Here's a roundup of this week's data breaches:
Gmail - Last week, nearly five million Gmail addresses and passwords were found on a Russian security site in addition to 123,000 yandex.ru addresses. This leak closely followed two other dumps of Russian email and password combinations last week--1.26 million Yandex accounts were leaked on Monday and 4.66 million Mail.ru accounts were leaked on Tuesday.
Central Utah Clinic – More than 31,000 patients at Central Utah Clinic may have had their personal information accessed in a data breach. While the hospital says it successfully defends against many cyber attackers every month, the hospital’s IT professionals discovered on June 9 that an attacker had compromised one of the hospital’s servers that contained radiology reporters dating back from 2010. The server also contained some names, dates of birth, Social Security numbers, addresses and phone numbers. There is no evidence that information was viewed or copied during the breach. “These attacks are an unfortunate aspect of information technology and modern healthcare is not immune from this,” said Central Utah Clinic CEO Scott Barlow.
JP Morgan – Ever since the FBI announced it was investigating a potential breach at JP Morgan Chase at the end of August, information about the breach has trickled out partially through anonymous sources. This week, sources close to the investigation told the New York Times that the investigation has revealed that hackers had infiltrated as many as 90 bank servers over the course of two months. In doing this, the hackers gained access to a million customer accounts as well as a list of the bank’s installed software. Another anonymous source said that hackers were not able to access Social Security numbers or financial information. Until the investigation is complete, we won’t know the full details—including if other banks were also breached and if this was a state-sponsored attack out of Russia.
George Mason University – Approximately 4,400 individuals may have had their personal information breached in a malware attack against George Mason University. The university says it discovered the malware on July 16 on a server hosting the Travel Request Service, which is used to help university members book subsidized travel. The University’s Vice President for IT, Marilyn Smith, told SC Magazine that while the server held names and Social Security numbers, the school doesn’t believe that any sensitive data was accessed.
Tampa General Hospital – Nearly 700 Tampa General Hospital patients have been notified that their personal and medical information was accessed by a former hospital employee. This information included Social Security numbers, names, addresses, dates of birth, diagnoses, and insurance information. The breach was discovered when police notified TGH that hospital documents had been discovered in a car during a traffic stop and arrest. The arrested individual didn’t work at the hospital, but the documents were traced back to a hospital staffer who was then fired. The hospital told Fox News that the employee had been at TGH since 2009 in a non-clinical role. The hospital says it is implementing blocks around who can access patients’ Social Security numbers and is increasing employee training.
Napa Health & Human Services Agency – Personal data was an unforeseen casualty in the earthquake that hit California last month, according to the Napa County In Home Supportive Services (IHSS) program. On August 27—three days after the earthquake—the Comprehensive Services for Other Adults Division of Health and Human Services discovered that a thumb drive was missing from a locked office that had been damaged during the earthquake. While the thumb drive did not contain Social Security numbers, it did have clients’ names, addresses, phone numbers, and other limited information about care received.
Yandy.com – If you recently bought lingerie and costumes from online retailer Yandy.com, it might be smart to check your credit report. On August 18th, 2014, Yandy.com discovered that an “unauthorized, external cyber-attack” had hit its website, exposing customer payment card data. Yandy reported the breach and says it cannot determine if data was exposed during the breach. While it’s pretty typical for data breach notification letters to include an offer of a year of free credit monitoring, Yandy is offering no such service to their customers.
