CA Delete Act: Empowering Data Privacy

Governor Gavin Newsom has enacted the California Delete Act, marking a historic step for data privacy. The law represents a big step towards giving people more control over their personal information and was passed with resounding support from the state government.

The CA Delete Act, also known as Assembly Bill 375, is set to revolutionize the way businesses handle consumer data. It grants Californians the right to request the deletion of their personal information from company databases, putting the power back in the hands of the individual.

The bill's passage is being hailed as a major win for privacy advocates. It signals a shift towards a more consumer-centric approach to data handling. According to Governor Newsom, this legislation represents a critical move towards "putting consumers in the driver’s seat when it comes to their own data."

One of the key provisions of the CA Delete Act is the requirement for businesses to conspicuously display an opt-out option on their websites, allowing users to easily request the deletion of their data. This transparency ensures that consumers are fully aware of their rights and can exercise them effortlessly.

Furthermore, the legislation includes penalties for non-compliance. Businesses that fail to comply with deletion requests within the stipulated timeframe may face fines and other legal consequences. This aspect of the bill emphasizes the seriousness with which California is approaching data privacy.

Industry experts predict that the CA Delete Act could set a precedent for similar legislation on a national and even international scale. As businesses increasingly operate in a globalized digital landscape, the demand for comprehensive data protection measures is becoming paramount.

The significance of the CA Delete Act extends far beyond California's borders. It sends a clear message about the importance of prioritizing individual privacy in the digital age. As Joseph Jerome, a privacy expert, stated, "This law will likely serve as a catalyst for other states to take a harder look at consumer privacy."

Data privacy has advanced significantly thanks to the California Delete Act. Individuals now have the power to manage their personal information, which puts more responsibility and accountability on businesses to be open and honest about how they handle customer data. This historic law is a ray of hope for those defending privacy rights in the digital age, since it could influence comparable laws around the world.


Ransomware Actors' Recent Rhysida Attacks Highlight a Rising Threat on HealthCare Institutions

 

The threat organisation behind the rapidly expanding Rhysida ransomware-as-a-service operation has claimed responsibility for an Aug. 19 attack that disrupted systems at Singing River Health System, one of Mississippi's leading healthcare facilities.

The attack comes on the heels of one in August against California's Prospect Medical Holdings, which affected 16 hospitals and more than 160 clinics across the country. The extensive nature of the incident caused the Health Sector Cybersecurity Coordination Centre to issue a notice to other organisations in the industry. 

Fatal attack

The attack on Singing River impacted three hospitals and ten clinics in the system, and it is expected to solidify Rhysida's reputation as a growing threat to healthcare organisations in the United States. It's also a reminder of the growing interest in the sector from ransomware perpetrators, who pledged early in the COVID-19 outbreak not to target hospitals or other healthcare facilities. 

Check Point Software's threat intelligence group manager, Sergey Shykevich, who is tracking the Rhysida operation, says he can confirm the Rhysida group has disclosed only a small portion of data allegedly belonging to Singing River on its leak disclosure site. 

The gang has stated that it is willing to sell all of the data it has acquired from the healthcare system for 30 Bitcoin, which is approximately $780,000 at today's pricing. "We sell only to one hand, no reselling, you will be the sole owner," the group stated in a Facebook post. 

After debuting in May and quickly establishing itself as a serious threat in the ransomware world, Rhysida—named after a kind of centipede—has gained widespread attention. The group first targeted organisations in the government, managed service provider, education, manufacturing, and technology sectors. The threat group entered the healthcare industry with its attack on Prospect. 

Earlier this year, when looking into a ransomware attack on a university, Check Point first came across Rhysida. The threat actor's tactics, techniques, and procedures were examined by the security vendor, who found similarities between them and the TTPs of Vice Society, another extremely active threat actor that has been focusing on the health and education sectors since at least 2021. 

Lucrative target

The expansion of the Rhysida operation into the field of healthcare shows how significant the sector is to threat actors. Healthcare organisations offer a real gold mine of personal identity and health information that individuals with illicit motives can profit from in a variety of ways.

