Microsoft Blamed For Million-Plus Patient Record Theft At US Hospital Giant

Brandon Vigliarolo reports via The Register: American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen — and claimed a former employee at a Microsoft subsidiary is the likely culprit. Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft-owned Nuance Communications for not cutting off one of its employees’ access to corporate files after that person was fired. The Pennsylvania-based healthcare giant uses Nuance as an IT provider. We’re told that after the Microsoft-owned entity terminated one of its workers, that staffer two days later may have accessed and taken copies of sensitive records on a huge number of Geisinger patients — for reasons as yet unknown.

Geisinger — which says it operates 13 hospitals and has more than 600,000 members — said it discovered the improper access on November 29, informed Nuance, and the IT supplier immediately cut off the former employee from the healthcare group’s data before involving police. “Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now,” Geisinger claimed, explaining why only now this is coming to light. “The former Nuance employee has been arrested and is facing federal charges.” It’s not immediately clear if or what charges have been laid — we’ve asked Geisinger for details.

Speech recognition firm Nuance performed its own probe, according to Geisinger, and determined that the former employee may have stolen information on a million-plus people. That info would include birth dates, addresses, hospital admission and discharge records, demographic information, and other medical data. The ex-employee didn’t swipe insurance or other financial information, the multi-billion-dollar healthcare group stated. “We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges,” Geisinger chief privacy officer Jonathan Friesen alleged, adding: “I am sorry that this happened.”

Read more of this story at Slashdot.

New York Times Source Code Stolen Using Exposed GitHub Token

The New York Times has confirmed that its internal source code was leaked on 4chan after being stolen from the company’s GitHub repositories in January 2024. BleepingComputer reports: As first seen by VX-Underground, the internal data was leaked on Thursday by an anonymous user who posted a torrent to a 273GB archive containing the stolen data. “Basically all source code belonging to The New York Times Company, 270GB,” reads the 4chan forum post. “There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar.”

While BleepingComputer did not download the archive, the threat actor shared a text file containing a complete list of the 6,223 folders stolen from the company’s GitHub repository. The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game. A ‘readme’ file in the archive states that the threat actor used an exposed GitHub token to access the company’s repositories and steal the data. The company said that the breach of its GitHub account did not affect its internal corporate systems and had no impact on its operations. The Times said in a statement to BleepingComputer: “The underlying event related to yesterday’s posting occurred in January 2024 when a credential to a cloud-based third-party code platform was inadvertently made available. The issue was quickly identified and we took appropriate measures in response at the time. There is no indication of unauthorized access to Times-owned systems nor impact to our operations related to this event. Our security measures include continuous monitoring for anomalous activity.”

Read more of this story at Slashdot.

Cooler Master Hit By Data Breach Exposing Customer Information

Computer hardware manufacturer Cooler Master has confirmed that it suffered a data breach on May 19 after a threat actor breached the company’s website, stealing the Fanzone member information of 500,000 customers. BleepingComputer reports: [A] threat actor known as ‘Ghostr’ told us they hacked the company’s Fanzone website on May 18 and downloaded its linked databases. Cooler Master’s Fanzone site is used to register a product’s warranty, request an RMA, or open support tickets, requiring customers to fill in personal data, such as names, email addresses, addresses, phone numbers, birth dates, and physical addresses. Ghostr said they were able to download 103 GB of data during the Fanzone breach, including the customer information of over 500,000 customers.

The threat actor also shared data samples, allowing BleepingComputer to confirm with numerous customers listed in the breach that their data was accurate and that they recently requested support or an RMA from Cooler Master. Other data in the samples included product information, employee information, and information regarding emails with vendors. The threat actor claimed to have partial credit card information, but BleepingComputer could not find this data in the data samples. The threat actor now says they will sell the leaked data on hacking forums but has not disclosed the price. Cooler Master said in a statement to BleepingComputer: “We can confirm on May 19, Cooler Master experienced a data breach involving unauthorized access to customer data. We immediately alerted the authorities, who are actively investigating the breach. Additionally, we have engaged top security experts to address the breach and implement new measures to prevent future incidents. These experts have successfully secured our systems and enhanced our overall security protocols. We are in the process of notifying affected customers directly and advising them on next steps. We are committed to providing timely updates and support to our customers throughout this process.”

Read more of this story at Slashdot.

