The Week in Cyber Security and Data Privacy: 6 – 12 November 2023

Welcome to this week’s round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Publicly disclosed data breaches and cyber attacks

Mulkay Cardiology Consultants notifies Maine Attorney General of breach

Date of breach: 1 September – 5 September 2023

Breached organisation: Mulkay Cardiology Consultants at Holy Name Medical Center, New Jersey

Incident details: On 5 September, Mulkay Cardiology Consultants discovered that an unauthorised third party had accessed its systems and encrypted some of its files. On 14 September, Mulkay discovered that the compromised files contained personal information, including “name, address, date of birth, Social Security number, driver’s licence number or state ID, medical treatment information, and health insurance information”.

Records breached: 79,582

Ontario hospitals update: information relating to 5.6 million patient visits stolen in ransomware attack

Date of breach: 23 October 2023

Breached organisation: Bluewater Health and Chatham-Kent Health Alliance

Incident details: A database containing information about 5.6 million patient visits to Bluewater Health and the social insurance numbers of 1,446 Chatham-Kent Health Alliance employees was among the data exfiltrated as part of a 23 October ransomware attack on TransForm, a payroll provider to five Ontario hospitals (see The Week in Cyber Security and Data Privacy 30 October – 5 November 2023 and The Week in Cyber Security and Data Privacy: 23–29 October 2023).

Records breached: 5,601,446

Marina Bay Sands reveals data breach affecting 665,000 customers

Date of breach: 19 and 20 October 2023

Breached organisation: Marina Bay Sands

Incident details: Marina Bay Sands, a luxury resort operator in Singapore, has announced that the personal data of 665,000 members of its shopping loyalty programme has been compromised in a “data security incident”. The data included shoppers’ names, email addresses, phone numbers, countries of residence and membership numbers.

Records breached: 665,000

Tri-City Medical Center, San Diego, hit by suspected ransomware attack

Date of breach: 9 November 2023

Breached organisation: Tri-City Medical Center, Oceanside

Incident details: Tri-City Medical Center was forced to divert ambulances to other hospitals following what a spokesperson referred to as “A cybersecurity challenge”. According to the San Diego Union-Tribune, “several people familiar with the situation who asked not to be identified said that [ransomware] was the suspected culprit”.

Records breached: Unknown

Multiple instances of unauthorised access via ScreenConnect

Date of breach: 28 October – 8 November 2023

Breached organisation: Multiple healthcare organisations

Incident details: Huntress reports that attackers have exploited ScreenConnect, a remote access tool used by the pharmacy supply chain and management systems solution provider Transaction Data Systems/Outcomes, to access endpoints belonging to “multiple healthcare organizations”.

Records breached: Unknown

Northwell Health patient data compromised in Perry Johnson & Associates data breach

Date of breach: 7 – 19 April 2023

Breached organisation: Northwell Health

Incident details: Northwell Health – the largest health system in New York – has confirmed that it was affected by the data breach at the medical transcription company Perry Johnson & Associates earlier this year. According to the HIPAA Journal, “Northwell Health said the breach involved names, addresses, dates of birth, and medical information, including diagnoses, test results, and physician and healthcare provider names. Some patients also had their Social Security numbers exposed.”

Records breached: Unknown (although Northwell Health’s initial statement, since withdrawn, said 3,891,565 people were affected)

Maine state agencies affected by MOVEit Transfer breach

Date of breach: 31 May 2023

Breached organisation: The State of Maine

Incident details: The State of Maine has confirmed that it was affected by the Cl0p attack on Progress Software’s MOVEit Transfer file transfer tool in May. Approximately 1.3 million individuals’ information was compromised, including names, Social Security numbers, dates of birth, driver’s licence/state identification numbers and taxpayer identification numbers.

Records breached: 1.3 million individuals

McLaren Health Care notifies nearly 2.2 million people of data breach

Date of breach: 28 July – 23 August 2023

Breached organisation: McLaren Health Care, Michigan

Incident details: According to its data breach notification, McLaren Health Care became aware of suspicious activity on its systems on 22 August. Its investigation determined that there had been unauthorised access to its network between 28 July and 23 August, and that personal information had been accessed, including names, Social Security numbers, consumers’ or consumers’ family members’ “past, present or future physical, mental or behavioral health or condition”, and information relating to the provision of and payment for healthcare. According to BleepingComputer, the ALPHV/BlackCat ransomware group took responsibility for an attack on McLaren’s network on 4 October.

Records breached: 2,192,515 people affected

Sumo Logic identifies “potential security incident”

Date of breach: 3 November 2023

Breached organisation: Sumo Logic

Incident details: On 7 November, Sumo Logic notified its customers that it had “discovered evidence of a potential security incident” in which “a compromised credential” was used “to access a Sumo Logic AWS account”. Customer data, which was encrypted, was reported to be unaffected.

Records breached: None

Butler County reports personal information breach

Date of breach: 8 November 2023

Breached organisation: Butler County

Incident details: The Butler County Commissioners Office has announced that personal data was compromised in October when an unauthorised third party accessed its network. The information mostly related to court proceedings. “The security and integrity of our information systems are top priorities, and we work continually to safeguard our network to maintain confidentiality,” stated county IT director Jim Venturini. “The county will continue to invest in the internal processes, tools, and resources to reduce the likelihood of future security incidents.”

Records breached: Unknown

Butte School District shuts down computer network after system compromised

Date of breach: 4 November 2023

Breached organisation: Butte School District

Incident details: Butte School District was forced to shut down its computer systems following an unknown breach. “All I can say is that we’re still investigating the issue and we do not have any clear information of what it was,” Butte School District Superintendent Judy Jonart told KXLF.

Records breached: Unknown

Pulaski County Public Schools announces ransomware investigation

Date of breach: 5 November 2023

Breached organisation: Pulaski County Public Schools

Incident details: According to a notice published on Facebook on 7 November, Pulaski County Public Schools has fallen victim to a ransomware attack.

Records breached: Unknown

Australian port operators knocked offline by cyber attack

Date of breach: 10 – 13 November 2023

Breached organisation: DP World Australia (ports operator)

Incident details: Operations at the DP World Australia container terminals in Melbourne, Sydney, Brisbane and Perth were disrupted by a cyber attack from Friday 10 – Monday 13 November. According to a company statement quoted by the BBC, the organisation is investigating the incident. “The resumption of port operations does not mean that this incident has concluded,” it said. “DP World Australia’s investigation and ongoing remediation work are likely to continue for some time.”

Records breached: Unknown

LockBit ransomware attack on ICBC Financial Services

Date of breach: 8 November 2023

Breached organisation: ICBC FS (Industrial & Commercial Bank of China Financial Services)

Incident details: According to a notice on its website, ICBC FS – a US subsidiary of the world’s largest bank – suffered a ransomware attack on 8 November that disrupted some of its systems and, as a result, affected the US Treasury market. The Russian LockBit ransomware gang has taken responsibility.

Records breached: Unknown

Other news

ICO and EDPS sign Memorandum of Understanding

The UK’s ICO (Information Commissioner’s Office) and the EDPS (European Data Protection Supervisor) have signed a Memorandum of Understanding, reinforcing “their common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal”.

That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place for you.

In the meantime, if you missed it, check out last week’s round-up.