On February 17, 2023, the state attorneys general of Pennsylvania and Ohio reached a settlement with Ohio-based DNA Diagnostics Center ("DDC") over a 2021 data breach that affected 2.1 million individuals nationwide and resulted in a breach of the personal information of nearly 46,000 patients. The hacking incident involved legacy data in databases that were not in business use but that DDC had acquired as part of an acquisition in 2012. As part of the settlement, DDC will pay a fine totaling $400,000. The company will also implement heightened data security measures, including updating the asset inventory of its network and disabling or removing data deemed unnecessary for any legitimate business purpose.

This settlement further indicates that companies that process genetic data, health information, and other sensitive categories of information will continue to catch the eye of regulators for data breaches, especially when those breaches result from outdated security practices. In addition to state AGs, companies regulated by the Health Insurance Portability and Accountability Act (HIPAA) need to be aware of potential enforcement by the Department of Health and Human Services, and all companies should be paying attention to FTC enforcement in this space, especially in light of the FTC's recent enforcement action against GoodRx. Businesses that process sensitive personal information in the ordinary course of business should proactively review and update their security practices to mitigate the risk of a security incident (and of the regulatory investigation that tends to follow). The settlement also highlights the importance of safeguarding legacy data. Organizations storing protected health information and other sensitive personal information should conduct risk analyses and comprehensive due diligence of legacy databases, along with monitoring the databases actively in use. Companies should also review and revise their data retention and disposal policies as needed to limit their exposure. We have provided a summary of the incident and settlement, as well as critical considerations, below. Please feel free to reach out to us with any questions you may have.

DDC is one of the largest private DNA testing laboratories in the United States. The affected databases contained sensitive information of over 2 million individuals who had received DNA testing services between 20, including names, Social Security numbers, and payment information. DDC had acquired these databases from Orchid Cellmark in 2012. The data had been archived and was not used for any business purpose; according to DDC, the company was unaware that it had been inadvertently transferred as part of the acquisition.

DDC discovered the breach that prompted the investigation on August 6, 2021, when it detected suspicious activity in some of its archived databases. The internal investigation concluded that the databases had been subject to unauthorized access between May 24 and July 28, 2021. An unauthorized third party had logged in via VPN on May 24 using a DDC account, having harvested credentials from a domain controller that held password information for every account in the network. Using a test account that had administrator privileges, the attacker installed Cobalt Strike, a post-exploitation framework, and used it to exfiltrate data over the course of two months. Five servers containing backups of 28 databases were compromised in the incident. In September 2021, the threat actor demanded payment from DDC for the return and deletion of the stolen data, and payment was made.

According to court documents, a third-party breach-monitoring vendor had detected the intrusion before DDC did and had attempted to notify DDC of the suspicious activity; those alerts went unnoticed by company employees for nearly two months. The states' attorneys general concluded that DDC engaged in deceptive or unfair cybersecurity practices by making material misrepresentations in its privacy policy about how it safeguarded consumers' personal information, which left that data vulnerable to unauthorized access. In addition to the fine, the settlement requires DDC to maintain reasonable security policies to protect consumer personal information. DDC will also ensure timely software updates, penetration testing of its networks, and the implementation of reasonable access controls such as multi-factor authentication.
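The intrusion described in the incident summary above (a test account with administrator rights used over VPN, credentials harvested from a domain controller, and monitoring alerts that nobody acted on) is the kind of event a VPN-login triage rule should surface. The following is an added example written for this page, not DDC's code or anything from the court record: the account names, IP addresses, baseline and log lines are constructed, and the `key=value` log format is a hypothetical one chosen for readability.

```python
"""Added example (not DDC's code or anything from the court record): a small
VPN-login triage routine for the access pattern the post describes - a
test/administrative account authenticating over VPN with harvested
credentials, from a source that account has never used before.
Account names, IPs, baseline and log lines below are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed account inventory (hypothetical names and attributes).
ACCOUNTS = {
    "jdoe":     {"admin": False, "test": False},
    "svc-test": {"admin": True,  "test": True},   # a test account with admin rights
    "itadmin":  {"admin": True,  "test": False},
}

# Constructed baseline: source IPs each account has previously used for VPN logins.
BASELINE_SOURCES = {
    "jdoe":    {"198.51.100.7"},
    "itadmin": {"198.51.100.9"},
}

# Constructed VPN authentication log (hypothetical format), one event per line.
SAMPLE_LOG = """\
2021-05-20T09:12:01 user=jdoe src=198.51.100.7 result=ok
2021-05-21T09:05:44 user=jdoe src=198.51.100.7 result=ok
2021-05-24T02:17:09 user=svc-test src=203.0.113.45 result=ok
2021-05-24T02:18:30 user=itadmin src=203.0.113.45 result=ok
2021-05-24T02:19:02 user=ghost src=203.0.113.45 result=ok
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    severity: str
    reason: str


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def triage(log_text: str, accounts: dict, baseline: dict,
           pivot_window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts for successful VPN logins matching any of four rules:
    R1 a test account authenticated at all;
    R2 login from a source never seen for that account (high if the account is admin);
    R3 two or more distinct accounts from one source inside pivot_window,
       which is what a harvested credential set looks like when it is used;
    R4 the account is missing from the inventory."""
    alerts = []
    recent_by_src = {}   # src -> list of (datetime, user) for successful logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "ok":
            continue        # failed attempts belong to a separate brute-force rule
        ts, user, src = rec["ts"], rec["user"], rec["src"]
        acct = accounts.get(user)
        if acct is None:
            alerts.append(Alert(ts, user, src, "high", "R4 account not in inventory"))
            continue
        sev = "high" if acct["admin"] else "medium"
        if acct["test"]:
            alerts.append(Alert(ts, user, src, "high", "R1 test account authenticated over VPN"))
        if src not in baseline.get(user, set()):
            alerts.append(Alert(ts, user, src, sev, "R2 source never seen for this account"))
        when = datetime.fromisoformat(ts)
        window = [(t, u) for t, u in recent_by_src.get(src, []) if when - t <= pivot_window]
        others = {u for _, u in window if u != user}
        if others:
            names = ", ".join(sorted(others | {user}))
            alerts.append(Alert(ts, user, src, "high", "R3 multiple accounts from one source: " + names))
        window.append((when, user))
        recent_by_src[src] = window
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, ACCOUNTS, BASELINE_SOURCES):
        print(alert)
```

On the constructed log the routine stays silent for the ordinary user and raises five alerts for the night of May 24: the test account logging in at all, two admin accounts arriving from a source neither has used, the two of them sharing that source within two minutes, and an account that the inventory does not know about. The rules deliberately key off the asset and account inventory, which is why the settlement's requirement to keep that inventory current matters for detection and not only for compliance. The other lesson of the case is procedural rather than technical: an alert that nobody owns is equivalent to no alert, so high-severity findings need a named recipient and an acknowledgement deadline.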