13.4 Million Kaiser Insurance Members Affected by Data Leak to Online Advertisers

Kaiser Permanente is the latest healthcare giant to report a data breach. Kaiser said 13.4 million current and former insurance members had their patient data shared with third-party advertisers, thanks to an improperly implemented tracking code the company used to see how its members navigated through its websites. Dark Reading reports: The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company’s online health encyclopedia. Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn’t a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.

“The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space,” he explains. “Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome — an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue.”

Read more of this story at Slashdot.

Ring Customers Get $5.6 Million In Refunds In Privacy Settlement

The FTC is issuing more than $5.6 million in refunds to Ring customers as part of a privacy settlement. The Associated Press reports: In a 2023 complaint, the FTC accused the doorbell camera and home security provider of allowing its employees and contractors to access customers’ private videos. Ring allegedly used such footage to train algorithms without consent, among other purposes. Ring was also charged with failing to implement key security protections, which enabled hackers to take control of customers’ accounts, cameras and videos. This led to “egregious violations of users’ privacy,” the FTC noted.

The resulting settlement required Ring to delete content that was found to be unlawfully obtained, establish stronger security protections and pay a hefty fine. The FTC says that it’s now using much of that money to refund eligible Ring customers. According to a Tuesday notice, the FTC is sending 117,044 PayPal payments to impacted consumers who had certain types of Ring devices — including indoor cameras — during the timeframes that the regulators allege unauthorized access took place. Eligible customers will need to redeem these payments within 30 days, according to the FTC — which added that consumers can contact this case’s refund administrator, Rust Consulting, or visit the FTC’s FAQ page on refunds for more information about the process.

Read more of this story at Slashdot.

96% of US Hospital Websites Share Visitor Info With Meta, Google, Data Brokers

An anonymous reader quotes a report from The Guardian: Hospitals — despite being places where people implicitly expect to have their personal details kept private — frequently use tracking technologies on their websites to share user information with Google, Meta, data brokers, and other third parties, according to research published today. Academics at the University of Pennsylvania analyzed a nationally representative sample of 100 non-federal acute care hospitals — essentially traditional hospitals with emergency departments — and their findings were that 96 percent of their websites transmitted user data to third parties. Additionally, not all of these websites even had a privacy policy. And of the 71 percent that did, 56 percent disclosed specific third-party companies that could receive user information.

The researchers’ latest work builds on a study they published a year ago of 3,747 US non-federal hospital websites. That found 98.6 percent tracked and transferred visitors’ data to large tech and social media companies, advertising firms, and data brokers. To find the trackers on websites, the team checked out each hospitals’ homepage on January 26 using webXray, an open source tool that detects third-party HTTP requests and matches them to the organizations receiving the data. They also recorded the number of third-party cookies per page. One name in particular stood out, in terms of who was receiving website visitors’ information. “In every study we’ve done, in any part of the health system, Google, whose parent company is Alphabet, is on nearly every page, including hospitals,” [Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania] observed. “From there, it declines,” he continued. “Meta was on a little over half of hospital webpages, and the Meta Pixel is notable because it seems to be one of the grabbier entities out there in terms of tracking.”

Both Meta and Google’s tracking technologies have been the subject of criminal complaints and lawsuits over the years — as have some healthcare companies that shared data with these and other advertisers. In addition, between 20 and 30 percent of the hospitals share data with Adobe, Friedman noted. “Everybody knows Adobe for PDFs. My understanding is they also have a tracking division within their ad division.” Others include telecom and digital marketing companies like The Trade Desk and Verizon, plus tech giants Oracle, Microsoft, and Amazon, according to Friedman. Then there’s also analytics firms including Hotjar and data brokers such as Acxiom. “And two thirds of hospital websites had some kind of data transfer to a third-party domain that we couldn’t even identify,” he added. Of the 71 hospital website privacy policies that the team found, 69 addressed the types of user information that was collected. The most common were IP addresses (80 percent), web browser name and version (75 percent), pages visited on the website (73 percent), and the website from which the user arrived (73 percent). Only 56 percent of these policies identified the third-party companies receiving user information. In lieu of any federal data privacy law in the U.S., Friedman recommends users protect their personal information via the browser-based tools Ghostery and Privacy Badger, which identify and block transfers to third-party domains.

Read more of this story at Slashdot.

Four Baseball Teams Now Let Ticket-Holders Enter Using AI-Powered ‘Facial Authentication’

“The San Francisco Giants are one of four teams in Major League Baseball this season offering fans a free shortcut through the gates into the ballpark,” writes SFGate.

“The cost? Signing up for the league’s ‘facial authentication’ software through its ticketing app.”

