DataBreaches.Net

Worst breach notifications of 2022

Posted on December 30, 2022 by Dissent

This is the time of year when many sites compile their lists of the worst breaches of the year. Some consider all sectors, some confine themselves to one sector. Many base their lists on the number of people affected, as reported to some regulator.

Over the years, I have compiled my own annual lists where the “worst breaches” were not always the biggest breaches, but may have been small-n breaches with the potential for great harm.

This year, I thought about compiling a list of the worst incident responses based on my experiences of trying to get information or answers. I see that Carly Page and Zack Whittaker of TechCrunch have posted a list based on their experiences. With one exception, none of the incidents they cite would have been on my list, because my list tends to focus on the healthcare sector.

But even focusing on healthcare incidents leaves waaaaay too many poorly handled incidents competing for top place on any such list. And when I tried to narrow it down further, I decided that rather than naming individual entities whose incident response was truly deplorable, I would just list my criteria for inclusion on my “These healthcare entities really did a piss-poor job of incident response” list.

So here we go:

  1. Lack of transparency about what happened, Part 1. Too many entities went backward on transparency this year. For example, rather than simply acknowledging that they were the victim of a ransomware attack, they described it as a “data security incident” and made no mention of any encryption of data, any ransom demand, or any ransom payment if one was made.
  2. Lack of transparency about when a breach was discovered. Too many entities claimed they “recently learned” of an incident when the truth was that they learned of it many months or even a year earlier. Many try to suggest that they reported a breach within 60 calendar days of discovery by misrepresenting the actual date of discovery. Under the HIPAA Breach Notification Rule (45 CFR 164.404), a breach is treated as discovered on the first day on which it is known, or by exercising reasonable diligence would have been known, to the covered entity or business associate. That is not the day you finished confirming everyone who was affected or every data type involved. It is the first day you knew or should have known that you had a breach, and the 60-day clock runs from that day.
  3. Lack of transparency about what happened, Part 2. Too many entities used weasel words about how data “may have been” accessed or acquired when they knew damned well that data was accessed or acquired. They then tried to minimize the risk further by claiming that they had no reports of any misuse of the data, as if the absence of reports were evidence that no misuse had occurred.
  4. Lack of transparency about their obligation to notify. Some entities tried to suggest that there was really no need or legal obligation to notify people of a breach by using language indicating that they were (only) notifying “in an abundance of caution” so that people could take steps to protect themselves if they thought it necessary. If you were required by law to notify, do not suggest that you are notifying “in an abundance of caution.”
  5. Lack of transparency about what happened, Part 3. One of the most infuriating attempts to minimize a breach occurs when an entity knows that protected health information has already been leaked on the dark web or the clear web but does not tell those affected that their data has been leaked. Notification is for the benefit of the ultimate victims, who need to assess their risk so that they can protect themselves. If you don’t tell them their data is out there publicly for anyone to grab and misuse, you have failed them totally, in this blogger’s opinion.
  6. Lack of transparency about what happened, Part 4. Then there are the entities that do not disclose breaches at all, even when they are required to by law. It would be nice if state and/or federal regulators went after a few of these and hit them with huge fines and monitoring as penalties.
  7. Lack of transparency about what happened, Part 5. Stonewalling the media. Do you think that if you just ignore our questions or refuse to answer them, we will publish your little self-serving press release uncritically? Well, maybe some lazy sites will, but not this site, folks. In 2023, no press release will be published here without pointing out what information the entity has not provided or is refusing to answer.

So… if you have done any of 1-7 above in your breach notifications this year, expect to get called out for that behavior in 2023.

As always, this site will also call out entities that do a good job on transparency or incident response. It’s just that there are more bad ones than good ones.

Wishing you all a healthy, happy, and breach-free New Year.

Category: Commentaries and Analyses

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.