Alcohol addiction treatment firm caught by Federal Trade Commission disclosing health data for advertising…

April 12, 2024

If there is any doubt about the value of health data and the importance of maintaining strict security, look no further than the Federal Trade Commission’s (“FTC”) action against Monument Inc, a New York-based alcohol addiction centre, for selling its users’ personal health data to, amongst others, Meta and Google without their consent. Under the agreed consent order Monument is banned from disclosing health data for advertising and must obtain consent before sharing it for any other purpose. That however is only the tip of a very big administrative iceberg that Monument has to navigate around. The FTC, as per its usual practice, has set down obligations for implementing procedures, taking action and being monitored by an assessor. The enforceable undertakings are far better drafted and more encompassing than the few undertakings issued by the Information Commissioner. They are useful to read because they contain clauses that could be incorporated into contracts and terms of settlement and that the regulator could use, if the Information Commissioner became more active.

The statement from the FTC provides:

The Federal Trade Commission has taken action against an alcohol addiction treatment service for allegedly disclosing users’ personal health data to third-party advertising platforms, including Meta and Google, for advertising without consumer consent, after promising to keep such information confidential.

As part of a proposed order settling the FTC allegations, New York-based Monument, Inc. will be banned from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose.

Diabetes WA reveals significant data breach, one of many and increasing number of health data breaches worldwide

April 6, 2024

On 2 April 2024 Diabetes WA announced a data breach in a quite cryptic statement. It refers to “some of our contacts”, whose exposed details included names, addresses, Medicare numbers and type of diabetes, amongst other information. Diabetes WA recommends getting replacement Medicare card numbers. itnews reports the incident in Diabetes WA reveals data breach. The breach occurred through a compromised account and Diabetes WA believes it involved those persons using its telehealth services. Even with a limited attack the data available to the intruder was significant.

Data Breach Today reports in Health Data Thefts Keep Coming; Millions Affected in 2024 that the US Department of Health and Human Services has recorded 174 health data breaches in the USA involving 16.6 million individuals since the beginning of this year.

Health remains a key focus for attackers because health services collect and store vast troves of personal information. Despite that, the level of complacency among hospitals and health services is quite high and the willingness to spend on proper data security quite low.

The Diabetes WA notification provides:

Diabetes WA recently experienced a cyber incident, which resulted in a third-party gaining access to the personal information of some of our contacts.

This breach was quickly detected and fully contained. It is under investigation through Diabetes WA’s Cyber Security Response Plan.

We can confirm that no detailed medical records or detailed clinical information were accessed.

Diabetes WA has sent a communication to all affected individuals of this incident.  We have also notified the Office of the Australian Information Commissioner of this incident.

Based on our investigation, we understand that personal information may have been affected by the incident including the following details:

    • Name
    • Address
    • DOB
    • Email
    • Telephone number
    • Marital Status
    • Aboriginal Status
    • Medicare Number
    • Referring doctor
    • Type of diabetes

We have taken decisive action to protect data we hold in this cyber incident and will further reinforce our technology security measures to protect us from potential future attacks.

We recommend that those affected apply for a replacement Medicare card number from Services Australia. Your replacement card will have a new issue number and expiry date and your old card will no longer be valid. You can do this by:

    • Signing in to your myGov account, selecting “Get a Replacement” and following the prompts; or
    • Calling Services Australia on 132 011.

Some further steps you may consider taking to protect yourself include:

    • Be aware of emails and telephone calls from people requesting your personal details, (especially things like your date of birth, residential address, email address, username or passwords which are often used to verify your identity).
    • Contact IDCare on 1800 595 160 or visit www.idcare.org who can provide you with additional guidance on the steps you can take to protect yourself from identity fraud.
    • If you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers. You can also contact your service provider and request to change your number.

The itnews report on the Diabetes WA data breach

Westminster honeytrap scandal an example of spearphishing and damaging breach of privacy

The ever-expanding story of a senior Tory getting caught up in a sexting scandal and sharing private phone numbers highlights the dangers and impacts of spear phishing, and the breach of privacy involved in passing on confidential phone numbers. The Times and others report that a senior Tory MP in the UK, William Wragg, gave out personal phone numbers because he was compromised in a honeytrap. The result was that at least 12 people received unsolicited WhatsApp messages. The Times has run a series of stories on this, leading off with Senior Tory admits leaking MPs phone numbers in honeytrap sext scandal. It seems that Wragg was compromised by someone he met on Grindr, a gay dating app. He appears to be a victim of spear phishing, which is helpfully described by the Times here.