Threat actors are also aware that health organisations are more willing to pay a ransom to bargain their way out of an attack and prevent disruptions that could impair their ability to deliver patient care.

"Attacks on healthcare providers have two main significant implications," Shykevich explained. "The hospital's ability to provide basic services to its patients and [on] the patients' sensitive data. Following such cyberattacks, the data quickly makes its way to Dark Web markets and forums." 

This attack is simply one of many ransomware and other types of incidents that have targeted healthcare organisations this year. The attacks exposed a total of more than 41 million records in the first half of 2023 alone. According to data maintained by the Office for Civil Rights of the US Department of Health and Human Services, the organisation is now looking into more than 440 incidents that healthcare organisations reported during the first eight months of this year.

Multi-State Cyberattack Disrupts Health Care Services in Multiple States

 


A California organization faced a cyberattack this week that resulted in some services being shut down at affiliated locations and some patients having to rely solely on paper records. The cyberattack disrupted hospital computer systems in several states on Friday; some emergency rooms were closed and ambulances were diverted. Most primary care services remained closed while security experts investigated the extensive damage.

It was reported Thursday that a "data security incident" had taken place at Prospect Medical Holdings' facilities in this state as well as in Texas, Connecticut, Rhode Island, and Pennsylvania. These facilities are owned and operated by Prospect Medical Holdings, based in Los Angeles. Prospect Medical Holdings is based in Connecticut and operates 16 hospitals and more than 165 clinics and outpatient centres across Connecticut, Pennsylvania, Rhode Island and Southern California. A Prospect Medical spokesperson was unable to provide an estimate regarding when services will resume on Saturday. At the moment, there is no indication of the number of sites affected by this system.

As of now, the company has seven hospitals in California's Los Angeles and Orange counties. Prospect's website says the company has two behavioural health facilities and a 130-bed acute care hospital in Los Angeles. 

Connecticut hospitals, including Manchester Memorial, Rockville General and Thornwood Hospital, closed their emergency departments from Thursday morning to evening. Patients were transferred between nearby facilities. The FBI in Connecticut issued a statement saying that it is working with "all the law enforcement agencies in the state as well as the victims' entities" but was unable to go into further detail regarding the ongoing investigation.

The Eastern Connecticut Health Network, which operates the facilities, announced that, in addition to elective surgeries, outpatient appointments, blood drives and other services, many primary care services were closed on Friday, although the emergency departments reopened late Thursday. The network's website indicates that all patients have been contacted individually.

Eastern Connecticut Health Network, which is part of the Prospect health system, reported ongoing technical difficulties on its website on Saturday night, which, among other things, caused the closure of services such as outpatient medical imaging and outpatient blood draw. In a report published by the Hartford Courant on Thursday, two hospitals that are part of the network had to divert patients from their emergency rooms.

As hospitals digitize and upgrade their medical records to cloud-based servers, ransomware is becoming a more common form of attack, including attacks on healthcare systems. The American Hospital Association's cybersecurity adviser, John Riggi, said that cyberattacks on hospitals have become increasingly common over the past few years. 

It has been reported that Waterbury Hospital, in Waterbury, Conn., has been experiencing disruptions throughout the afternoon and evening. Furthermore, the hospital said some of its outpatient imaging, as well as outpatient surgery services, had been unavailable on Friday and Saturday as well. The company said that it will be using paper records from now on. 

On February 24, 2022, One Brooklyn Health, a hospital group that delivers health care to low-income neighbourhoods in New York, was a victim of a cyberattack that forced hospital employees to use paper records to keep track of patient information. The employees at the time of the attack said that they were a little behind on learning the new system, given that most hospitals have been using electronic records since the mid-1990s, and that some diagnostic tests were taking longer to return due to the attack.

NBC reported that CommonSpirit Health, which operates over 140 hospitals and more than 700 care sites across the country, was hit by a cyberattack last year, which resulted in cancelled surgeries, cancelled doctor's appointments, and other delays in the delivery of care. In 2020, Russian hackers launched a ransomware attack against United Health Services, which is affiliated with over 400 hospitals, making it one of the largest attacks of its kind in history and one of the largest attacks in the history of cybercrime.

