UnitedHealth says data of 100 million stolen in Change Healthcare breach
- UnitedHealth has confirmed that a significant data breach involving its subsidiary Change Healthcare has affected over 100 million individuals, making it one of the largest healthcare data breaches in recent history.
- This breach was initially reported following a February ransomware attack orchestrated by the BlackCat (ALPHV) ransomware gang, which exploited vulnerabilities in the company’s Citrix remote access service that lacked multi-factor authentication.
- The breach exposed a wide array of sensitive information, including: Health insurance details (e.g., policy numbers, member IDs), Medical records (e.g., diagnoses, treatment histories), Billing information (e.g., claim numbers, payment details), Personal identifiers (e.g., Social Security numbers, driver’s licenses)
- The U.S. Department of Health and Human Services updated its records to reflect the scale of the breach, confirming that Change Healthcare had sent notifications to approximately 100 million individuals regarding the incident.
Henry Schein discloses data breach a year after ransomware attack
- Henry Schein has reported a significant data breach affecting over 160,000 individuals due to two cyberattacks by the BlackCat ransomware gang in 2023.
- Approximately 35 TB of sensitive files were stolen during these incidents.
- The first attack prompted the company to take systems offline on October 15, disrupting manufacturing and distribution operations.
- The BlackCat gang claimed responsibility and threatened further encryption of the network if their ransom demands were not met.
- A second attack occurred on November 22, with some stolen data released on the gang’s leak site.
- In a notification to the Maine Attorney General, Henry Schein confirmed that 166,432 people’s personal data was compromised.
- The company has engaged an external firm to assess the breach and is offering a free 24-month membership to Experian’s IdentityWorksSM for credit monitoring and fraud detection to those affected.
Insurance admin Landmark says data breach impacts 800,000 people
- Landmark Admin has reported a data breach affecting over 800,000 individuals due to a cyberattack detected on May 13, 2024.
- The company, which provides administrative services for insurance carriers, shut down its IT systems to contain the incident and engaged a third-party cybersecurity firm to investigate.
- The investigation revealed that the attackers accessed files containing sensitive personal information of 806,519 people, including names, addresses, Social Security numbers, driver’s license numbers, financial account details, medical information, and health insurance policy numbers. Affected individuals will be notified by mail regarding the specific information compromised.
- Landmark has not yet identified the responsible threat actors or confirmed whether the attack involved ransomware or data theft. The investigation is ongoing, and impacted individuals are advised to monitor their credit reports and bank accounts for any suspicious activity.
Data leaks: Irdai directs two insurers to conduct IT systems audit
- The Insurance Regulatory and Development Authority of India (Irdai) has directed two unnamed insurers to conduct audits of their IT systems due to recent data leaks affecting policyholders.
- This action follows a breach admitted by Star Health Insurance, while the second insurer’s identity remains undisclosed.
- Irdai is actively engaging with the management of these companies to address vulnerabilities and ensure the protection of policyholders’ interests.
- The insurers have been instructed to appoint independent auditors for a comprehensive review of their IT systems to eliminate vulnerabilities.
- The affected insurers have isolated the compromised systems and enlisted external IT security firms for root cause analysis. Vulnerabilities identified in the audit are being addressed, and preventive measures are being implemented, including system upgrades and rectification of API vulnerabilities.
LinkedIn Fined More Than $300 Million in Ireland Over Personal Data Processing
- Ireland’s Data Protection Commission (DPC) has fined LinkedIn €310 million (approximately $335 million) for serious violations of the European Union’s General Data Protection Regulation (GDPR).
- The fine stems from LinkedIn’s failure to obtain valid consent from users for processing their personal data to deliver targeted advertising, which the DPC determined was neither “freely given” nor “informed” as required by GDPR standards.
- The investigation, initiated in 2018 following a complaint from the French digital rights organization La Quadrature du Net, revealed that LinkedIn improperly justified its data processing practices under various legal bases, including consent, legitimate interests, and contractual necessity.
- The DPC found these justifications inadequate, emphasizing that LinkedIn did not provide clear information to users regarding their rights or the nature of data processing.
- Deputy Commissioner Graham Doyle stated that LinkedIn’s actions constituted a “clear and serious violation” of users’ fundamental rights to data protection.
- This fine is noted as one of the largest imposed under GDPR since its introduction in 2018.