Dec 1, 2021 | Data Breach
Data Breach Of DNA Diagnostics Center’s Network Resulting In Unauthorized Access And Acquisition Of Archived Database With Personal Information
In a press release (“DNA Diagnostics Center, Inc. Provides Notice of Data Security Incident”) on the website of the State of California Department of Justice, Office of the Attorney General, DNA Diagnostics Center, Inc. advised that “[o]n August 6, 2021, DNA Diagnostics Center, Inc. (DDC) detected potential unauthorized access to its network, during which there was unauthorized access and acquisition of an archived database that contained personal information collected between 2004 and 2012. The impacted database was associated with a national genetic testing organization system that DDC acquired in 2012. This system has never been used in DDC’s operations and has not been active since 2012.”
DDC’s press release also stated that “[t]he impacted database was associated with a national genetic testing organization that DDC has never used in its operations and has not been active since 2012. DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC.” Further, the press release stated that “[i]mpacted individuals may have had their information, such as Social Security numbers or payment information, impacted as a result.” [Emphasis added.]
Additional information about the data breach can be found by clicking “Data Security Incident Information Center,” a document also located on the California Attorney General’s website related to the data incident.
Informationsecuritybuzz.com reported that “DNA Diagnostics Center . . ., a US-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons. The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, but the firm discovered it only on October 29, 2021.” According to informationsecuritybuzz.com, the breached information includes full names, credit and debit card number (plus CVV), financial account number and platform account password.
Have You Been Impacted by A Data Breach?
If so, please complete the form on the right or contact Kehoe Law Firm, P.C., [email protected], for a free, no-obligation evaluation of potential legal claims.
Examples of the types of relief sought in data privacy class actions include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.
Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.
Nov 23, 2021 | Data Breach
Utah Imaging Associates Files Data Breach Notice With Office Of The Maine Attorney General – Data Security Incident May Have Resulted In Unauthorized Access To Sensitive Personal Information
According to the “Notice of data breach” letter located on the website of the Office of the Maine Attorney General:
On September 4, 2021, UIA [Utah Imaging Associates, Inc.] detected and stopped a network security incident. Upon discovery of this incident, UIA promptly secured and began remediating our network. UIA also engaged a specialized third-party cybersecurity firm to conduct a comprehensive investigation to determine the nature and scope of the incident. The forensic investigation has found evidence that some UIA files containing sensitive data were available to the unauthorized actor during the incident. This letter serves to notify you that it is possible the following information related to you, if provided to UIA, may have been exposed to the unauthorized party: first and last name; mailing address; date of birth; Social Security number; health insurance policy number; medical information, including, but not limited to, medical treatment, diagnosis, and prescription information. We maintained this information for patient care and administrative purposes. Notably, the types of information affected varied by individual, and not every individual had every element exposed. [Emphasis added.]
Please click UIA Notice Of Data Breach to read the full text of the data breach notification letter.
On November 22, 2021, Govinfosecurity.com reported that “[a] recent hack of a Utah medical radiology group’s network server has compromised sensitive health information of more than a half-million patients, ranking the incident among the 20 largest health data breaches posted on the federal tally so far this year.”
Govinfosecurity.com also reported that “[t]he Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows that UIA reported the incident on Nov. 3 as affecting nearly 584,000 individuals.”
The Maine Attorney General’s website (accessed 11/23/2021) reflects that 582,170 individuals were affected, including 51 Maine residents, during the data breach which occurred between August 29, 2021 and September 4, 2021.
Oct 19, 2021 | Data Breach
California Assembly Bill No. 825, Chapter 527, Now Specifies That Personal Information Includes Genetic Data
Kehoe Law Firm, P.C. is making consumers aware that on October 18, 2021, “The National Law Review” reported (“California Broadens Security and Breach Laws, Includes Genetic Data”) that “California recently updated both its data security and breach notice laws to include genetic data. With the passage of AB 825, the data security law now includes in the definition of ‘personal information’ genetic data. The information needs to be ‘reasonably protected.’ While many other states have similar ‘reasonable protection’ requirements in their data security laws, California is one of a handful to specifically list genetic information.”
According to Assembly Bill 825:
. . . ‘genetic data’ means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom. [Emphasis added.]
Have You Been Impacted by A Data Breach?
If so, please contact Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or e-mail [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and discuss potential legal claims.
Jul 16, 2020 | Data Breach
Class Actions Allege Amazon, Google, FaceFirst, and Microsoft Unlawfully Collected, Obtained, Stored, Used, Possessed And Profited From Biometric Identifiers
On July 14, 2020, four separate, but very similar, class action complaints were filed in United States District Courts against FaceFirst, Inc. (“FaceFirst”), Google LLC (“Google”), Amazon.com, Inc. (“Amazon”), and Microsoft Corporation (“Microsoft”) alleging that said Defendants, in their efforts to improve their facial recognition technology, committed violations of the Illinois Biometric Information Privacy Act (“BIPA”) by, among other things, unlawfully collecting, obtaining, storing, using, possessing and profiting from the biometric identifiers (“namely, facial geometric scans”) and information of Plaintiffs and all other similarly situated Illinois residents and citizens (the “Class Members”).