Recent data breaches have focused on cyber attacks and malware. But someone disclosing personal information belonging to other people without their consent, or outside the purpose for which it was created, is also a data breach. In this case it involved private contact details. The circumstances surrounding why the information was

US Federal Communications Commission updates, and beefs up its data breach notification rules on 13 March 2024…the US is moving more in line with the EU and Australia continues to languish in this area

March 27, 2024

Mandatory data breach notification rules are becoming standard in most first world jurisdictions. Over time the obligations upon affected entities have tightened. That is good policy given the way that hackers operate. The US Federal Communications Commission (“FCC”) has updated its Data Breach Notification Rules. These updated rules obviously do not apply in Australia. That said, they are very useful to consider because they are so much more detailed and analytical than the Australian equivalents. They are a very useful resource when considering how to deal with data breaches and how to properly structure a notification.

The media release relevantly provides:

It has been sixteen years since the Federal Communications Commission last updated its policies to protect consumers from data breaches.  Sixteen years!  To be clear, that was before the iPhone was introduced.  There were no smart phones, there was no app store, there were no blue and green bubbles for text.  It was a long time ago.  In the intervening years a lot has changed about when, where, and how we use our phones, and what data our providers collect about us when we do.  But not the FCC’s data breach rules; they remain stuck in the analog age. 

Today we fix this problem.  We update our policies to protect consumers from digital age data breaches.  We make clear that under the Communications Act carriers have a duty to protect the privacy and security of consumer data. 

First, we modernize our data breach rules to make clear they include all personally identifiable information.  In the past, these rules have only prohibited the disclosure of information about who we call and when.  But consumers also deserve to know if their carrier has disclosed their social security number or financial data or other sensitive information that could put them in harm’s way.  We fix that today—and it is overdue.

Victorian Legal Services Commissioner publishes Minimum Cybersecurity Expectations

Legal practitioners hold enormous amounts of personal and other sensitive information. They are key targets of hackers. Just ask HWL Ebsworth. It is now the subject of an Information Commissioner investigation.

The Victorian Legal Services Board and Commissioner has set out the minimum cybersecurity expectations of practitioners. For those practising privacy law the expectations are well known and, if anything, a very bare minimum.  They are a good start.  Firms should use this standard as a base upon which they should implement further privacy and cyber security controls which suit the operations of the firm.  That means giving thought to what data is gathered, used and stored and the best way of protecting that data. 

The Commissioner’s expectations provide:

To help law practices protect their clients’ data and meet their legal and ethical obligations, the following tables set out minimum cybersecurity expectations. They also list examples of unacceptable cybersecurity practices that we consider capable of amounting to unsatisfactory professional conduct (UPC) or professional misconduct (PM).

Law practice principals should use the tables below as a guide to the basic system and behavioural controls you need to implement. This includes the critical system controls without which your practice is most vulnerable. If there are any critical controls that you are yet to implement, these should be your highest priority.

System controls and behavioural controls are two types of cybersecurity measures to protect information systems and data:

Australian Signals Directorate “partners” with Microsoft to develop a Cyber Threat Intelligence Sharing (CTIS) plug-in for the Microsoft Sentinel platform

March 21, 2024

On March 20, 2024, the Australian Signals Directorate (ASD) announced that it had partnered with Microsoft to develop a Cyber Threat Intelligence Sharing (CTIS) plug-in for the Microsoft Sentinel platform. The CTIS is a two-way sharing platform enabling government and industry partners to receive and share information about malicious cyber activity.

Businesses using Sentinel can join and contribute to this CTIS platform as long as they become an ASD Cyber Security Network Partner.

