Dec 28, 2021 | Data Breach
Ransomware Group Reportedly Targets Shutterfly
On December 27, 2021, ZDNet.com reported that “Shutterfly reported a ransomware attack on Sunday [December 26, 2021].” The incident was first reported by Bleeping Computer, which said a source told them the company was attacked by the Conti ransomware group.” ZDNet.com reported that “[i]n a statement, the company said portions of the Lifetouch and BorrowLenses business were affected. They experienced interruptions with Groovebook, manufacturing offices, and some corporate systems as well.”
Shutterfly, according to the ZDNet.com report, is “assessing the full scope of any data that may have been affected,” and Shutterfly does “not store credit card, financial account information, or the Social Security numbers of [its] Shutterfly.com, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, and so none of that information was impacted in [the] incident.”
Reportedly, Another, But Smaller, Data Breach Suffered By T-Mobile
On December 28, 2021, Cnet.com reported that “[o]n the delayed heels of its huge data breach in August, the T-Mo Report brings news . . . of another possible data breach. This one seems to impact a smaller group of customers who received notifications of ‘unauthorized activity’ on accounts consisting of customer proprietary network information or a physical SIM swap (or both), according to the site.”
According to Cnet.com, Customer Proprietary Network Information “. . . consists of all the data T-Mobile has about your phone calls, which according to the carrier [are] ‘features of your voice calling service (e.g., international calling), usage information (like call logs—including date, time, phone numbers called, and duration of calls), and quantitative data like minutes used.’ It doesn’t contain any billing-related information like names or addresses.”
Additionally, according to Cnet.com, “[a]n unapproved physical SIM swap allows someone else to take over your phone number, and if they have your password, to potentially gain access to accounts linked to it — such as if you use text for multifactor authentication.”
For additional information on protecting your identity from a SIM-swap scam, please click the CNet.com article, “T-Mobile data breach and SIM-swap scam: How to protect your identity.”
Have You Been Impacted by A Data Breach?
If so, please complete the form on the right or contact Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], [email protected], for a free, no-obligation evaluation of potential legal claims.
Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.
Dec 28, 2021 | Data Breach
Florida Digestive Health Specialists Suffers Data Security Incident Involving Protected Health Information
In a December 27, 2021 “Notice of Data Breach,” Florida Digestive Health Specialists, LLP (“FDHS”) notified consumers that “[o]n December 16, 2020, an employee noted suspicious activity within their FDHS email account that resulted in suspicious emails having been sent from their employee account. Several days later, on December 21, 2020, FDHS learned that funds had been misrouted to an unknown bank account.”
The “Notice of Data Breach” stated that its investigation of the data breach “. . . found that a limited number of FDHS employee email accounts had been accessed by unauthorized users. [The] investigation was involved and, though access was confined to a limited number of FDHS email accounts, those accounts were voluminous. FDHS investigated those email accounts to determine what information was found in those accounts, whether it constituted personal information, protected health information, or other confidential information, and to whom that information belonged. This process took a considerable amount of time and only concluded on November 19, 2021.”
According to the data breach notice, “[t]he categories of PHI present in the posted data set include . . . first and last name, address, date of birth, Social Security number, financial information, health insurance information, medical information, diagnosis, health insurance individual policy number, and Medicare/Medicaid information.” [Emphasis added.]
The total number of persons affected, according to the Office Of The Maine Attorney General, is 212,509.
Source: Office Of The Maine Attorney General
Have You Been Impacted by A Data Breach?
If so, please complete the form on the right or contact Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], [email protected], for a free, no-obligation evaluation of potential legal claims.
Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.
Dec 21, 2021 | Blog, Data Breach
Southern Orthopaedic Associates, D/B/A Orthopaedic Institute of Western Kentucky, Suffers Data Breach
Southern Orthopaedic Associates, d/b/a Orthopaedic Institute of Western Kentucky (“Southern Orthopaedic” or “SOA”), recently filed a Data Breach Notification with the Office Of The Maine Attorney General.
SOA’s notification of the data event stated, among other things, that
[o]n or about July 8, 2021, SOA became aware of suspicious activity relating to an employee email account. SOA immediately launched an investigation to determine what may have happened. Working together with an outside computer forensics specialist, SOA determined that an unauthorized individual accessed several employee email accounts between June 24, 2021 and July 8, 2021. Because SOA was unable to determine which email messages in the accounts may have been viewed by the unauthorized actor, SOA reviewed the entire contents of the affected email accounts to identify what personal information was accessible to the unauthorized actor. This review was complete by October 21, 2021. After identifying the individuals who may have been impacted, [Southern Orthopaedic] worked to confirm current mailing addresses for the impacted individuals and prepare an accurate written notice of this incident.
