HHS’s Office for Civil Rights (OCR) has levied a $40,000 fine against Green Ridge Behavioral Health, a Maryland psychiatric health services provider, for HIPAA violations related to a ransomware attack on the company.
Green Ridge experienced a ransomware attack in 2019 that encrypted the healthcare records of some 14,000 patients. Though the company did not pay the ransom and was able to recover its systems from backups, the OCR investigation revealed it to have been well out of compliance with HIPAA regulations.
Green Ridge Behavioral Health failed to:
- Have in place an accurate and thorough analysis to determine the potential risks and vulnerabilities to electronic protected health information;
- Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level; and
- Have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.
Under the terms of the settlement with Green Ridge, HHS required the company to:
- Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
- Design a Risk Management Plan to address and mitigate security risks and vulnerabilities found in the Risk Analysis;
- Review, develop, or revise its written policies and procedures to comply with the HIPAA Rules;
- Provide workforce training on HIPAA policies and procedures;
- Conduct an audit of all third-party arrangements to ensure appropriate business associate agreements are in place, where applicable; and
- Report to OCR when workforce members fail to comply with HIPAA.
This is the second time that OCR has fined a HIPAA regulated company for violations identified during a ransomware investigation.
Steve Hahn, Executive VP at BullWall, had this comment:
“There is a reason HIPAA has strict compliance guidelines and cyber security is supremely important to the security of patient information. Ransomware attacks on medical service providers have become a serious threat to public health and safety. These attacks not only disrupt the delivery of essential medical services, but always compromise the security of sensitive patient information. The impact of these attacks can in fact be devastating, as they can leave medical providers struggling to recover their data and regain control of their systems. In this case, Green Ridge did not pay the ransom, but whether the ransom is paid or not, the costs in dollars and lost patient services severely cripple these already struggling institutions.
“Hospitals and healthcare organizations are particularly attractive targets for cybercriminals, and their reliance on technology to manage everything from patient records to surgical equipment makes them uniquely vulnerable. It is very encouraging to see OCR enforcing compliance with a cyber security “Best Practices” approach for providers.”
Mark B. Cooper, President & Founder of PKI Solutions, follows with this:
“The fact that this is only the second time OCR has fined a HIPAA company for violations after a cyberattack should be a wake-up call for the Security Teams at every health services provider. Medical records are far more valuable for hackers than credit card numbers or Social Security numbers, so a mindset shift is needed into proactive monitoring and visibility in critical infrastructure protection (CIP) misconfigurations should be a priority and not an afterthought. Invest in proactive monitoring and visibility now or pay later.”
I’m all for punishing companies that don’t have their act together when it comes to security. The fact that this company got pwned, and then got punished for getting pwned, should send the message that everyone needs to up their game. Or else.

Allstate Sued by NY Over Data Breach And Security Lapses
Posted in Commentary with tags Hacked, Lawsuit on March 10, 2025 by itnerd
New York state sued Allstate accusing the insurer’s National General unit of failing to report a data breach that exposed drivers’ license numbers, and lacking reasonable safeguards to protect drivers’ private information. From Reuters:
The lawsuit by New York Attorney General Letitia James was filed in a state court in Manhattan.
James said National General’s poor data security led to back-to-back breaches in 2020 and 2021, when hackers targeting its online auto insurance quoting tools accessed license numbers of more than 165,000 New Yorkers and 199,000 people overall.
National General allegedly did not notify drivers or New York state agencies about the first breach, which occurred between August and November 2020, and needed three months to uncover the much larger second breach in January 2021.
James said National General violated the state’s Stop Hacks and Improve Electronic Data Security Act for failing to protect customer information, and violated state consumer protection laws by misleading customers about its data security practices.
The lawsuit seeks civil fines of $5,000 per violation, plus other remedies.
“National General’s weak cybersecurity emboldened hackers to steal New Yorkers’ personal data, not once but twice,” James said. “It is crucial that companies take cybersecurity seriously to protect consumers from fraud and identity theft.”
Erich Kron, security awareness advocate at cybersecurity company KnowBe4, commented:
“As organizations gather more and more information about individuals, the risk of data breaches continues to grow. For many people it feels as if every week contains some sort of news about a significant data breach, and in many cases these people are getting a bit of breach fatigue. Unfortunately, it seems that the amount of data around each person that is being lost in these breaches continues to grow, so it’s no longer just a name, address, and maybe a credit card number or phone number, but now a lot more personal information is included.
“Insurance organizations are well known for collecting and using credit information to influence rates, and to check credit they need to collect some rather sensitive data such as Social Security numbers. In addition, insurers are asking customers to install telemetry devices in their vehicles, or through their phone apps, to track their location, speed, time of driving, braking and acceleration data, and a laundry list of other bits of data that most people would probably prefer remains private.
“Given the amount of information collected, it is extremely discouraging to see organizations try to cover up breaches or fail to notify victims of breaches in a timely manner. By failing to notify the victims, bad actors can use the stolen data against the customers in a number of ways. One easy way a bad actor could use this against a customer is to contact them while pretending to be from the insurance company, then convincing them that they need to pay a bill, or that their bill has gone up due to their driving behaviors. If the scammer can reference a time and date when that person was actually driving the vehicle, it could have the effect of convincing the victim that this really is the insurance company contacting them, and that they need to pay this additional fee or have their insurance dropped.
“While we still seem to concern ourselves when Social Security numbers and other information like that is stolen, organizations seem not to value this other information in the same way, however it can be used against their customers easily. When a data breach occurs, organizations should contact the victims whose data has been stolen and provide them advice in a timely and actionable way. If
I have one word to say on this.
Good!
The thing is that some companies will only take cybersecurity seriously if the financial penalties and reputational damage are greater than the cost of covering up an incident. This is something that is proven to work in the EU. And it’s about time that this approach is seen here in North America.