The incident clearly illustrates the vulnerability of healthcare systems to cyberattacks, with critical services being disrupted across several states as a result. The reliance on paper records is an indication of the urgent need for robust cybersecurity measures.

As a result of the outbreak of the pandemic, the healthcare sector has been exposed to an increased level of cyber threats. Keeping the data of our patients secure and ensuring the uninterrupted delivery of care in a world that is becoming more interconnected is a vital task of healthcare providers and technology partners working together.

California's Consumer Privacy Act has Been Updated

 

California's unique consumer privacy law was strengthened on January 1 as a result of a ballot initiative that voters endorsed in 2020. A new privacy law that puts new requirements on companies to make sure that employees have more authority over the gathering and utilization of their personal data takes effect this year.

What does California's Consumer Privacy Act imply?

In June 2018, Governor Brown signed the California Consumer Privacy Act (CCPA) into law. A ground-breaking piece of legislation, it imposes requirements on California businesses regarding how they acquire, use, or disclose Californians' data and gives the people of California a set of data rights equal to those found in Europe.

The California Privacy Rights Act (CPRA), which amends the historic California CCPA by extending its protections to staff, job seekers, and independent contractors, will go into effect on January 1, 2023, and firms that employ California residents must ensure they have taken the necessary steps to comply by that date.

An updated version of CCPA

Residents of California can ask for their data to be updated, destroyed, or not sold as a result. These standards now also apply to employers for the first time.

If you've noticed those boxes at the bottom of almost every website asking about your preferences for data privacy, you know the California privacy legislation has a significant impact. Employment lawyer Darcey Groden of Fisher Phillips predicts that it will also apply to employers.

While many businesses have the infrastructure in place to deal with customer data, attorney Darcey Groden noted that the employment connection is significantly more complex. In the job situation, there is just a lot of data that is continually being collected.

In most cases, you will need to account for your human resources file, health information, emails, and surveillance footage. This law is exceedingly intricate and it will be expensive to adhere to it. According to Zoe Argento, it will be particularly difficult for businesses that do not deal with consumers, for instance, businesses in the manufacturing and construction industries.

Companies that have many employees and gather a lot of data, like gig platforms, could also be significantly impacted. They normally do not have a privacy department, so this is quite new to them. Increased accountability around how some platforms use worker data to design their algorithms may result from more transparency.




State Bar of California's Confidential Details Leaked by a Website

 

The State Bar of California is investigating a data breach after learning that a site is publishing sensitive information about 260,000 attorney discipline cases pertaining to California and other jurisdictions. State Bar officials learned of the posted records on Saturday night, Feb 24. The sensitive details posted on the site judyrecords.com include case numbers, information about various cases and statuses, respondents, file dates, and witness names that were removed.

State Bar executive Leah Wilson said in a statement that the bar apologizes for the site's unauthorized display of personal data. The bar takes full responsibility for protecting confidential data with sincerity, and it is currently doing everything it can to resolve the issue quickly and protect respondents from further attacks.

According to officials, full case records were not leaked, and they do not know whether the published information was the result of a hacking attack. Judyrecords.com is a site that covers court case records nationwide.

The State Bar website lets the public search for case details, but the details about the attorney discipline cases published by judyrecords.com are not meant for public access. The information was stored in the State Bar's Odyssey case management system, which is provided by vendor Tyler Technologies.

As per the California Business and Professions Code, disciplinary investigations are confidential until the filing of formal charges. Following the data breach, the State Bar notified law enforcement and asked forensic expert teams to investigate the issue. Tyler Technologies is currently assisting in the inquiry.

Besides this, the State Bar also asked the website's hosting provider to take down the published information. The Judyrecords website says, "Judyrecords is a 100% free nationwide search engine that lets you instantly search hundreds of millions of United States court cases and lawsuits. Judy records have over 100x more cases than Google Scholar and 10x more cases than PACER, the official case management system of the United States federal judiciary. As of Dec 2021, Judy records now features the free full-text search of all United States patents from 1/1/1976 to 11/10/2021 — over 7.9 million patents in total."