The information that could have been subject to unauthorized access includes name, and Social Security Number. [Emphasis added.]
A copy of SOA’s notification of the data event can be viewed by clicking “Nature of the Data Event.”
Have You Been Impacted by A Data Breach?
If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected], for a free, no-obligation evaluation of potential legal claims.
Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.
Dec 20, 2021 | Blog, Data Breach
Texas ENT Specialists – Hacking/IT Incident Affects More Than 530,000 Individuals
The U.S. Department of Health and Human Services, Office for Civil Rights, Breach Portal, reflects that Texas ENT Specialists, a healthcare provider, reported a data breach of its network server.
The company’s “Notice of Security Incident” stated that “[o]n October 19, 2021, Texas ENT learned that files containing patient information were subject to unauthorized access during a data security incident. With assistance from a third-party cybersecurity firm, [Texas ENT] determined that unauthorized parties gained access to our computer systems and took copies of Texas ENT files between August 9, 2021 and August 15, 2021. [Texas ENT] carefully reviewed those files and determined they contained patient names, dates of birth, medical record numbers, and procedure codes used for billing purposes. A limited number of files also contained patient Social Security numbers. Importantly, there was no unauthorized access to Texas ENT’s electronic medical records system.” [Emphasis added.]
Have You Been Impacted by A Data Breach?
If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected], for a free, no-obligation evaluation of potential legal claims.
Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.
Dec 18, 2021 | Blog, Data Breach
Online Retailers Tackle Warehouse LLC, Running Warehouse LLC, Skate Warehouse LLC & Tennis Warehouse LLC Hacked – Customer Personal And Financial Data Information Stolen
The Office Of The Maine Attorney General’s online data breach notification portal reflects that 1,813,224 individuals, including Maine residents, were affected by an external system hacking data breach of four online sports equipment retail websites, which resulted in the acquisition of customer names or other personal identifiers in combination with financial account numbers, credit/debit card numbers (in combination with security code, access code, password or account PIN).
The data breach occurred on October 1, 2021, and was discovered on November 29, 2021.
Class Action Lawsuit Filed Against Wilderness Sports Warehouse, LLC, d/b/a Tackle Warehouse; Running Warehouse, LLC; Sports Warehouse, Inc., d/b/a Tennis Warehouse; & Skate Warehouse, LLC
On January 11, 2022, a class action lawsuit was filed in United States District Court for the Middle District of Georgia against the aforementioned online retailers for their alleged failure to properly secure and safeguard highly-valuable, protected Personally Identifiable Information (“PII”), including, without limitation, names, addresses, credit card and debit card numbers, expiration dates, and CV codes; alleged failure to comply with industry standards to protect information systems that contain PII; and alleged failure to provide adequate and prompt notice to Plaintiff and other Class Members that their PII had been accessed and compromised.
The complaint alleges that the named Defendants knew, or should have known, the importance of safeguarding the PII entrusted to Defendants and of the foreseeable consequences if its data security systems were breached. According to the complaint, the Defendants failed, however, to take adequate cyber security measures to prevent the data breach from occurring.
Have You Been Harmed By A Data Breach?
If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected], for a free, no-obligation evaluation of potential legal claims.
Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.
Dec 15, 2021 | Blog, Data Breach
Company’s Data Breach Potentially Impacted 750,000 Patients And 522 Current/Former Oregon Anesthesiology Group Employees
In a December 6, 2021 Notice of Data Breach, Oregon Anesthesiology Group, P.C. (“OAG”) stated that OAG “. . . experienced a cyberattack on July 11, [2021] after which [OAG was] briefly locked out of [its] servers.”
The data breach notice stated that
[o]n October 21, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files. The FBI believes HelloKitty exploited a vulnerability in [OAG’s] third-party firewall, enabling the hackers to gain entry to the network. According to the cyber forensics report obtained by OAG in late November, the cybercriminals, once inside, were able to data-mine the administrator’s credentials and access OAG’s encrypted data.
Patient information potentially involved in this incident included names, addresses, date(s) of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names, and insurance ID numbers. OAG does not store patients’ full medical records or their Social Security or credit card numbers, and these data were not involved. The cybercriminals also potentially accessed current and former OAG employee data, including names, addresses, Social Security numbers and other details from W-2 forms on file.
OAG also stated in its data breach notice that “[t]he data breach potentially impacted about 750,000 patients and 522 current and former OAG employees.” [All emphasis added.]
Have You Been Impacted By A Data Breach?
If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected], for a free, no-obligation evaluation of potential legal claims.
Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.
