LastPass says hackers stole customer support case data during Klue breach

Password manager LastPass is still dealing with the settlement from its 2022 data breach (see Related Posts, below, for background on that), but now it has another breach to disclose. Zack Whittaker reports: Password manager maker LastPass is notifying customers that their personal information and customer support case records were stolen during a recent hack...

Source

Xsolis breach affected 1,396,519 of its clients’ patients

Xsolis, Inc. is a business associate in the healthcare sector, providing utilization and case management services. They describe themselves as applying “industry-leading AI and automation to ensure appropriate care settings and accelerate collaboration across a connected network of providers and payers.” On June 19, the California Attorney General’s Office posted a copy of a breach notification...

Source

Power company in Japan fears data breach after losing storage drive containing customer details

Buranond Kijwatanachai reports: Private personal information of nearly 11 million people may have been leaked after a Kyushu power company lost a storage drive earlier this year. According to Asahi Shimbun, the storage drive was discovered missing on 26 May. The company insists that sensitive financial information was not leaked. On 27 April, a contractor for...

Source

LA: St. George fire district sues IT company over cyberattack

Deon Guillory reports: St. George Fire Protection District No. 2 filed a lawsuit against its former IT security provider, alleging the company’s failures led to a cyberattack that compromised the fire district’s network. The lawsuit, filed March 20 in the 19th Judicial District Court, claims General Informatics LLC breached its contract and fiduciary duty by...

Source

FTC Gives Final Approval to Order Against Illuminate Settling Allegations It Failed to Secure Students’ Personal Data

From an FTC press release of June 5: Following a public comment period, the Federal Trade Commission finalized a modified order requiring Illuminate Education Inc. to implement a data security program, limit collection and retention of consumer data, and delete unnecessary data to settle charges that the company’s data security failures led to a major...

Source

French Health Payments Breach Exposed ID Data, Fuels Fraud Fears

Michel Gribouille reports: A major French health-care payments middleman says hackers broke into a key authorization portal and may have exposed sensitive personal data, including France’s equivalent of a Social Security number, setting off warnings about identity theft and scam attempts. Almerys, a company that helps process “third-party payment” transactions so patients don’t have to...

Source

PowerSchool’s $17.25 Million Settlement Exposes Years of Student Data Tracking

If you ask most people what breach PowerSchool experienced, their first response might be the 2024 hacking incident that affected tens of millions of students. But even before that breach, there was another significant breach involving PowerSchool that began in 2021. Colin Lee and Koji Edmunds report: In early April, many students across the world...

Source

Rhode Island’s workers’ compensation notifies those affected by January data breach

Rhode Island residents may understandably wonder about the state’s vendor security monitoring. First, it was the Deloitte and the RIBridges data breach that affected more than 730,000 residents. Now the vendor that administers the state’s workers’ compensation insurance has disclosed a breach affecting 131,000 residents, including 4,500 former and current state employees. Alexander Castro reports:...

Source

Trump Mobile confirms it exposed customers’ personal data, unclear whether it will notify those affected

Lorenzo Franceschi-Bicchierai reports: Phone provider Trump Mobile has confirmed that it was exposing customers’ names, email addresses, mailing addresses, cell numbers, and order identifiers to the open internet. Chris Walker, a spokesperson for the Trump-branded phone maker, told TechCrunch that the company is investigating the exposure and has not found evidence that content or financial...

Source

Hackers steal patient and billing data from German hospitals via third-party provider

Daryna Antoniuk reports: German university hospitals are grappling with a large-scale patient data breach after unknown hackers targeted an external billing service provider used by medical centers across the country, according to statements from several affected medical institutions. The attack reportedly hit Unimed, a company that handles billing services for privately insured and self-paying patients on behalf...

Source

Congress Learns of Prescription Data Hack Months Later

Ben Smith reports: Lawmakers are only now learning that hackers breached a congressional medical contractor more than two months ago. RXNT, a healthcare software company used by the Office of the Attending Physician (OAP) to manage prescription services for Congress, was breached on March 1 and March 3. Hackers obtained copies of patient data stored within the platform. The...

Source

Illuminate wins another round in court, but it may not all be over

The Supreme Court of California has ruled in J.M. v. Illuminate Education, Inc., a case closely watched by those concerned about holding edtech vendors liable in the event of a data breach. As background on the case: In December 2021, Illuminate suffered a data breach that affected 1.7 million students in New York, 434,000 students...

Source

Missouri regulators escalate pressure on Conduent over data breach potentially affecting millions

Sarah Motter reports: Missouri regulators say a major national vendor is stonewalling their investigation into a cybersecurity breach that could affect millions of consumers. The Missouri Department of Commerce and Insurance now says it is escalating its response to the cybersecurity breach at Conduent Business Services. Conduent is a national vendor that handles sensitive insurance...

Source

When Your Vendor’s Breach Becomes Your Lawsuit: Privacy Risk Lessons from Recent Bank Litigation

Nancy Eff Presnell, Gene F. Price, and Matthew R. Schantz write: A recent high-profile incident illustrates the growing litigation and regulatory risks that financial institutions face from vendor-driven data breaches. Within weeks of a national bank confirming a data security incident at a third-party service provider, at least two putative class actions were filed, though...

Source

Instructure discloses second data breach in less than a year

Instructure defines itself as the “O.G. champions of open edtech. The makers of Canvas, Mastery, and Parchment (solutions for learning, assessment, and credentialing). Host of the world’s largest online community of educators. (And yes—we’re ‘the panda people.’). We build industry-leading edtech, empowering both teachers and learners at every step of their journey.” Sadly, they were...

Source

NYSDFS Secures $2.25 Million Cybersecurity Settlement with Delta Dental

There is an update regarding the 2023 Delta Dental breach involving MOVEit software. Delta Dental was one of many customers whose patient data was exposed after Clop exploited a zero-day vulnerability to attack MOVEit and acquire its clients’ data. More than 7 million patients were reportedly affected by the breach, although the number specific to New...

Source

Unprecedented: Private Equity Firm Potentially on Hook for PowerSchool’s Data Breach

Tyler Bridegan, Scott Hyman, Patrick Strubbe, and Sarah Wilk of Womble Bond Dickinson write: In a first of its kind, a California federal judge allowed claims against Bain Capital to proceed based on a data breach at its subsidiary, PowerSchool. Notably, many of the claims are based on conduct that occurred before Bain’s acquisition of PowerSchool. Although...

Source

OCR Announces Settlements of Four Ransomware Investigations that Affected Over 427,000 Individuals

Yesterday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced settlements with four regulated entities following separate ransomware investigations under HIPAA’s Security Rule. For those keeping count: the resolutions announced mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative. The settlements follow...

Source

BlueLeaks 2.0: 7,300+ Schools, Referral Systems Reported, and a Breach Navigate360 Still Hasn’t Publicly Confirmed

Overview and Background: This is the first of what will likely be several updates to this site’s exclusive reporting on the “BlueLeaks 2.0” incident that exposed anonymous and sensitive tips by and about students on a platform that promised them anonymity and security. DDoSecrets.org named the incident “Blue Leaks 2.0” because, like a previous leak...

Source

Qilin’s 2024 attack on NHS vendor continues to impact patient care for one NHS Trust

Long-term follow-ups are important, and DataBreaches is glad that Alexander Martin points out that at least one NHS Trust is still impacted by the Qilin ransomware attack on Synnovis in 2024. From his reporting: At South London and Maudsley NHS Foundation Trust (SLaM), pathology systems have not been restored as of publication, with the trust...

Source
