Archive for June, 2017
Data breach litigation continues to fill the courts in all stages, with a new class action filed against Tempur Sealy International and the dismissal of a suit against Barnes & Noble.
In the new action, New York resident Michelle Provost claims that Tempur Sealy (and Aptos Inc., the company’s website host) failed to appropriately safeguard customers’ personal information. The defendants’ poor data security practices and decision not to abide by best practices and industry standards resulted in a February 2016 breach that compromised sensitive consumer data, including names, addresses, email addresses, telephone numbers, and payment card account numbers and expiration dates, the plaintiff alleged.
“Defendants allowed widespread and systematic theft of their customers’ personal information,” according to the complaint. “Defendants’ actions did not come close to meeting the standards of commercially reasonable steps that should be taken to protect customers’ personal information.”
The defendants also waited too long to disclose the extent of the breach and notify affected consumers in a timely manner, Provost claimed. She used her debit card to make two purchases from the Tempur Sealy website in 2016, but when she reviewed her bank statements after being notified of the breach, she found at least one fraudulent charge that was incurred after the hack occurred.
Aptos became aware of the breach in November 2016 but held off informing Tempur Sealy until February 2017 (on the instructions of law enforcement). Tempur Sealy did not give its customers a heads-up until April 2017, and neither defendant has yet disclosed the full extent of the breach, Provost added.
Asserting claims against the defendants for violations of state consumer protection statutes, state data breach statutes, negligence, breach of implied contract and unjust enrichment, the action seeks to recover actual and statutory damages as well as injunctive relief to prevent another breach, including an order requiring the defendants to implement and maintain adequate security measures.
In a separate action, Barnes & Noble was able to dodge consolidated litigation based on similar claims after hackers stole customer credit and debit card information from PIN pad terminals in 63 stores in nine states in September 2012. The court dismissed the first two complaints for lack of standing and failure to plead a viable claim, respectively.
The plaintiffs’ third effort was not the charm, despite the fact that they dropped some claims and added factual allegations about their injuries, namely that one had her bank account put on hold, had to spend time with police and bank employees sorting out her financial affairs, lost the value of her personally identifiable information (PII), and suffered emotional distress because she had to renew her credit monitoring service to protect against future fraud.
But U.S. District Court Judge Andrea R. Wood was not persuaded that the updated complaint alleged economic or out-of-pocket damages caused by the data breach, as required by the breach of contract, Illinois Consumer Fraud and Deceptive Business Practices Act, and California Unfair Competition Act claims.
“Plaintiffs’ alleged injuries as to the value of their PII, their time spent with bank and police employees, and any emotional distress they might have suffered are not injuries sufficient to state a claim,” the court said. “In a similar vein, Plaintiffs’ temporary inability to use their bank accounts is also insufficient to state a claim—the temporary inability to use a bank account is not a monetary injury in itself, and Plaintiffs have not set forth any allegations about how they suffered monetary injury due to the inconvenience of not being able to access their accounts.”
Cellphone minutes lost speaking to bank employees were a de minimis cost and too attenuated from Barnes & Noble’s conduct to qualify as a redressable injury, the court added. As for the plaintiff’s renewal of her credit monitoring service, she failed to plausibly allege that the purchase was attributable to the breach, the court said. The plaintiff alleged that the data breach only played a part in her decision to renew the service, “and thus this alleged injury is still insufficient to state a claim.”
Granting the defendant’s motion to dismiss, Judge Wood said further opportunities for amendments to the complaint “would be futile,” dismissing the suit with prejudice.
To read the complaint in Provost v. Aptos, Inc., click here.
To read the order in In re Barnes & Noble Pin Pad Litigation, click here.
Why it matters: The cases demonstrate the challenges facing data breach cases, namely the difficulty of establishing standing and of stating a viable claim, as the Barnes & Noble litigation shows. Despite these uphill battles, plaintiffs (like those in the suit against Tempur Sealy) continue to file class actions.
A June 28 article in Bloomberg BNA’s Privacy Law Watch and other publications, “Anthem Class Suit Highlights Data Breach Risks,” reported that Anthem Inc.’s recent $115 million settlement to resolve a 2015 data breach shows that healthcare companies that experience data breaches need to prepare for more than just federal government penalties. Day Pitney healthcare attorney Eric Fader was quoted in the article.
Eric told Bloomberg BNA that healthcare providers and insurers hit by data breaches now have to worry about not only investigations and enforcement actions by the Department of Health and Human Services’ Office for Civil Rights, but also state attorneys general and plaintiffs’ lawyers. “I have no doubt that we’ll be seeing more of these class-action suits and settlements as data breaches continue to proliferate,” Eric said.
Eric also expressed surprise that there haven’t been more private lawsuits in the nearly three years since the Connecticut Supreme Court ruled that HIPAA does not preempt negligence and breach of confidentiality claims in state courts, as discussed here.
Leslie A. Pappas
The Delaware House has moved legislation that would strengthen the state’s data breach
The bill would require any person doing business in Delaware to safeguard personal information. It would expand the definition of personal information to include medical information, biometric data, user names and passwords, passport numbers, routing numbers to accounts, and individual taxpayer identification numbers.
The bill would also add a new requirement that companies notify the state attorney general of breaches affecting more than 500 residents.
The bill brings clarity to the rules for businesses that hold personal information and balances their needs with increased protections for Delaware residents, William R. Denny, privacy partner at Potter Anderson & Corroon LLP, in Wilmington, Del., who was involved in drafting the measure on behalf of the Delaware State Bar Association, told Bloomberg BNA June 29.
Delaware’s law on data breaches hasn’t changed since 2005 and is “in dire need of an update,” he said.
The bill would also require companies to provide a year of identity theft protection services to any Delaware resident whose Social Security number is compromised in a security breach. If passed, Delaware would become the third state in the country, after California and Connecticut, to enact such a measure, Denny said.
Creating a uniform policy “is one of the hallmarks of the bill,” Rep. Paul Baumbach (D), the bill’s sponsor, told Bloomberg BNA when the measure was first introduced.
Baumbach said that he expects a Senate vote June 30, the last day of the legislative session. Gov. John Carney (D) supports the measure and is expected to sign it, the governor’s office told Bloomberg BNA June 29.
Data Breach Bill Changes
The bill would apply to any legal or commercial entity in the state that uses personal information, unless the company is part of an industry already covered by more stringent data protection measures under state or federal law, such as the health care and finance industries, Baumbach said.
The bill would also:
- tweak the definition of personal information to include biometric data, user names and passwords, and individual taxpayer identification numbers;
- add a clear timeline for notification, requiring business owners to investigate and notify consumers of a data breach within 60 days; and
- clarify the risk-of-harm analysis, obligating businesses to notify consumers of a security breach unless an investigation shows the breach is unlikely to result in
The House June 28 voted 37-3 to approve an amended substitute version of the bill, House Substitute 1 for House Bill 180, which revised some terminology to reflect input from a wide group of stakeholders.
Stakeholders included Delaware’s Department of Justice and Department of Technology and Information, the governor’s office, small business groups, and an industry coalition of companies that use consumer data, including Facebook Inc., Alphabet Inc.’s Google, Amazon.com Inc., Comcast Corp., and Verizon Communications Inc., Denny said.
For more information: House Substitute 1 for House Bill 180 (revised version).
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
Article source: https://www.bna.com/delaware-house-moves-n73014461026/
The Government Digital Service (GDS) has told users to change their passwords following a security breach affecting one of its websites.
During a routine security review, GDS found that it had left a clutch of usernames and email addresses on a publicly accessible system.
A spokesperson for the Cabinet Office said: “During a routine review of data.gov.uk, it was discovered that a file containing some users’ names, emails and hashed passwords was publicly accessible on a third-party system.” Hashing stores a one-way transform of the password rather than the password itself, so anyone holding the file has to guess candidate passwords and hash each one; how much protection that gives depends on the hash function and on whether each password was salted, neither of which the statement specified. Fast, unsalted hashes fall quickly to dictionary attacks, so anyone who reused their data.gov.uk password elsewhere should change it there as well.
Data.gov.uk helps users to find information published by government departments and agencies, public bodies and local authorities. The data is used to help people to learn more about how the government works, carry out research and to build applications or services based on the data.
The spokesperson added that it was very recently discovered and action was taken to notify users and the UK’s data watchdog, the Information Commissioner’s Office, as soon as possible. The breach affects users who signed up to data.gov.uk on or before 20 June 2015.
“There is no evidence of misuse of anyone’s credential and users have been asked to reset their passwords purely as a precautionary measure,” said the spokesperson.
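To make that caveat concrete, the following is an added Python example (not code from GDS or data.gov.uk; the accounts, passwords and wordlist are constructed for illustration). It contrasts an unsalted SHA-1 password store with a salted PBKDF2 store: the same five-entry dictionary cracks the SHA-1 digests immediately and also reveals, from equal digests alone, which users share a password, whereas the PBKDF2 records differ per user and cost 100,000 HMAC-SHA256 computations per guess. A weak password still falls to the slower scheme, which is why a precautionary reset remains the right call.

```python
"""Why 'hashed' is not the same as 'safe': unsalted fast hash vs salted PBKDF2.

Added example; the accounts, passwords and wordlist below are constructed
for illustration and are not data from the data.gov.uk incident.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed attacker wordlist (a real one would have millions of entries).
WORDLIST = ["123456", "password", "letmein", "Summer2015!", "qwerty"]

ITERATIONS = 100_000  # PBKDF2 work factor; raise this on real systems


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, salt-free digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest: str, wordlist) -> Optional[str]:
    """Offline dictionary attack: one SHA-1 per candidate, no per-user work."""
    for candidate in wordlist:
        if unsalted_sha1(candidate) == digest:
            return candidate
    return None


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """The stronger scheme: random 16-byte salt plus iterated HMAC-SHA256.

    Returns a self-describing record so the verifier can recover the parameters.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Constant-time check of a password against a stored PBKDF2 record."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(record: str, wordlist) -> Optional[str]:
    """Same dictionary attack, but every guess costs `iterations` HMACs and the
    per-user salt means the work cannot be precomputed or shared across users."""
    for candidate in wordlist:
        if verify_pbkdf2(candidate, record):
            return candidate
    return None


def shared_password_groups(digests: dict) -> dict:
    """Group usernames whose stored digests are identical.

    With an unsalted hash, equal digests mean equal passwords, so cracking
    one account in a group cracks all of them.
    """
    groups: dict = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def demo() -> dict:
    # Constructed leaked file: three accounts, two of which reuse a password.
    leaked_sha1 = {
        "alice": unsalted_sha1("Summer2015!"),
        "bob": unsalted_sha1("Summer2015!"),
        "carol": unsalted_sha1("correct horse battery staple"),
    }
    sha1_result = {u: crack_unsalted(d, WORDLIST) for u, d in leaked_sha1.items()}

    pbkdf2_store = {
        "alice": pbkdf2_record("Summer2015!"),
        "bob": pbkdf2_record("Summer2015!"),
    }
    pbkdf2_result = {u: crack_pbkdf2(r, WORDLIST) for u, r in pbkdf2_store.items()}

    return {
        "sha1_cracked": sha1_result,
        "sha1_reuse_groups": shared_password_groups(leaked_sha1),
        "pbkdf2_cracked": pbkdf2_result,
        "pbkdf2_records_differ": pbkdf2_store["alice"] != pbkdf2_store["bob"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module cracks both SHA-1 accounts that used "Summer2015!" in a fraction of a millisecond and leaves "carol" uncracked only because her passphrase is not in the wordlist; the PBKDF2 side still recovers the weak password, but only after 100,000 iterations per candidate per user, and the two records for the same password are not equal, so an attacker cannot tell from the file alone that alice and bob share one.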
Anthem has reached a $115 million deal to settle a class-action lawsuit over a 2015 data breach in which hackers stole personal information from 78.8 million employees and current and former members.
The settlement is the largest data-breach settlement to date. As part of the deal, Anthem will offer two years of credit protection to those affected, in addition to the two years of monitoring they already received, and will set aside funding for cybersecurity improvements, including modifying its current cybersecurity systems. It will also set aside $15 million to pay plaintiffs for out-of-pocket costs due to the breach.
The deal comes more than two years after Anthem announced hackers had gained access to its IT system. They stole the names, birthdates, Social Security numbers, addresses, and other information of tens of millions of people.
“As we have seen in cyberattacks against governments and private sector companies including Anthem over the past few years, many cyberthreat actors are increasingly sophisticated and determined adversaries,” the company wrote in a statement. “Anthem is determined to do its part to prevent future attacks.”
The settlement must be approved by a U.S. District Court in California.
Article source: http://www.modernhealthcare.com/article/20170623/NEWS/170629931
Ponemon Institute Study on Costs of Data Breaches Highlights Improvement and New Risks for US and Global …
Law360, New York (June 29, 2017, 9:04 PM EDT) — A California federal judge on Wednesday tossed a proposed class action against Starwood Hotels alleging the hotelier did not timely report a data breach of customer information, saying that the customer who sued did not respond adequately to a request for more information.
U.S. District Judge Gonzalo P. Curiel dismissed without prejudice lead plaintiff Paul Dugas’ second amended complaint against Starwood Hotels & Resorts Worldwide Inc., ruling that the San Diego resident failed to respond to three deficiencies in his pleading and address the court’s concerns…
PORTSMOUTH — A data breach of local medical provider Atlantic Digestive Specialists “may alter the security of personal information” for 94,195 New Hampshire residents, according to a notice the company sent to the New Hampshire attorney general’s office.
Atlantic Digestive Specialists (ADS) said it has not found evidence that anyone’s personal information was compromised but did determine on Feb. 20 that “some of its systems were infected by ransomware.” The medical company reported to the attorney general’s office that it fixed the problem within two days, then on April 21, sent notifications to its customers.
ADS is a group of gastroenterologists with offices in Somersworth, Hampton and Portsmouth.
Senior Assistant Attorney General James Boffetti, who heads the consumer protection bureau, said the fact that customers were notified two months after the problem was discovered is not unreasonable and, unfortunately, the data breach is not uncommon.
“We get notified about so many of these things it’s frightening,” Boffetti said. “I bet we get 10 a week on average.”
Based in Somersworth, ADS reported to the attorney general’s office that its investigation remains ongoing and it’s working with a third-party forensic investigator to “determine the full nature and scope of this incident.”
“To date, ADS has no evidence of any actual or attempted misuse of information as a result of this incident,” it reported to the attorney general’s office.
In response to a request for an interview, ADS practice administrator David Hutton said, “The letter itself has a great amount of detail and we are going to let it speak for itself.”
“We have also posted a notice on our website and do not have any additional comment at this time, except to say that we have notified our patients and offered one year of credit monitoring out of an abundance of caution,” he said. “We have no evidence at this time that any patient information was extracted from our system.”
ADS is offering a year of credit monitoring for its customers through Equifax. Boffetti said all consumers, not just ADS customers, are entitled to one free credit report a year from each of the credit bureaus, including Equifax, and he recommends they take advantage of it. He said it’s a way to check that there’s no suspicious activity on credit reports, and if any fraud is found, an alert can be placed on the file.
“I tell people to do a couple of checks a year,” Boffetti said. “And I tell them to check your bank statements. It’s amazing to me how many people do not.”
Parliament has summoned three ministers over measures being taken to protect sensitive state data.
The Ministers for Communications, Interior and National Security would be required to provide a joint briefing to Parliament on the coordination of their activities to protect data.
The directive follows concerns raised by MPs on the laxity in Ghana’s laws on the protection of data after the Data Protection Commission recently indicted some private and state institutions over breaches in data protection.
The First Deputy Speaker, Joseph Osei Owusu, issued the directive on the back of a statement from the MP for Juaben, Ama Pomaa Boateng, asking the ministers to brief the House on the steps they are taking to protect data in view of happenings around the globe.
“In the circumstances, I direct that the Ministers of National Security, Interior and Communication come to brief the House and the committee to assure members that data collected from us and indeed from national state institutions are well protected,” he said.
By: Duke Mensah Opoku/citifmonline.com/Ghana
June 29, 2017 – In April, Saint Thomas Health discovered a potential health data breach involving patient information at its facility in Murfreesboro, Tennessee.
The breach potentially impacted 2,859 Saint Thomas patients, the organization said in an online statement.
Hospital documents belonging to Saint Thomas Rutherford Hospital were found along a remote, rural road in DeKalb County.
The misplaced documents contained information including patient names, dates of birth, admitting diagnoses, account numbers, and physician name.
However, an investigation into the incident revealed the documents did not contain any patient Social Security numbers or patient medical records.
The reports contained a small sample of patient census logs taken throughout 2009 and 2010.
Presently, investigators have not revealed the identity or identities of individuals responsible for the incident.
“Protecting the privacy of our patients’ information is always a top priority for us at Saint Thomas Health and Ascension,” said Corporate Responsibility Officer and Corporate Privacy Officer of Saint Thomas Health Cynthia Figaro. “Once we were made aware of this breach, we immediately investigated the incident to ensure that no further disclosures were made. Based on our investigation, we do not believe that there is a financial risk to our patients. We sincerely apologize for this incident.”
Saint Thomas has notified potentially impacted patients and hired a vendor to ensure all storage files are secure and accounted for before being destroyed.
The health system has also set up a call center to answer any questions concerned patients may have regarding the safety of their information.
Potential ransomware infection hits Cleveland medical center, encrypts PHI
On April 21, 2017, Cleveland Medical Associates found that its computer network had potentially been infected by ransomware the previous night.
While information on the computer had been encrypted and locked, Cleveland Medical said in a statement posted to its website that no evidence exists to suggest patient data has been compromised.
Additionally, the ransomware infection has not impacted the medical center’s ability to care for its patients.
In response to the incident, Cleveland Medical implemented a new medical records system and analyzed its security procedures in an effort to avoid similar incidents in the future. The medical center also hired a forensic investigation firm to determine which patient information was potentially impacted by the event.
According to Cleveland Medical, there is no evidence to suggest any patient’s PHI has been stolen or misused.
However, the investigation was unable to determine whether any individual had gained unauthorized access to patient PHI. That uncertainty is why the incident was still treated as a reportable breach: under the HHS Office for Civil Rights’ 2016 ransomware guidance, encryption of electronic PHI by ransomware is presumed to be a breach unless a risk assessment demonstrates a low probability that the PHI was compromised.
Information contained on the affected server included demographic information such as patient names, addresses, telephone numbers, email addresses, and Social Security numbers. Additionally, clinical information such as medical records, and other data such as insurance billing information were contained on the affected server.
Cleveland Medical notified potentially impacted patients of the incident and is providing concerned patients with free identity protection services for one year.
The medical center has not revealed how many patients were impacted by the breach.
Experian Health security breach potentially impacts Southern Illinois Healthcare
Two of Experian Health’s electronic platforms recently experienced an error resulting in the delivery of certain Southern Illinois Healthcare (SIH) patient information to incorrect medical facilities.
Experian Health notified SIH of the potential breach on April 28, 2017, SIH said in its data breach notification letter.
According to Experian Health, the breach likely occurred between February 13 and March 13, 2017 during a server migration project as a result of an isolated error.
Misdirected data included dates of birth, gender, addresses, Medicare ID/HIC numbers, insurance information, and Medicaid case numbers.
Experian Health stated the information would have only been viewed or saved by another covered entity governed by HIPAA and subject to the same privacy requirements as SIH, and not the general public.
Upon discovering the error, Experian Health identified the cause of the error and corrected the problem.
SIH also conducted its own investigation into the incident and verified that Experian Health has fixed the error.
The health system has offered free identity protection services for two years to all SIH patients that may have been affected.
Additionally, SIH set up a call center to answer any additional questions potentially impacted patients may have regarding the incident.
Aetna inadvertently exposes patient information of Ohio, Texas residents
The patient information of 1,708 Ohio residents with Aetna insurance was recently exposed online for a period of time.
“The information available online generally included first name, last name, Aetna member identification number, provider information, claim payment amount, and in some cases procedure/service codes and dates of service,” said Aetna in a statement in Metro News.
The insurance provider said in May that the potential breach occurred as a result of two computer services displaying documents to unintended recipients.
To resolve the issue, Aetna blocked search engines from displaying any information contained in the documents. Blocking search-engine indexing stops new discovery through search, but it does not by itself revoke access to a document that is still reachable at its URL, nor remove copies that search engines or visitors have already cached.
Aetna stated it is notifying patients of the incident and setting up a toll-free call center to answer any questions concerned patients may have.
Aetna added there currently exists no evidence suggesting any patient information was misused in any way.
Additionally, no patient Social Security numbers were exposed in the breach.
A similar incident also potentially impacted the information of 522 Texas residents receiving health insurance through Aetna, according to a Statesman report.
As with the breach in Ohio, this incident also involved patient names, Aetna member identification numbers, provider information, claim payment amounts, and sometimes service codes and dates of service.