IT Security & Privacy

The February cyberattack on Change Healthcare, now confirmed to have affected a staggering 100 million individuals, is more than a historic breach—it’s a wake-up call for the entire healthcare sector. The U.S. Department of Health and Human Services recently confirmed the scale of this incident, making it one of the most significant exposures of personal health data in U.S. history. The breach shines a harsh light on cybersecurity fundamentals, particularly the overlooked areas of access management, incident response, and third-party risk oversight.

Global data protection authorities have issued a follow-up joint statement highlighting new measures for social media companies to enhance protections for personal information, as mass data scraping continues to pose risks, particularly in the age of artificial intelligence. This latest statement reflects insights from recent discussions between 17 data protection authorities and some of the largest social media platforms, deepening the collaboration initially sparked by a joint statement on data scraping in 2023.

In a strong message to UK organizations, Information Commissioner John Edwards has emphasized the critical need to prioritize data protection and privacy in order to mitigate the devastating ripple effects of data breaches.

Pennsylvania State University (Penn State) has agreed to pay $1.25 million to settle allegations of violating the False Claims Act, stemming from its failure to meet contractual cybersecurity requirements between 2018 and 2023. The university allegedly failed to implement cybersecurity controls mandated by the Department of Defense (DoD) and NASA on 15 contracts or subcontracts. These failures included misrepresenting the implementation of specific cybersecurity controls and using a cloud service provider that did not meet DoD’s security standards for handling sensitive defense information.

In what might be the hospitality industry's most expensive case of leaving the digital door unlocked, Marriott International and its subsidiary Starwood Hotels are checking out of their security nightmare with a $52 million bill and an FTC-mandated security makeover. The settlement, announced October 9, 2024, addresses three massive data breaches affecting over 344 million guests worldwide.

The New York State Department of Financial Services (NYDFS) has issued extensive guidance addressing cybersecurity risks associated with artificial intelligence (AI) in the financial sector. Announced by Superintendent Adrienne A. Harris on October 16, 2024, this guidance marks a significant development in regulatory approaches to emerging technologies and cybersecurity.

Poland’s Personal Data Protection Office (UODO) has fined mBank more than €870,000 (4,053,173 PLN) for failing to notify customers affected by a significant data breach. The penalty, while substantial, represents just 0.0024% of the bank’s annual turnover, raising questions about the relative impact of such fines on large financial institutions.