At a glance.
- Money Message takes responsibility for PharMerica breach.
- SchoolDude education platform suffers data breach.
- CNIL penalizes Clearview AI for noncompliance.
Money Message takes responsibility for PharMerica breach.
US long-term care pharmacy solution provider PharMerica has disclosed it suffered a data breach that exposed the data of over 5.8 million individuals. The company says an unauthorized individual infiltrated their systems on March 12 and 13, and the compromised data includes names, addresses, birth dates, Social Security numbers, health insurance, and medication information. SecurityWeek reports that the Money Message ransomware group, a relatively new cyber gang, has taken credit for the breach and in April began publishing the data allegedly stolen during the attack. The cybercriminals say they encrypted almost all of PharMerica’s infrastructure and that they had communicated with the company to negotiate a ransom (which PharMerica apparently did not pay, if Money Message’s actions are any indication). While publicly acknowledging that an attack did occur, PharMerica has not confirmed that ransomware was involved. SC Media notes the breach is the largest reported by a single healthcare entity this year.
Industry experts commenting on the incident see it as an unusually large breach whose effects will be far-reaching. Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote: "This is a devastating data breach both in terms of size and the severity of what was leaked. The Social Security and health insurance information pose the most immediate threat. They could be used for identity theft and medical benefits fraud, respectively. Identity thieves could try to open lines of credit in the names of the deceased, who obviously aren't going to check their credit reports. That puts the onus of responsibility on relatives, who could be on the hook for the deceased's debts. I suspect this attack disproportionately affects the elderly as well, who are frequently targeted by fraud. Patients could further be targeted with any number of scams and phishing attacks. Our analysis shows 711 medical data breaches occurred in 2021, affecting 45.4 million records."
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, said: "This data breach is huge, and will definitely lead to issues for the customers affected by the breach. Since much of the purloined data is connected to deceased individuals, relatives will need to stay alert for accounts opened in their deceased loved one's name, while still living customers affected by the breach will want to stay similarly alert for attempts to open new accounts in their name, while also staying alert for phishing attempts using the stolen information. As senior citizens make up a large number of pharmaceutical customers, they and their caretakers will also need to stay alert for phishing attempts."
SchoolDude education platform suffers data breach.
Last week, intelligent asset management solutions provider Brightly Software began informing approximately three million current and former users of its SchoolDude online platform that their personal data might have been compromised in an April breach, SecurityWeek reports. SchoolDude offers various software solutions for educational institutions and technology professionals, and in the notification letter Brightly says an unauthorized party obtained “certain account information from the SchoolDude user database,” including names, email addresses, phone numbers, school district names, and account passwords. A password reset has been initiated for all users, and an investigation is underway.
CNIL penalizes Clearview AI for noncompliance.
In October 2022, French data protection regulator CNIL fined Clearview AI €20,000,000 for its use of scraped images to populate its facial recognition software. CNIL argued that Clearview AI's data scraping processes amounted to collecting biometric data, which is considered personally identifiable information, without the subjects’ consent. Clearview AI was also found to be holding on to that collected data for more than a year without giving subjects the ability to delete their images. In addition to the fine, CNIL ordered Clearview AI to immediately cease the collection of images in France and delete any French data already acquired. Now, more than six months later, Naked Security reports that Clearview AI has made no effort to comply with CNIL’s ruling, and CNIL has responded by enacting a clause in the settlement that allows for fines of up to €100,000 for every day the company refuses to act. CNIL stated, “Clearview AI had two months to comply with the order and justify compliance to the CNIL. However, the company did not send any proof of compliance within this time limit. On 13 April 2023, [CNIL] considered that the company had not complied with the order and consequently imposed an overdue penalty payment of €5,200,000.”