The Week in Breach News: 07/12/23 – 07/18/23

Risk to Business: 1.423 = Extreme

Tennessee-based for-profit hospital operator Hospital Corporation of America has experienced a record-breaking data breach that began on or around July 5. An estimated 11 million patients had data exposed in this incident. HCA was quick to assure customers that they do not believe that any clinical data like information about a patient’s treatment, diagnosis and condition or patient financial data like payment information, credit card or account number was stolen. The company also said that the breach does not include other sensitive data like passwords, driver’s licenses or social security numbers. The data exposed includes a patient’s name, city, state, zip code, email, telephone number, date of birth, gender, service date, location and next appointment date. HCA says that the breach came from an external storage location used to automate emails like appointment reminders.

Risk to Business: 1.876 = Severe

Choice Hotels has announced that it has become caught up in the MOVEit exploit trouble. The company said that some customer records, primarily from its Radisson Hotel chain but possibly from other properties as well, may have been accessed by bad actors. The Cl0p ransomware group, which has been responsible for the MOVEit attacks, added Choice Hotels to its dark web leak site, noting that the company had not been receptive to communication about paying a ransom. Choice Hotels said that it is still investigating the incident and has not yet released a list of the compromised data types. 

Risk to Business: 1.669 = Severe

The government of Hillsborough County is informing more than 70,000 residents that their personal data may have been exposed in a data breach after falling victim to a cyberattack involving the MOVEit file transfer exploit. The count’s cybersecurity team first learned about the issue on June 18. After an investigation, the county determined that files from the Healthcare Services and Aging Services departments were involved. The stolen files included protected health and personal information, including first and last names, social security numbers, dates of birth, home addresses, medical conditions and diagnoses and disability codes. The breach could have also impacted Aging Services vendor employees. Victims have been notified by mail.

Risk to Business: 2.149 = Severe

Lansing Community College in Michigan is informing students that some of their personal data may have been stolen in a data breach. The college said that bad actors gained access to its systems from December 25, 2022, through March 15, 2023. That enabled them to steal the names and social security numbers of 758,000 people. The college also said that unspecified vendor and employee data had been exposed in the incident.

Risk to Business: 2.637 = Moderate

U.S. top 10 zoo ZooTampa has disclosed that it was recently the victim of a cyberattack. Black Suit, a suspected offshoot of the Royal ransomware gang, has claimed responsibility. The non-profit zoo said that vendor and employee information is involved in the incident but did not specify the specific data types. ZooTampa said that it does not retain personal or financial information about visitors or members. The zoo has engaged third-party forensic specialists to secure its network environment and investigate the extent of the unauthorized activity. 

Risk to Business: 1.766 = Severe

Deutsche Bank has disclosed that it recently became aware of a security incident at one of its external service providers that operates the bank’s account switching service in Germany. That unnamed service provider has fallen victim to the MOVEit exploit. Deutsche Bank clarified that the bank’s internal systems were unaffected by the incident. The incident may have impacted a limited amount of unspecified personal data belonging to customers in Germany who used the bank’s account switching service in 2016, 2017, 2018 and 2020. The stolen data cannot be used to gain access to accounts, but bad actors could use it to try to initiate unauthorized direct debits. Other banks in Germany may have been similarly impacted. The MOVEit exploit has resulted in cyberattacks on an estimated 250 businesses. 

Risk to Business: 1.707 = Severe

 Wellington-based law firm Mahony Horner Lawyers is informing clients that their personal data may have been stolen in a recent cyberattack. In a letter explaining the incident to its clients, the firm said that it is taking time for them to determine exactly what data was snatched, but they do know so far that copies of clients’ driver’s licenses or passports that were collected in the last three years were exposed. Mahony Horner said that it has engaged a third-party firm to help investigate the incident.

Risk to Business: 1.443 = Extreme

Razer, a well-known provider of hardware like mice for electronic gaming, is embroiled in a data breach investigation after hackers claim to have obtained critical information about its virtual gaming credits marketplace Razer Gold. Hackers have claimed to have stolen information that impacts Razer Gold like source code, databases and encryption keys as well as backend access logins for Razer.com, the company’s main website. Razer said that it has taken steps to secure its platforms after it was alerted to the threat on Sunday. The hacker, going by the moniker “Nationalist,” is asking for $100,000 in Monero. The incident remains under investigation.