Data Breaches Plague 2019
Halfway through 2019, the number of records exposed by data breaches is double the recorded count at this time last year.
While midways often enhance visits to the seashore, 2019’s midway brings no day at the beach for protecting personally identifiable information, with 713 breaches exposing almost 40 million reported records so far this year.
CU Times leaned heavily on the statistics provided by the San Diego, Calif.-based Identity Theft Resource Center to compile this list of 2019’s most damaging breaches – at least so far.
The six-month breach total exceeds the 2018 half point’s 668 breaches and 23 million reported records exposed, but is less than 2017’s half-year total of 791. However, the approximately 39,843,711 reported records exposed midway through 2019 is almost double last year’s 22.5 million records and dwarfs 2017’s 12.4 million records at the same stage.
The breaches break down into the following industry categories:
- Banking/Credit/Financial = 44 breaches, 6.2%; 316,403 records, 0.8%
- Business = 313 breaches, 43.9%; 3,793,402 records, 9.5%
- Education = 48 breaches, 6.7%; 1,459,961 records, 3.7%
- Government/Military = 45 breaches, 6.3%; 3,426,313 records, 8.6%
- Medical/Healthcare = 263 breaches, 36.9%; 30,843,711 records, 77.4%
The ITRC defines a data breach as an incident with potential risk due to the exposure of an individual’s name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included). The ITRC currently tracks insider theft, hacking (which includes spear phishing, ransomware and skimming), data on the move, employee error/negligence/improper disposal/lost data, accidental web/internet exposure, physical theft and unauthorized access.
With no central federal data breach law, states have taken the lead, passing an increasing number of laws to protect citizens’ PII and provide speedy alerts of any breaches. All 50 states (plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands) have passed data breach notification laws; at least 19 states in 2019 are considering measures amending existing security breach laws.
Recent fines and settlements in the U.S. and Europe also strongly demonstrate breaches could carry financial penalties as well. A record $650 million minimum settlement closed out federal, state and civil action following the Equifax breach, which exposed an estimated 146 million records. According to reports, the Federal Trade Commission also endorsed an estimated $5 billion settlement with Facebook over the company’s 2018 Cambridge Analytica data compromise and other privacy slipups. Meanwhile, the U.K. Information Commissioner’s Office said it will serve hotel chain Marriott with a £99 million ($123 million) fine for a 2018 data breach.
Jonathan Bensen, chief information security officer, product management for the San Jose, Calif.-based Balbix, provided some perspective. “Marriott’s data breach last year (exposing some 387 million guest records from 2014 to 2018) stands as one of the largest to occur by number of records exposed, behind Yahoo’s 2013 breach of three billion records, and First American Corp’s breach of 885 million records this year. Proactively identifying and addressing vulnerabilities is the only way to stay ahead of breaches and avoid fines from data privacy laws.”
The following are the worst U.S. data breaches in 2019, at the year’s halfway point, based mostly on the ITRC’s list of confirmed, exposed PII records. Every record exposed, whether reported or unknown, represents the disruption and upheaval of an individual somewhere, and the undermining of an organization’s infrastructure.
1. First American Data Corp.: 885 Million Records*
Brian Krebs reported the Santa Ana, Calif.-based First American, a provider of title insurance/settlement services, exposed 885 million records going back to 2003. A Washington State real estate developer alerted Krebs in mid-May that anyone knowing the URL for a valid document at the First American website could view other documents just by modifying a single digit in the link.
*The ITRC reported the records total as unknown. Nevertheless, the potential cumulative magnitude of this breach makes it hard to ignore.
1. Quest Diagnostics: 11.9 Million Records (official largest breach)
The Secaucus, N.J.-based billing collections service provider American Medical Collection Agency informed Quest Diagnostics an unauthorized user had access to AMCA’s system containing personal information from various entities. AMCA first notified Quest and Quest contractor Optum360 (for which AMCA provides billing collections services) on May 14, 2019 of potential unauthorized activity on AMCA’s web payment page, and later notified them affected files included financial data, Social Security numbers and medical information, but not laboratory test results.
