Data Breaches

DataBreaches is generally a great fan of state attorneys general taking enforcement action stemming from data breaches where the security was really subpar or the entity did not notify those affected in a reasonable amount of time. But two enforcement actions in New York have me wondering if the state has been a bit unfair… Source

Last week, it appeared that Clinical Diagnostics (“Eurofins”) had paid a gang’s demands not to leak patient data that Nova had exfiltrated during a ransomware attack in July. Clinical Diagnostics in the Netheralands held patient data on 485,000 Dutch women in a cervical cancer screening program. Nova confirmed the payment to a Dutch news outlet…. Source

In February 2020, DataBreaches reported that patients of Community Care Physicians in New York may have had their protected health information, date of birth, and insurance coverage exposed as a result of a ransomware attack by Maze Team at the Albany-based accounting firm BST & Co. CPAs.  The incident was reported at the time to… Source

Carly Page reports: Microsoft-owned talk-to-text outfit Nuance has agreed to cough up $8.5 million to settle a class action lawsuit over the sprawling MOVEit Transfer mega-breach – although it admits no liability. The proposed deal [PDF], filed in a Massachusetts federal court last week, would draw a line under litigation brought by individuals who claimed that the company failed… Source

The420.in reports: The Delhi Police have arrested 18 individuals for duping State Bank of India (SBI) credit card holders of nearly ₹2.6 crore [USD $296,630.45] in a nationwide fraud. The operation, which ran for six months, relied on insider leaks at a Gurugram-based call centre and a sophisticated money-laundering network that spanned cash deals and… Source

For the “No need to hack when it’s leaking” and the “our government is our insider threat” files, Chiara Eisner of NPR reports: Papers with U.S. State Department markings, found Friday morning in the business center of an Alaskan hotel, revealed previously undisclosed and potentially sensitive details about the Aug. 15 meetings between President Donald… Source

On March 21, 2025, Fundamental Administrative Services, LLC (“Fundamental”), a Maryland-headquartered service provider to long-term care facilities, notified HHS of a breach involving unauthorized access to its network. At the time, they used a “500” placeholder for the number affected, but also posted a substitute notice on their website. This week, Fundamental issued a press… Source

There is an update to a phishing incident in 2021 that impacted more than 89,000 people with Healthplex dental insurance. DataBreaches notes that the NYDFS settlement announced below is not the first settlement stemming from this incident. In December 2023, the NY Attorney General’s Office announced a $400,000 settlement with Healthplex. Both the 2023 and… Source

Serena Barker-Singh reports: Up to 3,700 Afghans brought to the UK between January and March 2024 have potentially been impacted as names, passport details and information from the Afghan Relocations and Assistance Policy has been compromised again, this time by a breach on a third party supplier used by the Ministry of Defence (MoD). This was not… Source

Mallika Sheshadri reports: Kokomo Solutions, a technology vendor that provides Los Angeles Unified School District students with telehealth services and a tip line to report suspicious activity, has fallen prey to a data breach. The company noticed “unusual activity on our computer network” on Dec. 11, 2024 — but did not file a data breach notice with the… Source