InTegriLogic Blog
The Week in Breach News: 08/02/23 – 08/08/23
This week: The biggest medical cyberattack of the year, MOVEit keeps snagging companies...
Hot Topic
https://www.cshub.com/attacks/news/hot-topic-hit-by-wave-of-cyber-attacks
Exploit: Credential Stuffing
Hot Topic: Retailer
Risk to Business: 1.876 = Severe
Retailer Hot Topic has disclosed that it has likely experienced a data breach after a series of credential stuffing attacks. The retailer said that the attacks took place between February 7 and June 21, 2023. Hot Topic says that legitimate credentials were ultimately used to access the company’s systems. Bad actors may have stolen customer information, including customer names, mailing addresses, dates of birth, phone numbers and order history. Partial payment card information (the last four digits of the payment card) may have been accessed if victims had their payment card details saved to their accounts.
How It Could Affect Your Business: Teaching employees how to safely handle credentials will prevent cybersecurity trouble like this.
Oregon Health Plan (OHP)
https://www.eastoregonian.com/news/state/1-million-oregon-health-plan-members-impacted-by-data-breach/article_6d665250-34d8-11ee-bd0b-1fe5e66d1cff.html
Exploit: Supply Chain Attack
Oregon Health Plan (OHP): Insurer
Risk to Business: 1.721 = Severe
The Oregon Health Authority has announced that its members’ data may have been exposed due to a MOVEit-related cyberattack on one of its service providers. Vendor PH Tech notified Oregon government officials that they’d experienced a data breach. In their investigation, PH Tech determined that the sensitive data of OHP members was accessed by bad actors. OHP said the illegally accessed data included personal information and some protected health information like enrollment, authorization and claims files. Exposed information varies from person to person but might include name, date of birth, social security number, address, member ID number, plan ID number, email address, authorization information, diagnosis code, procedure codes and claim information. An estimated 1 million people had data exposed in this incident.
How It Could Affect Your Business: Supply chain cyberattacks and the risk they bring to business need to be top-of-mind for IT professionals.
Prospect Medical Holdings
https://www.theguardian.com/us-news/2023/aug/04/cyberattack-us-hospitals-california
Exploit: Hacking
Prospect Medical Holdings: Medical Facility Operator
Risk to Business: 1.673 = Severe
California-based Prospect Medical Holdings has disclosed that it experienced a cyberattack that has pushed 16 hospitals and about 100 other medical facilities offline in California, Connecticut, Pennsylvania and Rhode Island. The incident began on August 1. Medical providers at the impacted facilities have had to resort to pencil and paper charting. Some of the outpatient facilities that Prospect manages have been forced to close because of the attacks, including radiology, diagnostic and heart health facilities in Connecticut. This is the largest medical cyberattack in the U.S. so far in 2023.
How It Could Affect Your Business: This breach is currently the worst medical cyberattack of 2023, but there’s still time for bad actors to make an even bigger strike.
Prudential Insurance Company of America
https://www.jdsupra.com/legalnews/prudential-insurance-company-files-8788805/
Exploit: Supply Chain Attack
Prudential Insurance Company of America: Insurer
Risk to Business: 1.649 = Severe
Prudential Insurance Company of America filed a notice of data breach with the Attorney General of Maine after discovering that one of the company’s vendors experienced a data breach caused by the MOVEit exploit. Prudential was recently informed of the attack on their vendor, Pension Benefit Information, LLC (PBI). The incident resulted in the exposure of consumers’ sensitive information, which includes their names, Social Security numbers, addresses, dates of birth and phone numbers. PBI recently began sending out data breach notification letters to all 320,840 individuals whose information was stolen.
How It Could Affect Your Business: Supply chain attacks are escalating, and just one attack on a supplier can be a big problem that brings big bills for any business.
Colorado Department of Higher Education (CDHE)
https://cybernews.com/news/colorado-education-department-data-breach/
Exploit: Ransomware
Colorado Department of Higher Education: Regional Government Agency
Risk to Business: 1.707 = Severe
The personal data of students and employees may have been exposed in a data breach at the Colorado Department of Higher Education (CDHE). Specifically, the incident may affect anyone who studied at a public high school in the state between 2004 and 2020, took a course at a higher education facility between 2007 and 2020, held a K-12 teacher’s license in the district between 2010-2014, participated in the Dependent Tuition Assistance Program from 2009-2013, participated in Colorado Department of Education’s Adult Education Initiatives programs between 2013-2017, or obtained a GED between 2007-2011. CDHE disclosed that a bad actor accessed CDHE systems between June 11 and June 19, 2023. The incident remains under investigation.
How it Could Affect Your Business: Educational institutions can hold a lot of valuable data and have historically weak security.
Allegheny County, Pennsylvania
https://www.govtech.com/security/allegheny-county-pa-issues-alert-on-may-data-breach
Exploit: Hacking
Allegheny County, Pennsylvania: Regional Government
Risk to Business: 1.637 = Moderate
Allegheny County, Pennsylvania said that it has experienced a cyberattack that led to a data breach on May 28 and 29, thanks to MOVEit. The county said that residents’ data may have been exposed, including name, Social Security number, date of birth, driver’s license/state ID number, taxpayer ID number and student ID numbers. For some residents, certain types of medical information (e.g., diagnosis, treatment type, admission date), health insurance information, and billing/claim information may be involved.
How it Could Affect Your Business: Governments of every size and government agencies have been high on cybercriminal hit lists.
Canada – Health Employers Association of British Columbia
https://www.cbc.ca/news/canada/british-columbia/cyberattack-bc-health-employer-websites-personal-information-1.6924496
Exploit: Hacking
Health Employers Association of British Columbia: Professional Group
Risk to Business: 1.766 = Severe
Health Employers Association of British Columbia admitted that a cyberattack on three of its websites has likely resulted in the exposure of some personal data for an estimated 240,000 people. The association said that three websites recruiting physicians, nurses and other health professionals are at the center of the storm: Health Match B.C., Locums for Rural B.C. and the B.C. Care Aide & Community Health Worker Registry. The attack was first detected on July 13, but an investigation determined that the hackers had been in the company’s systems from May 9 to June 10. The incident remains under investigation.
How it Could Affect Your Business: Job and hiring websites often hold onto or maintain access to big stores of valuable personal data.
Australia – Aristocrat Gaming
https://www.teiss.co.uk/news/aristocrat-confirms-cyber-attack-takes-swift-action-to-protect-data-and-privacy-12670
Exploit: Hacking
Aristocrat Gaming: Gambling Machine Manufacturer
Risk to Business: 1.413 = Moderate
Australia’s largest gaming machine manufacturer said that it has been hit in a cyberattack thanks to the MOVEit vulnerability. Aristocrat Gaming said that the June 1 attack led to the exposure of unspecified data for Aristocrat employees. Aristocrat said in a statement that it expects low business impact from this incident and that appropriate authorities are part of the investigation.
How it Could Affect Your Business: A zero-day vulnerability can be the catalyst for a cyberattack at any time. Businesses need to remain vigilant.