government promises better safeguards. Today's ruling is especially troubling because it confirms that those safeguards can be illusory.”