Strac's weekly newsletter - Latest news in Data Privacy

Stay Informed with the Latest News in Data Privacy and Learn about Exciting Job Opportunities

01. How a Novel Legal Maneuver Got a Hospital's Stolen Data Back

Claxton-Hepburn Medical Center, part of the North Star Health Alliance, employed a novel legal strategy to recover stolen data after a ransomware attack by the LockBit gang. The hospital filed a lawsuit against anonymous individuals associated with LockBit, leading to the return of the stolen data by a cloud services firm, Wasabi Technologies.

02. Fidelity National Financial Details LoanCare Breach

Fidelity National Financial, a major mortgage industry player, experienced a hacking incident, affecting 1.3 million U.S. customers. The breach involved unauthorized access, malware deployment, and data exfiltration. The real estate title insurance provider, based in Jacksonville, Florida, assured investors of no material impact on the company. The attack targeted LoanCare, a Fidelity subsidiary, and was claimed by the BlackCat ransomware group. Fidelity took containment measures, temporarily disrupting various subsidiaries. The company has completed notifying affected customers, offering credit monitoring, and faces legal challenges, including a proposed class-action lawsuit alleging failure to implement reasonable cybersecurity measures.

03. Fallout Mounting From Recent Major Health Data Hacks

Recent major health data hacks, including those at Perry Johnson and Associates, Prospect Medical Holdings, and Orrick, Herrington & Sutcliffe LLP, are causing a growing list of affected individuals and triggering lawsuits. Perry Johnson and Associates reported a breach affecting nearly 9 million individuals, with subsequent disclosures by its clients, including North Kansas City Hospital. Prospect Medical Holdings, hit by Rhysida ransomware, expanded the impact to nearly three dozen health plans. Orrick updated its hacking incident affecting 637,620 individuals, settling proposed class action lawsuits. The growing fallout is attributed to ongoing investigations, forensic discoveries, and third-party involvement.

04. NYS: Clinic Must Pay $450K Fine and Spend $1.2M on Security

The Refuah Health Center in Spring Valley, N.Y., has settled with the New York attorney general over a 2021 ransomware attack. The federally funded health center must pay a fine of up to $450,000 and invest over $1 million in improving its data security. The settlement requires a minimum payment of $350,000, with a potential $100,000 suspension if the center enhances its cybersecurity program.

05. Singing River Health System Confirms Ransomware Attack Affected 253,000 Patients

Singing River Health System in Mississippi confirmed a ransomware attack in August 2023, compromising the PHI of 253,000 patients. Other healthcare entities, including Highlands Oncology Group, Fincantieri Marine Group, Senior Scripts, and Family Healthcare, also reported data breaches due to ransomware attacks. The affected individuals have been notified, and some are offered complimentary credit monitoring and identity theft protection services. The incidents highlight the ongoing cybersecurity challenges faced by healthcare organizations and the potential exposure of sensitive patient information.

Strac’s Latest Views on Securing User Data

01. Does ChatGPT Save Your Data?

In this blog post, Hans Hermans, Founding Engineer at Strac, discusses the data handling practices of ChatGPT, highlighting the types of data collected, the associated risks, and vulnerabilities. He also introduces Strac's ChatGPT Data Loss Prevention (DLP) solution, emphasizing key features such as real-time remediation and configurable security settings to address potential data vulnerabilities.

02. How to Mask Sensitive Data in PostgreSQL?

This article discusses data security in PostgreSQL databases, highlighting risks such as SQL injection, malware, and misconfigurations. It explores data masking techniques and the limitations of native tools. The importance of Data Loss Prevention (DLP) in securing PostgreSQL is also discussed, with a focus on Strac DLP's features including access controls, data encryption, activity monitoring, and data masking. The article provides insights into how Strac DLP can selectively mask sensitive data in PostgreSQL, using techniques like tokenization, pseudonyms, and partial masking.

03. Is DLP (Data Loss Prevention) a requirement for ISO 27001?

In this blog post, Strac founder Aatish Mandelecha provides an extensive review of ISO 27001:2022, which introduces 11 new controls, with a focus on Data Loss Prevention (DLP). Strac DLP software addresses these requirements by automatically detecting and securing sensitive data in SaaS applications and on endpoints. It offers remediation and redaction tools, real-time alerts, and employee education for data security. Strac allows customizable data classification and generates comprehensive audit reports for ISO 27001 compliance, aligning with controls related to information deletion, data masking, monitoring activities, and secure coding. The software enhances data security in the cloud and provides a comprehensive, automated solution for businesses aiming to align with ISO 27001:2022.

Security Jobs On The Market

Substack is hiring a Security Engineer

Looking for: “an experienced engineer to bring security expertise to Substack’s engineering team.”

Skills required: 4+ years of relevant experience in security engineering or security architecture; domain knowledge across cybersecurity disciplines, with a focus on application and cloud security; the ability to work independently and autonomously; holding yourself and others to a high standard when working on production systems; and enjoying collaboration with a diverse group of stakeholders while bringing your own unique experience and background to the team.

Learn more here

Twitter is hiring a Privacy and Data Protection Risk Analyst

Looking for: “an experienced Privacy and Data Protection Risk Analyst to help evolve and support the privacy risk management program at Twitter.”

Skills required: 6+ years of work experience in risk management for technology and data processes and environments; 3+ years of work experience in privacy or technology law, policy, programs, or other related fields; a Bachelor's degree in Business, Computer Science, or a related field; hands-on practice executing qualitative and quantitative risk analysis on complex environments; experience in heavily technological environments and matrixed organizations; knowledge of privacy compliance standards (e.g. ISO 27701) and/or regulations (e.g. GDPR) and risk management frameworks (e.g. ISO 31000 or NIST 800-53); a proven track record of collaborating with cross-functional groups to set objectives and produce results; experience managing, organizing, and coordinating projects and process improvements within a program. CIPP and CDPSE privacy certifications are not required but are preferred; CRISC, CISSP, and CISA security and risk management certifications are not required but are preferred.

Learn more here

Worf.ai is hiring a Security Engineer (Founding Engineer)

Looking for: “a Security Engineer (Founding Engineer) to monitor and analyze security alerts, ensuring that potential threats are identified and addressed promptly.”

Skills required: a Bachelor's or Master's degree in Cybersecurity, Computer Science, or a related field; proven experience as a security analyst or in a similar role; familiarity with various security frameworks, standards, and best practices; strong analytical and problem-solving skills; the ability to work in a fast-paced, dynamic startup environment; excellent written and verbal communication skills; experience with AI-driven security tools is a plus but not mandatory.

Learn more here