In December 2023, UW’s Fred Hutchinson Cancer Center (“Fred Hutch”) reported a November cyberattack that involved the exfiltration of patient data and attempted extortion of patients. DataBreaches contacted Fred Hutch on December 8 to ask whether the attackers had encrypted their files and whether they had negotiated with the threat actors. They did not reply….
Category: Of Note
UK makes weak default passwords illegal
Three cheers for the U.K. on this one. Kevin Purdy reports: If you build a gadget that connects to the Internet and sell it in the United Kingdom, you can no longer make the default password “password.” In fact, you’re not supposed to have default passwords at all. A new version of the 2022 Product Security…
FTC Finalizes Changes to the Health Breach Notification Rule
The Federal Trade Commission today announced it has finalized changes to the Health Breach Notification Rule (HBNR) that will strengthen and modernize the rule by clarifying its applicability to health apps and other similar technologies and expanding the information that covered entities must provide to consumers when notifying them of a breach of their health…
Wealthy Taxpayers Alerted to Leaked Data Years After IRS Breach
Erin Schilling reports: Some taxpayers are learning that their data was leaked in the widespread breach by a former IRS contractor that led to the release of former President Donald Trump’s tax returns. Four tax lawyers said they have seen letters from the IRS that went to clients this week and last week notifying them…
UnitedHealth paid ransom to bad actors, says patient data was compromised in Change Healthcare cyberattack (1)
Ashley Capoot reports: UnitedHealth Group on Monday said it paid ransom to cyberthreat actors to try and protect patient data, following the February cyberattack on its subsidiary Change Healthcare. The company also confirmed that files containing personal information were compromised in the breach. “This attack was conducted by malicious threat actors, and we continue to…
International investigation disrupts phishing-as-a-service platform LabHost – EUROPOL
This week, law enforcement from 19 countries severely disrupted one of the world’s largest phishing-as-a-service platforms, known as LabHost. This year-long operation, coordinated at the international level by Europol, resulted in the compromise of LabHost’s infrastructure. Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting…