Malware Attack Leads Breach Roundup
59,000 Clients of L.A. Gay & Lesbian Center Affected
In this week's breach roundup, a malware attack potentially affected 59,000 clients of the L.A. Gay & Lesbian Center. Also, Kaiser Permanente Anaheim Medical Center is notifying 49,000 patients about a missing flash drive.
Malware Attack Affects 59,000
The L.A. Gay & Lesbian Center, which provides healthcare and other services, is notifying about 59,000 current and former clients that their information may have been exposed as a result of a malware attack.
The attack, which occurred between Sept. 17 and Nov. 8, involved malware designed to collect personal information, the Los Angeles-based center said in an online statement. Information potentially exposed may include name, contact information, credit card information, healthcare information, Social Security number, date of birth and health insurance account number.
Affected patients are being offered a year's worth of free credit monitoring services. The center is continuing to work with law enforcement officials on the investigation.
"After learning of the attack, we took immediate steps to further safeguard the information currently on our servers and, though no organization can ever be assured that its data is 100 percent protected, we are working with data security and technology experts to guard against future attacks," says Lorri Jean, CEO of the center.
Hospital Reports Missing Flash Drive
Kaiser Permanente Anaheim (Calif.) Medical Center is notifying 49,000 patients that a flash drive containing patient information is missing from its nuclear medicine department.
The drive, which was not encrypted or password protected, was reported missing from an isolated area of the medical center that requires a security badge for entry, according to an online statement.
Compromised information includes name, date of birth, medical record number and the type and amount of a specific medication.
The information on the drive can only be accessed with specific database management software, the hospital says.
"We have no information to suggest that the flash drive was stolen or used for fraudulent purposes," the statement says. Patients are being asked to review their insurance statements to ensure no fraudulent use of their medical information has taken place.
13 Hackers Plead Guilty in PayPal Attack
Thirteen defendants who were participants in the Anonymous hacktivist group pleaded guilty in federal court to charges related to their involvement in a cyber-attack against PayPal's website in 2010.
The defendants admitted to carrying out a distributed-denial-of-service attack against PayPal in December 2010, according to the U.S. Attorney's Office for the Northern District of California.
Anonymous' attack against PayPal came after the online payments service terminated the donation account for WikiLeaks, which followed the infamous whistleblower website's release of a large number of U.S. State Department cables, the U.S. attorney says.
With the exception of one, the defendants pleaded guilty to one felony count of conspiracy and one misdemeanor count of intentional damage to a protected computer, prosecutors say. One defendant also pleaded guilty to one misdemeanor count of reckless damage to a protected computer and two defendants were permitted to plead guilty to one misdemeanor count each of intentional damage to a protected computer, according to prosecutors. One of the defendants also pleaded guilty to executing a DDoS attack against the Santa Cruz County Web server.
The maximum statutory penalty for each felony conspiracy count is five years' imprisonment and a $250,000 fine. For each felony count of intentional damage to a protected computer, the maximum statutory penalty is 10 years' imprisonment and a $250,000 fine. For each misdemeanor count of intentional damage to a protected computer, the maximum statutory penalty is one year in prison and a $100,000 fine. Each misdemeanor count of reckless damage to a protected computer carries a maximum statutory penalty of one year in prison and a $100,000 fine.
Transplant Patients Affected by Breach
Houston Methodist Hospital is notifying 1,300 transplant patients about a breach after an encrypted laptop and some paper files were stolen.
Potentially compromised information includes names, Social Security numbers, dates of birth and some medical information for transplant patients, according to a statement provided to Information Security Media Group.
Impacted patients are being offered one year of free identity theft protection services, the statement says.
"We sincerely apologize for this incident and we are doing everything we can to protect our patients' private information," the statement says. "After we were notified of the theft, we immediately contacted the Houston Police Department and we are performing a comprehensive investigation."
The incident has also been reported to the Department of Health and Human Services.