The Giants are using MLB’s new Go-Ahead Entry program, which intends to cut down on wait times for fans entering games. The pitch is simple: Take a selfie through the MLB Ballpark app (which already has your tickets on it), upload the selfie and, once you’re approved, breeze through the ticketing lines and into the ballpark. Fans will barely have to slow down at the entrance gate on their way to their seats…

The Philadelphia Phillies were MLB’s test team for the technology in 2023. They’re joined by the Giants, Nationals and Astros in 2024…

[Major League Baseball] says it won’t be saving or storing pictures of faces in a database — and it clearly would really like you to not call this technology facial recognition. “This is not the type of facial recognition that’s scanning a crowd and specifically looking for certain kinds of people,” Karri Zaremba, a senior vice president at MLB, told ESPN. “It’s facial authentication. … That’s the only way in which it’s being utilized.”

Privacy advocates “have pointed out that the creep of facial recognition technology may be something to be wary of,” the article acknowledges. But it adds that using the technology is still completely optional.

And they also spoke to the San Francisco Giants’ senior vice president of ticket sales, who gushed about the possibility of app users “walking into the ballpark without taking your phone out, or all four of us taking our phones out.”

Read more of this story at Slashdot.

Over 15,000 Roku Accounts Sold To Buy Streaming Subscriptions, Devices

Over 15,000 Roku customers were hacked and used to make fraudulent purchases of hardware and streaming subscriptions. According to BleepingComputer, the threat actors were “selling the stolen accounts for as little as $0.50 per account, allowing purchasers to use stored credit cards to make illegal purchases.” From the report: On Friday, Roku first disclosed the data breach, warning that 15,363 customer accounts were hacked in a credential stuffing attack. A credential stuffing attack is when threat actors collect credentials exposed in data breaches and then attempt to use them to log in to other sites, in this case, Roku.com. The company says that once an account was breached, it allowed threat actors to change the information on the account, including passwords, email addresses, and shipping addresses. This effectively locked a user out of the account, allowing the threat actors to make purchases using stored credit card information without the legitimate account holder receiving order confirmation emails.

“It appears likely that the same username/password combinations had been used as login information for such third-party services as well as certain individual Roku accounts,” reads the data breach notice. “As a result, unauthorized actors were able to obtain login information from third-party sources and then use it to access certain individual Roku accounts. “After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions.” Roku says that it secured the impacted accounts and forced a password reset upon detecting the incident. Additionally, the platform’s security team investigated for any charges due to unauthorized purchases performed by the hackers and took steps to cancel the relevant subscriptions and refund the account holders.

A researcher told BleepingComputer last week that the threat actors have been using a Roku config to perform credential stuffing attacks for months, bypassing brute force attack protections and captchas by using specific URLs and rotating through lists of proxy servers. Successfully hacked accounts are then sold on stolen account marketplaces for as little as 50 cents, as seen below where 439 accounts are being sold. The seller of these accounts provides information on how to change information on the account to make fraudulent purchases. Those who purchase the stolen accounts hijack them with their own information and use stored credit cards to purchase cameras, remotes, soundbars, light strips, and streaming boxes. After making their purchases, it is common for them to share screenshots of redacted order confirmation emails on Telegram channels associated with the stolen account marketplaces.

Read more of this story at Slashdot.

License Plate-Scanning Company Violates Privacy of Millions of California Drivers, Argues Class Action

“If you drive a car in California, you may be in for a payday thanks to a lawsuit alleging privacy violations by a Texas company,” report SFGate:

The 2021 lawsuit, given class-action status in September, alleges that Digital Recognition Network is breaking a California law meant to regulate the use of automatic license plate readers. DRN, a Fort Worth-based company, uses plate-scanning cameras to create location data for people’s vehicles, then sells that data to marketers, car repossessors and insurers.

What’s particularly notable about the case is the size of the class. The court has established that if you’re a California resident whose license plate data was collected by DRN at least 15 times since June 2017, you’re a class member. The plaintiff’s legal team estimates that the tally includes about 23 million people, alleging that DRN cameras were mounted to cars on public roads. The case website lets Californians check whether their plates were scanned.

Barring a settlement or delay, the trial to decide whether DRN must pay a penalty to those class members will begin on May 17 in San Diego County Superior Court…

The company’s cameras scan 220 million plates a month, its website says, and customers can use plate data to “create comprehensive vehicle stories.”

A lawyer for the firm representing class members told SFGATE Friday that his team will try to show DRN’s business is a “mass surveillance program.”

Read more of this story at Slashdot.