Microsoft is no stranger to data breaches. Hackers breached its Exchange Online accounts in November 2023. In 2022 a misconfigured Microsoft server exposed some of its customers’ sensitive information. There have been other data breaches, which is not surprising given that Microsoft’s products are ubiquitous among businesses in first world countries and have had many vulnerabilities over the years. Similarly governments haven’t been

Three staff investigated into Princess of Wales data breach

The Times reports that the investigation into a data breach involving the Princess of Wales’ medical records at the London Clinic has homed in on three staff. The Information Commissioner has received a breach report and is investigating as well. The story has been picked up by The Australian with Three hospital staff ‘tried to access Princess of Wales’s records’. Initially one person was suspected of causing the data breach. That has expanded to three. That is not unusual. In cases where people seek out salacious information or photographs, the desire to share seems to be difficult to resist. That occurred when photos of Dani Laidley were inappropriately taken in a police station and then sent to other police officers.

Data breaches involving snooping into medical records are a chronic problem in hospitals. But they can be minimised if proper systems are in place. Top of the list is requiring anyone accessing records to have authorisation and to sign in before they can view them. That creates an audit trail and may allow the system to alert IT when someone without authorisation has accessed those records or is trying to. It is not foolproof, as those determined enough can use others’ authorisation, but even then there are ways of dealing with that. In my experience it is no less a problem in Australia than in the UK. Given the regulation is

London Clinic investigates a data breach involving snooping into Princess of Wales’ records by staff while she was a recent patient. A depressingly familiar story that can only be remedied with proper privacy and data security practices... and consequences for breaches.

March 20, 2024

Hospital staff checking out the records of the rich and famous is a depressingly common occurrence. It is a serious data breach. I have posted on only some of these instances, such as Data breach at the Alfred by curious pharmacist is just another in a long line of data breaches in the health sector last year and Privacy concerns regarding data breaches in the health system, hospitals in particular in 2014. There are many others, such as Perth Hospital staff snooped on 40 patients’ records in 2018. There are challenges in keeping hospital records secure and away from prying eyes. There is usually a large number of staff with significant churn. Properly training new staff and providing refresher training requires good administration. Health professionals are

UK Information Commissioner reprimands more police services. This time it is the Dover Harbour Board and Kent Police

March 19, 2024

Police breaching privacy is almost a cliché. The Victorian Police had a sub-specialty for years in misusing the LEAP database. In the UK the Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police for breaches of privacy. Those breaches related to the use of the social media app WhatsApp and the instant-messaging service Telegram on personal phones to share information. The personal information was being shared in groups without appropriate safeguards in place.

This is a widespread problem. Encrypted messaging apps have been used by politicians and officials doing government business to communicate, and do business, away from official means of communication. The problem with messaging apps on personal devices is that they avoid the oversight that supervisors and managers should have. For example, while Prime Minister, Malcolm Turnbull used Wickr and Confide outside of the federal parliament’s system when communicating with colleagues and journalists. He claimed not to have used those apps to send classified government information. But, as Mandy Rice-Davies said after hearing that Lord Astor had denied having sex with her, “He would, wouldn’t he.”

Regarding Dover Harbour Board, the reprimand relates to the use of WhatsApp and then Telegram. The reprimand relevantly

Massive data breach at Kids Empire in the United States involving 2,300,000 records exposed. Not that Australia can be too smug or complacent. There were two significant reported data breaches in March

Kids Empire has suffered a data breach involving the public exposure of 2,363,222 documents in .PDF and .PNG formats with a total size of 92.3 GB. These included reservations, injury waivers, receipts with partial credit card numbers and transaction details, digital gift cards with no expiration date, source images for websites and templates. The database remained publicly accessible for at least three weeks before it was finally restricted. The data exposure is a privacy breach because it revealed personally identifiable information including names, physical and email addresses, phone numbers, and details about the reservations.

In March Australian companies have had two significant data breaches: GaP Solutions has been hit by a LockBit ransomware attack, and the Black Basta gang has posted Australian passports and driver’s licences on the dark web which it says it obtained from australiantextiles.com.au, ausweave.com.au, bartgroup.com.au, bruck.com.au, opt.net.au, wilsonfabrics.com, knoxbridge.com.au, novaemployment.com.au, primrose.co.uk, xenit.com.au, advancedcs.com.au, therose.pub, localbar.com.au.

The article about GaP Solutions