Colorado Privacy Act Passed and Awaits State Governor’s Signature
Jun 17

Colorado has joined California and Virginia in passing a comprehensive data privacy law to protect state residents. It has taken several amendments to get the Colorado Privacy Act over the line, but the Act was finally passed unanimously by the state Senate on June 8, 2021 and now awaits the signature of state governor Jared Polis. The Colorado Privacy Act applies to all data controllers that conduct business in Colorado that control or process the personal data of 100,000 or more Colorado resident consumers in a calendar year or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado resident consumers. Exceptions include protected health information collected, processed, or stored by HIPAA-covered entities and their business associates, and any personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), data regulated by the Children’s Online Privacy Protection Act of 1998 (COPPA), and individual[s] acting in a commercial or...

Connecticut Legislature Enhances Data Breach Notification Law
Jun 17

The Connecticut legislature has enhanced its data breach notification law, expanding the definition of personal information and shortening the maximum time frame for issuing breach notifications. The new law brings the data breach notification requirements in the state of Connecticut in line with those of other states that have recently updated their own privacy and security laws. The new data breach notification law was unanimously passed by the House of Representatives and the Senate and now awaits state Governor Ned Lamont’s signature. “Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so. Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved,” said Attorney General William Tong. “This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents.” Previously, notification letters were only required for breaches of an individual’s first name or initial...

Arizona Asthma and Allergy Institute Notifies 70,372 Patients About Data Breach
Jun 16

Arizona Asthma and Allergy Institute has issued breach notification letters to 70,372 patients who received services between October 1, 2015 and June 15, 2020. According to the breach notice, a range of their personal and protected health information including names, patient ID numbers, provider names, health insurance information, and treatment cost information was exposed online under the name of a different organization for a brief period in September 2020. After being alerted about the exposed data, a third-party forensics company was engaged to investigate the breach. The investigation concluded on March 8, 2021 and confirmed that protected health information had been exposed. According to databreaches.net, which contacted Arizona Asthma and Allergy Institute to alert them about the breach, this was a ransomware attack by the Maze ransomware operation. Sensitive data obtained in the breach had been posted to the Maze Group’s data leak site for a short period in September under the name Medical Management Inc.

Stillwater Medical Center Investigation Security Breach

Stillwater...

SEIU 775 Benefits Group Data Breach Impacts 140,000 Individuals
Jun 16

A benefits administrator for home healthcare and nursing home workers, Service Employees International Union 775 (SEIU 775) Benefits Group, has experienced a cyberattack that resulted in the deletion of sensitive data. IT staff detected anomalies within SEIU 775’s data systems on or around April 4, 2021, which included the deletion of certain data. An investigation was launched into the malicious activity, led by third-party cybersecurity experts and forensic consultants. The investigation confirmed that its systems had been hacked and the data of unknown individuals had been deleted, including personally identifiable and protected health information. While information was deleted, no evidence was found to indicate any PII or PHI was viewed or acquired by the attackers and there have been no reported cases of misuse of data. Data potentially compromised included names, addresses, and demographic data along with Social Security numbers and potentially health plan eligibility information. Upon discovery of the malicious activity, steps were immediately taken to prevent further...

Avaddon Ransomware Operation Shuts Down and Releases Decryption Keys
Jun 15

The Avaddon ransomware-as-a-service operation was shut down on Friday and the threat group released the decryption keys for all victims. Bleeping Computer was sent an email with a password and a link to a password-protected ZIP file that contained the private keys for 2,934 Avaddon ransomware victims. The keys were confirmed as legitimate by Emsisoft and Coveware, with the former now having released a free decryptor that can be used by all Avaddon ransomware victims to decrypt their files. Avaddon is a relatively new ransomware-as-a-service operation which started up in March 2020. The threat group behind the operation recruited affiliates to conduct attacks and provided them with a portal through which they could generate copies of the ransomware to conduct their own attacks. All ransoms generated were then shared between the affiliate and the RaaS operator. It is not uncommon for RaaS operations to suddenly stop and release the keys for victims that have not yet paid, but the timing of the shutdown suggests the RaaS operator may have got nervous with the increased focus of...