According to ZDNet, several of AMCA’s corporate clients started notifying their own customers of their billing partner’s security incident. The list of affected testing laboratories included Quest Diagnostics, LabCorp (7.7 million patients), CareCentrix (500,000 patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients) and Sunrise Laboratories (undisclosed number of patients).
2. LabCorp.: 7.7 Million Records
In a U.S. Securities and Exchange Commission filing, LabCorp announced it received notification from Retrieval-Masters Creditors Bureau, Inc. dba American Medical Collection Agency about unauthorized activity on AMCA’s web payment page. According to AMCA, this activity occurred between Aug. 1, 2018 and March 30, 2019 and affected systems including first and last name, birthdates, address, phone number, date of service, provider and balance information.
3. Dominion National: 2.9 Million Records
Dominion National, an insurer and administrator of dental and vision benefits, described a data security incident that possibly involved information related to members. On April 24, 2019, through its investigation of an internal alert, it determined an unauthorized party might have accessed some of its computer servers as of Aug. 25, 2010, and that the information involved may have included names, addresses, email addresses, birthdates, Social Security numbers, member ID numbers, group numbers and subscriber numbers.
4. Federal Emergency Management Agency: 2.3 Million Records
On March 15, 2019, the Office of Inspector General of the Department of Homeland Security issued a management alert that FEMA did not safeguard the PII of survivors of hurricanes Harvey, Irma and Maria, and of the California wildfires in 2017. The DHS maintained FEMA should only provide limited information needed to verify disaster survivors’ eligibility for the Transitional Shelter Assistance program.
5. Jobscience Inc.: 1.75 Million Records
A cyberattack on Jobscience, Inc.’s TalentPath product resulted in unauthorized third-party access to certain users’ information. The company acknowledged while the potentially affected data for any particular individual varied, the records generally included names and contact information, and in some cases information such as usernames, passwords, security questions, and Social Security, driver’s license or alien registration numbers.
6. Inmediata Health Group: 1.6 Million Records
In January 2019, Inmediata became aware some electronic health information was viewable due to a webpage setting permitting search engines to index internal webpages used for business operations. Upon discovery, the health group deactivated the website. The information potentially involved patients’ names, addresses, birthdates, gender and medical claim information, and, for some, Social Security numbers as well.
7. Georgia Tech: 1.3 Million Records
The Atlanta-based Georgia Institute of Technology, experiencing a data incident for the second time in less than a year, exposed the information of current and former students, faculty and staff members. The Atlanta Journal-Constitution reported Georgia Tech learned in late March an unknown outside entity accessed its central database, exposing data including names, addresses, Social Security numbers and birth dates.
8. University of Washington Medical Center (UW Medicine): 973,024 Records
“UW Medicine became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018,” a spokesperson said in a statement. The files contained protected health information including patients’ names and medical record numbers, plus names of the persons or entities UW Medicine shared information with and a description of the shared information (such as office visits or labs, the reason for the disclosure, i.e., mandatory reporting or screening for research studies). The files did not contain any medical records, patient financial information or Social Security numbers.
9. Oregon Department of Human Services: 645,000 Records
The Oregon Department of Human Services announced in February that it was notifying clients by mail about the compromise of their personal information, which included health information. Nine employees opened a phishing email sent to department employees on Jan. 8, 2019, providing entry to email accounts. An initial review of the incident indicated the involvement of up to two million emails.
10. CareCentrix: 500,000 Records
According to ZDNet, the breach, first reported by DataBreaches.net, took place after a hacker group compromised AMCA’s IT network and stole payment information, which it later put up for sale on dark web card marketing forums. Exposed data included names, home addresses, phone numbers, birth dates, Social Security numbers, payment card details and bank account information. AMCA officials admitted the security incident lasted eight months, from Aug. 1, 2018 to March 30, 2019.