The class action complaints against FaceFirst, Google, Amazon, and Microsoft seek (a) statutory damages of $5,000 per BIPA violation, or, alternatively, if Defendants acted negligently, $1,000 per BIPA violation, along with attorneys’ fees and costs; (b) disgorgement of Defendants’ ill-gotten gains derived from the use of the unlawfully-acquired data; and (c) an injunction (i) barring Defendants from any further use of Illinois citizens’ and residents’ biometric identifiers and information; (ii) barring Defendants from continuing to collect, obtain, store, use, possess and profit from Plaintiffs’ and Class Members’ biometric identifiers and information; and (iii) requiring Defendants to delete and destroy Plaintiffs’ and Class Members’ biometric identifiers and information.
According to the class action complaints, IBM made the “Diversity in Faces Dataset” available to the Defendants, which obtained the dataset and, allegedly, used the links provided by IBM to download, copy or otherwise obtain from Flickr each photograph in the dataset, including Plaintiffs’ photographs, in order to associate the biometric identifiers and information provided by IBM with the actual photographs to which the biometric data related. Further, the Defendants, allegedly, profited from the biometric identifiers and information contained in the Diversity in Faces Dataset, because those biometric identifiers and information allowed the Defendants to improve their facial recognition products and technologies, including by allowing the Defendants to improve the effectiveness of their facial recognition technology on a diverse array of faces, thereby making those products and technologies more valuable in the commercial marketplace.
The Defendants, allegedly, never advised or informed the Plaintiffs or their legally authorized representative in writing: (a) that they collected, stored and used Plaintiffs’ biometric identifiers and information; or (b) of the specific purpose and length of term for which Plaintiffs’ biometric identifiers and information were being collected, stored and used. Additionally, the Defendants never received a written release executed by the Plaintiffs or their legally authorized representative to collect, capture, receive, obtain, store or use their biometric identifiers and information.
Do You Believe Your Biometric Information May Have Been Illegally Collected, Stored, Used, Disclosed, Transmitted Or Disseminated?
Illinois’ Biometric Information Privacy Act provides a private right of action in an Illinois state circuit court, or as a supplemental claim in federal district court, against an offending party. Among other relief, BIPA provides for liquidated damages of $1,000 or actual damages, whichever is greater, against a private entity that negligently violates a provision of BIPA, as well as liquidated damages of $5,000 or actual damages, whichever is greater, against a private entity that intentionally or recklessly violates a provision of BIPA.
If you believe your biometric data has been illegally collected, stored, used, disclosed, transmitted or disseminated, please contact Kehoe Law Firm, P.C., Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], [email protected], to discuss potential legal claims.
Jun 1, 2020 | Data Breach
Certain States Have Passed, Expanded or Proposed Legislation To Regulate The Collection, Use, And Dissemination Of Biometric Information – Illinois Provides A Private Right Of Action To Recover Damages For Biometric Privacy Violations
The Illinois Biometric Information Privacy Act (“BIPA”) protects biometric identifiers, otherwise known as biometrics or biometric information. BIPA defines biometric identifier as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
According to BIPA:
The use of biometrics is growing in the business and security screening sectors and appears to promise streamlined financial transactions and security screenings.
. . .
Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.
An overwhelming majority of members of the public are weary of the use of biometrics when such information is tied to finances and other personal information.
BIPA prohibits a private entity from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s or a customer’s biometric identifier or biometric information, unless the private entity (1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
BIPA also prohibits a private entity which possesses a biometric identifier or biometric information from disclosing, redisclosing, or otherwise disseminating a person’s or a customer’s biometric identifier or biometric information unless (1) the subject of the biometric identifier or biometric information or the subject’s legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject’s legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
BIPA also mandates that a private entity that possesses a biometric identifier or biometric information shall:
(1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Do You Believe Your Biometric Information May Have Been Illegally Collected, Stored, Used, Disclosed, Transmitted Or Disseminated?
Illinois’ Biometric Information Privacy Act provides a private right of action in an Illinois state circuit court, or as a supplemental claim in federal district court, against an offending party. Among other relief, BIPA provides for liquidated damages of $1,000 or actual damages, whichever is greater, against a private entity that negligently violates a provision of BIPA, as well as liquidated damages of $5,000 or actual damages, whichever is greater, against a private entity that intentionally or recklessly violates a provision of BIPA.
Source of BIPA-related information: ILGA.gov, 740 ILCS 14/1, et seq., accessed 06.01.2020; all emphasis added.
If you believe your biometric data has been illegally collected, stored, used, disclosed, transmitted or disseminated by a private entity, please contact Kehoe Law Firm, P.C., Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], [email protected], to discuss potential legal claims.