At a glance.
- QuestionPro threatened with data extortion after possible breach.
- Tips for complying with Australia’s data breach rules.
- Recent health data breaches in the United States.
QuestionPro threatened with data extortion after possible breach.
QuestionPro, an online market research service, has revealed that it suffered an extortion attempt in which a cyber actor threatened to release stolen data containing records for around 22 million unique email addresses unless the company remitted payment in bitcoin. QuestionPro says it has not responded to the hacker’s demands and is currently investigating whether a data breach actually occurred. The prolific “pompompurin” hacker, who has claimed responsibility for several recent high-profile attacks, including the breach of the US Federal Bureau of Investigation’s law enforcement enterprise portal and the theft of customer data from the American financial services giant Robinhood, told BleepingComputer that he acquired the database in May, but another hacker appears to be behind the extortion effort. The stolen records include email addresses, IP addresses, geographic locations and other information related to QuestionPro surveys. Troy Hunt, owner of the data breach notification service Have I Been Pwned, says he will add the incident to his site as an “unverified” breach, and subscribers found in the database will be notified.
Tips for complying with Australia’s data breach rules.
This year’s breach reporting period for the Office of the Australian Information Commissioner’s Notifiable Data Breaches scheme ended at the end of June. In previous years, the healthcare sector has been the most targeted by threat actors, and while this year’s official report has yet to be released, Lexology offers advice in the meantime to healthcare organizations seeking to prevent the theft of medical information. Organizations should be wary of electronic forms that automatically pre-populate information, as well as of suspicious links or files. Other recommendations include training staff to recognize phishing scams, verifying patient identities, and properly managing personal records. To comply with Australian Privacy Principle 11, organizations must take adequate steps to detect data breaches in a timely manner, which means monitoring systems for unusual activity, securing paper records and ensuring that staff know how to report suspected data breaches internally.
Recent health data breaches in the United States.
US medical organizations continue to be the target of data breaches. Home healthcare provider Healthback Holdings, based in the US state of Oklahoma, suffered an email breach in June that compromised the personal data of more than 21,000 people. Becker’s Hospital Review reports that the exposed patient data includes names, health insurance information and Social Security numbers.
Becker’s Hospital Review also reports that Central Maine Medical Center disclosed a cyberattack in June that led to the breach of protected health information of nearly 12,000 patients. According to the required breach notification, the hospital’s computer system was infiltrated by an unauthorized user, but it is not known what type of data was compromised.
In a statement posted on its website, First Choice Community Healthcare Inc. indicates that an unauthorized third party may have accessed personal and protected health information. The New Mexico-based health system has yet to find evidence that the data involved (which could include names, Social Security numbers, clinical diagnosis and treatment information, medications, and health insurance information) was misused, but First Choice has begun notifying patients of the incident. BizJournals reports that the breach was first detected in March, when First Choice began an investigation to determine its extent. That investigation ended in June, but the exact number of people affected has not been disclosed.