A fourth class action launched against Medibank arising from its data breach

February 9, 2023

One certainty with data breaches is that the breach is just the start of an organisation's problems.  The breach brings on the cost of determining the extent of the damage, then dealing with the regulator if it becomes involved, notifying clients/customers, dealing with the media and shareholders and rectifying any damage caused by the breach.  That usually involves engaging technical experts, public relations people and lawyers, and hours of in-house work.  Then comes the class action if the breach is big enough.

The Medibank breach is large by any measure and huge by Australian standards.  That resulted in three class actions being commenced last year.  And as of 7 February 2023 a fourth class action was filed.

Federal Trade Commission commences enforcement action against GoodRx for extraordinary privacy breaches involving sharing consumer sensitive health information for advertising purposes

February 8, 2023

The Federal Trade Commission (the “FTC”) has announced enforcement action against GoodRx for a range of significant breaches involving customers' information.  This is the first time it has used its powers under the Health Breach Notification Rule.

This case highlights the temptations of monetising personal information to generate sales even if that meant disclosing personal health related information.  It also demonstrates that large operations can and often do ignore privacy and data security obligations when using data for financial gain. When the regulator takes action the flaws become very apparent and often make a bad situation much worse.
While the law differs in Australia it is very useful to consider these actions because of the methodology the FTC deploys in framing its cases.  The technology is the same in Australia and the United States.  The issues are the same.

According to the FTC:

  • since 2011, GoodRx Holdings, Inc. has been a “consumer-focused digital healthcare platform” based in Santa Monica, California.
  • GoodRx advertises, distributes, and sells:
    • health-related products and services directly to consumers, including purported prescription medication discount products branded as “GoodRx” and “GoodRx Gold.”
    • telehealth services, branded as “GoodRx Care,” and previously as “HeyDoctor by GoodRx,” and “HeyDoctor,” through its subsidiary HeyDoctor, LLC (“HeyDoctor”) [2].
  • since at least 2017, GoodRx promised its users that it would share their personal information, including their personal health information, only with limited third parties and only for limited purposes; that it would restrict third parties’ use of such information; and that it would never share personal health information with advertisers or other third parties [3].
  • GoodRx offers a platform, available through its website (www.GoodRx.com) or mobile application (“Mobile App”), to search for and compare prescription medication pricing at nearby pharmacies, and to obtain prescription discount cards (the “GoodRx Coupon”). Since January 2017, 55.4 million consumers have visited or used GoodRx’s website or Mobile App [16]
  • GoodRx collects:
    • users’ personal and health information, and prompts users to provide their email address or phone number, to access electronic coupons and refill reminders [19].
    • personal and health information when users register for an account, which is required for GoodRx Gold, the product charging a monthly subscription fee. [20]
    • personal and health information from pharmacy benefit managers (“PBMs”). When users purchase medication using GoodRx Coupons, the PBM processes the transaction and sends a claims record to GoodRx (“Medication Purchase Data”), containing name, date of birth, and information about the prescription filled [21].

On February 25, 2020, Consumer Reports published

Queensland University of Technology suffers data breach involving 11,405 people

February 7, 2023

Educational institutions are prime targets for cyber attacks by state actors and criminals.  I have previously written on cyber attacks on tertiary institutions at UWA, the University of Tasmania, Deakin University, and the ANU in 2019 and 2022.  There have been many other data breaches of educational institutions in the United States and Europe.  Tertiary institutions are prime targets because they store so much personal information and intellectual property. They are especially tempting targets because tertiary institutions have poor cyber security.  The reasons are many and varied: systems cobbled together when institutions merge, too many authorisations, a failure to remove authorisations when people leave or change roles, differing protocols in different departments, a failure to encrypt data, a failure to properly silo data and, most importantly, indifferent training and inadequate funding.  Even though the attacks are regular and the impact severe, educational institutions remain poorly prepared.

Having proper data security means dealing with technical issues but also with cultural problems. For too long businesses have not properly factored in the risks.  Boards and management don’t address the issues and don’t properly consider what the cybersecurity risks are and what needs to be done to protect themselves from them.  That includes promoting and developing a culture of cyber resilience.

In practical terms that includes:

  • doing an inventory of every computer system that exists across the organisation to determine whether it is being properly patched, whether user access is properly controlled and whether multi-factor authentication is enforced.
  • reviewing the type of data being held, determining where it is stored, how it is being protected and who has access to it. That exercise will expose vulnerabilities, and it will usually show that some data should never have been collected or should have been culled long ago.
  • making sure there are backups of data, stored so that a compromise of the production systems cannot reach them (offline or otherwise isolated copies), and that they can actually be restored.
  • checking whether the organisation is complying with the NIST Cybersecurity Framework.   It is not an official standard in Australia but it is as good as it gets, and it adopts useful strategies for soft, passive and active defence.
  • undertaking audits and penetration testing by outside organisations. There is no substitute for testing.
  • having a data breach response plan and running exercises to determine that it works.  That means knowing who to contact, internally and externally, when there is a data breach.
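The first two items in that list (inventory every system, then review who can reach what) are the ones most organisations never actually finish, because the answers live in spreadsheets nobody reconciles. The script below is an added example, not part of the original post: it runs the review over a constructed inventory and flags the failings the post describes (patching overdue, no MFA, backups reachable from the system they protect, too many administrators, access retained by leavers, dormant authorisations). The thresholds (30-day patch SLA, 90 days before an account counts as dormant, at most two administrators per system) and the sample systems and accounts are assumptions for illustration.

```python
"""Inventory and access-review audit over a constructed asset list (illustrative example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user: str
    role: str                    # "admin" or "user"
    last_login: Optional[date]   # None means the account has never logged in
    still_employed: bool         # False for a leaver whose access was never removed


@dataclass
class System:
    name: str
    department: str
    last_patched: date
    mfa_enforced: bool
    holds_sensitive_data: bool   # e.g. tax file numbers, bank account details
    backups_isolated: bool       # True if a compromise of this system cannot reach its backups
    accounts: List[Account]


Finding = Tuple[str, str, str]   # (system, issue code, detail)


def audit_inventory(systems: List[System], today: date,
                    patch_sla_days: int = 30, dormant_days: int = 90,
                    max_admins: int = 2) -> List[Finding]:
    """Return findings for every system, sensitive-data systems first."""
    findings: List[Finding] = []
    sensitive = {s.name for s in systems if s.holds_sensitive_data}
    for s in systems:
        age = (today - s.last_patched).days
        if age > patch_sla_days:
            findings.append((s.name, "UNPATCHED", f"{age} days since last patch"))
        if not s.mfa_enforced:
            findings.append((s.name, "NO_MFA", "multi-factor authentication not enforced"))
        if s.holds_sensitive_data and not s.backups_isolated:
            findings.append((s.name, "BACKUP_REACHABLE",
                             "backups can be reached from the system they protect"))
        admins = [a.user for a in s.accounts if a.role == "admin"]
        if len(admins) > max_admins:
            findings.append((s.name, "TOO_MANY_ADMINS", ", ".join(admins)))
        for a in s.accounts:
            if not a.still_employed:
                findings.append((s.name, "LEAVER_ACCESS", a.user))
            elif a.last_login is None or (today - a.last_login).days > dormant_days:
                findings.append((s.name, "DORMANT_ACCESS", a.user))
    # Stable sort: systems holding sensitive data come first, then group by issue.
    findings.sort(key=lambda f: (f[0] not in sensitive, f[1]))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue code for a board-level summary."""
    counts: Dict[str, int] = {}
    for _, issue, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


def build_sample_inventory() -> List[System]:
    """Constructed inventory for the example; not real systems or people."""
    return [
        System("hr-payroll", "HR", date(2022, 11, 30), mfa_enforced=False,
               holds_sensitive_data=True, backups_isolated=False, accounts=[
                   Account("alice", "admin", date(2023, 2, 1), True),
                   Account("bob", "admin", date(2022, 10, 1), True),     # dormant admin
                   Account("carol", "admin", date(2023, 1, 20), False),  # left, still has access
                   Account("dave", "user", None, True),                  # never used
               ]),
        System("library-catalogue", "Library", date(2023, 1, 25), mfa_enforced=True,
               holds_sensitive_data=False, backups_isolated=False, accounts=[
                   Account("erin", "user", date(2023, 2, 5), True),
               ]),
        System("research-share", "Research", date(2023, 1, 1), mfa_enforced=True,
               holds_sensitive_data=True, backups_isolated=True, accounts=[
                   Account("frank", "admin", date(2023, 2, 3), True),
                   Account("grace", "user", date(2022, 9, 15), False),   # leaver
               ]),
    ]


if __name__ == "__main__":
    today = date(2023, 2, 7)
    results = audit_inventory(build_sample_inventory(), today)
    for system, issue, detail in results:
        print(f"{system:20} {issue:18} {detail}")
    print(summarise(results))
```

Run against real data the inventory would come from the asset register and the identity provider's export rather than being typed in, but the checks are the same; the point of putting them in code is that the review can be re-run every month rather than done once before an audit and forgotten.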

The Queensland University of Technology is the latest institution to suffer a data breach.  It announced yesterday that the data breach affected 2,492 current employees, 17 current students, 8,846 former employees and 50 former students.  The data relating to individuals included tax file numbers and bank account details.  In January it had issued a vaguer report of the data breach, which it identified as a ransomware attack.

The statement provides:

QUT has identified that some data was stolen in a cybercrime attack on December 22, 2022.

Firstly, QUT is disappointed and sorry that this cybercrime has potentially impacted on our staff and former staff. It is important to note the security of our HR, student or financial systems was not compromised or accessed by the cyber criminals. We also have no evidence to date of any further illegal activity in relation to the data that may have been accessed by the cyber criminals.

Australian Medical Association calls for better protection of health information.

February 6, 2023

Perhaps there may be a significant improvement in privacy and data protection this year.  On Friday the Australian Medical Association called for major reform to the protection of patient data.  Its position paper supports applying the standards and controls the GDPR applies to privacy protection and data handling.  Much of what the AMA says is quite consistent with the standards advocated by privacy practitioners and the standards that are becoming more common across the first world.  But it is significant because the AMA is quite conservative and the health industry has traditionally had a very poor privacy culture. That has led to the health industry being a prime target for hackers.

The media release provides:

In a new position statement, the AMA says the use of data must be for the public good and not present harm to individuals, the healthcare providers or the healthcare system.

AMA President Professor Stephen Robson said appropriate use of health data can enhance the provision of care for patients, improve health outcomes, increase equitable and individualised care, while minimising duplication and gaps in care.

“Effective data governance will ensure the appropriate collection and use of data and protect patient data,” Professor Robson said.

Medibank saga reveals that personal information of those who inquired about but did not obtain private health cover from Medibank was accessed in the data breach. Real questions over data minimisation policies of Medibank

January 24, 2023

The lesson from overseas is that the data breach is only the beginning of the problems for the affected organisation.  As the organisation and, significantly, the regulator review the carnage, the investigation goes well beyond the cause of the breach and what security measures were in place, and extends to general data collection and handling.  Organisations with poor data security commonly have a poor understanding of data collection.  All too often organisations collect too much personal information, information that is not relevant to their operations, and keep what they collect for too long, often not culling irrelevant information at all. Investigations then expand and often enough penalties accrue.  Sometimes an organisation receives a greater penalty for breaches of the data protection laws not directly related to the data breach itself. These investigations increase the time it takes to put the data breach behind the organisation, increase the cost and further harm an organisation’s reputation.  Almost invariably these other deficiencies could easily have been avoided with proper advice, policies, protocols and training.

The Australian reports, in Data at risk just asking for Medibank quote, that non-customers of Medibank who provided personal information in their inquiries about policies had that personal information compromised in the Medibank hack. That information includes names, gender, date of birth, email and phone details. As with many organisations there was a commercial benefit in collecting that information even if the individuals did not purchase a policy.  The information can be used for marketing and modelling.  That said, that collection and retention is in breach of the Privacy Act and contrary to the principle of data minimisation.

Maurice Blackburn, Banister Law and Centennial Lawyers have joined together in a representative action involving as many as 9.7 million affected by the Medibank Data Breach.

The Australian article

ChatGPT, where privacy and AI collide

Artificial intelligence (better known as AI) has been around for a while.  AI algorithms are a key part of Google’s success, in discerning our interests and needs and ranking goods and services as part of the search engine’s operation.  Facebook and Amazon also rely on AI in making their money, with Facebook selling ads and Amazon putting items within tantalising reach.  AI has moved to centre stage in public policy discussion because its use threatens to be ubiquitous.  AI, and quantum computing, will be transformative in how business is done, services are provided and decisions are made.  That is likely to be for the good but there are legitimate concerns about its untrammelled use without regulatory oversight.  It will also impact employment, with the most recent example being Microsoft laying off 10,000 staff to cut costs as it focuses on AI.

In the United States there are concerns that the use of ChatGPT has the potential to breach privacy laws. In the UK the Information Commissioner’s Office is sufficiently concerned about the use of AI that it published an article on its website titled Addressing concerns on the use of AI by local authorities.

ChatGPT is a large language model chatbot that is vexing educational institutions because it creates realistic text which may be difficult to distinguish from human-written prose. It may defeat anti-plagiarism software. This is well summarised by the ABC in What is ChatGPT and why are schools and universities so worried about it?   It

Massachusetts and Hawaii introduce privacy bills. The USA is slowly moving to proper data protection coverage through state-based legislation

January 22, 2023

In the United States it is not uncommon for significant changes to originate at the state level, only later becoming part of the national legal framework.  In 2023 comprehensive consumer privacy laws take effect in California, Colorado, Connecticut, Utah and Virginia.  California’s data privacy law is particularly strong; some say it is only slightly weaker than the GDPR in overall effect.

Sometime in early 2023 the Australian Commonwealth Government will release its proposed amendments to the Privacy Act.  The Government has indicated a significant overhaul of the Act and of how privacy will be regulated.  Amendments to date have been limited and the regulation has been weak.

Reuters has an excellent piece, U.S. data privacy laws to enter new era in 2023, which

The Commonwealth Government considering right to be forgotten as part of its Privacy Law reforms

January 19, 2023

As is the way with modern law reform the Government of the day salts the media with stories of what may be in the yet to be released package of amendments or new laws.  So it is with the mooted reforms to the Privacy Act.  The Guardian has run a detailed story titled Australia to consider European-style right to be forgotten privacy laws. The article roams widely over some of the privacy reform proposals including a statutory right to sue for breach of privacy.  It also ventures into other areas of law reform including a Judicial Commission.

The right to be forgotten is now quite a mature part

A Christmas Greeting…and yes there is a Santa Claus

December 25, 2022

Merry Christmas and seasons greetings to all.

As is my tradition on this page, I mark Christmas with one of the most wonderful editorials ever written, “Yes, Virginia, there is a Santa Claus.”   This 1897 editorial in the New York Sun is the epitome of good prose; it is precise, effective, warm and clear.  Even the most hardened cynic cannot fail to be moved by the simple plea for a belief in the better and the essence of Christmas, its spirituality and the concept of redemption.  It is easy to scoff at such “naive” beliefs.  Every year I

The editorial took on a life of its own and is regarded as one of the great pieces of journalistic prose.  It still attracts column inches of analysis and shameless reproduction, because the message is as apt today as it was over a hundred years ago.  An

Here it is:

Dear Editor,
I am 8 years old. Some of my little friends say there is no Santa Claus. Papa says, “If you see it in The Sun, it’s so.” Please tell me the truth, is there a Santa Claus?
Virginia O’Hanlon
“115 West Ninety-Fifth Street”

VIRGINIA
    Your little friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except what they see. They think that nothing can be which is not comprehensible by their little minds. All minds, Virginia, whether they be men’s or children’s, are little. In this great universe of ours, man is a mere insect, an ant, in his intellect, as compared with the boundless world about him, as measured by the intelligence capable of grasping the whole of truth and knowledge.

    Yes, VIRGINIA, there is a Santa Claus. He exists as certainly as love and generosity and devotion exist, and you know that they abound and give to our life its highest beauty and joy. Alas! How dreary would be the world if there were no Santa Claus! It would be as dreary as if there were no Virginias. There would be no childlike faith then, no poetry, no romance to make tolerable this existence. We should have no enjoyment, except in sense and sight. The eternal light with which childhood fills the world would be extinguished.

    Not believe in Santa Claus? You might as well not believe in fairies! You might get your Papa to hire men to watch all the chimneys on Christmas Eve to catch Santa Claus, but even if they did not see Santa Claus coming down, what would that prove? Nobody sees Santa Claus, but that is no sign that there is no Santa Claus. The most real things in the world are those that neither children nor men can see. Did you ever see fairies dancing on the lawn? Of course not, but that’s no proof that they are not there. Nobody can conceive or imagine all the wonders that are unseen and unseeable in the world.

    You tear apart the baby’s rattle and see what makes the noise inside, but there is a veil covering the unseen world which not the strongest man, or even the united strength of all the strongest men that ever lived, could tear apart. Only faith, fancy, poetry, love, romance, can push aside that curtain and view and picture the supernatural beauty and glory beyond.
Is it all real? Ah, VIRGINIA, in all this world there is nothing else as real and abiding.

    No Santa Claus! Thank God! he lives and he lives forever. A thousand years from now, VIRGINIA, nay, ten times ten thousand years from now, he will continue to make glad the hearts of children.

Federal Trade Commission fines Epic Games $275 million for privacy violations and requires it to refund customers another $245 million for tricking users

December 22, 2022

The Federal Trade Commission (the “FTC”) has its detractors who say it is not assertive enough.  Compared to the Australian Information Commissioner it is frenetic and hyper-aggressive.  In a field where the breaches are many, most regulators are subject to the criticism that they are not doing enough.  But when the FTC takes action against a company the impact is considerable and painful for the malefactor.  That is shown by the agreement the FTC reached with Epic Games for its violation of the Children’s Online Privacy Protection Act.

Epic has been fined $275 million for collecting personal information from children under the age of 13 without parental consent.  It also enabled those children to have access to voice and text chat by default, a practice that could put them into contact with strangers.

As is the way, the media coverage has been negative for Epic, with Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy and Fortnite game maker will pay $520M to settle FTC allegations.

The statement of the FTC provides:

The FTC’s $275 million proposed settlement with Epic Games, owner of Fortnite, alleges the company violated the law by collecting personal information from kids under 13 without parental consent and by enabling voice and text chat by default – an unfair practice that put kids and teens in risky contact with strangers. But to borrow a phrase from advertisers, “But wait! There’s more!” Much, much more in the form of a separate $245 million proposed settlement with Epic Games for using digital dark patterns to bill Fortnite players for unintentional in-game purchases.

How much money can a company take in by selling virtual costumes, dance moves, and piñatas shaped like llamas? It won’t surprise Fortnite fans to hear that the answer is billions, especially when, as the FTC alleges, Epic used a host of digital design tricks – dark patterns – to charge consumers for virtual merchandise without their express informed consent. What’s more, the FTC says when people disputed unauthorized charges with their credit card company, Epic locked their accounts, depriving them of access to content they had already paid for. The proposed FTC consent order is the agency’s largest administrative settlement to date. Continue reading for some insightful – and instructive – quotes from consumers and employees who didn’t hold back about their opinions of Epic’s tactics.

For the technological Rip Van Winkles among us, Fortnite is a hit video game with more than 400 million registered users, many of whom are kids. Although people can play the basic version for free, Epic charges for in-game purchases designed to enhance game play. The FTC alleges that with millions of consumers’ credit cards conveniently in hand, Epic failed to adequately explain its billing practices to customers and designed its interface in ways that led to unauthorized charges. You’ll want to read the complaint for details, but here are a few of the dark patterns the company allegedly used.

According to the complaint, Epic set up its payment system so that it saved by default the credit card that was associated with the account. That meant that kids could buy V-Bucks – the virtual currency necessary to make in-game purchases – with the simple press of a button. No separate cardholder consent was required. And although the currency was imaginary, the charges Epic packed on to Mom or Dad’s credit card were very real. What did parents and users have to say about Epic’s methods? Here are some examples:

    • “Hello Epic Games, The charges associated with this account were made without my authorization. This account is associated with my 10 year old son’s account and I am really disappointed that there is no check and balances that alerted me of these charges, and a 10 year old can purchase coins worth almost $500 so easily.”
    • “Epic Games is swindling parents with unauthorized game purchases, tricking young consumers & using shady practices for billing. I authorized a 1-time Epic Games purchase for my 11 yr-old son, only to discover EG did NOT erase my credit card info, & thus my son has been making unauthorized purchases, racking up $140 in less than 8 days after the initial authorized purchase.”

Epic’s own Fraud and Risk Consultant expressed similar concerns internally and recommended that the company require account holders to confirm their CVV numbers before charging the card on file: “This is standard / best practice and it prevents kids from using mom’s credit card without her permission[.]” However, by the time Epic finally took that advice, the company had already billed account holders for millions of V-Bucks transactions – many of which were unauthorized, according to the FTC.