Cyber Liability, a GDPR Violation First, HackenProof Discovers Chinese Exposures
TLP White: In this edition of Hacking Healthcare, we begin by discussing a cyber liability insurer’s invocation of a not-so-obscure contractual exclusion in an attempt to avoid paying out on an insured’s claim. Then, we turn to an alleged General Data Protection Regulation (“GDPR”) violation that resulted in the first ever GDPR fine imposed by a Portuguese data protection authority on a hospital system. Finally, we discuss a recent discovery by a bug bounty and vulnerability research firm which revealed that the resumes and personal data of over 200 million Chinese citizens had been exposed online.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Cyber Liability Insurer Cites “Warlike Action” Exclusion in Effort to Escape Payout.
Mondelez, a large food corporation that owns major brands such as Ritz and Nabisco, has brought a $100 million lawsuit against its cyber liability insurer, Zurich Insurance Group (“Zurich”), for refusing to pay out on a claim related to the NotPetya ransomware attacks.[1] The NotPetya attacks struck Mondelez and other global companies in 2017 and posed a unique and formidable threat due to their ability to corrupt data in the course of the ransomware process.[2] Mondelez has claimed that thousands of its servers and laptops were infected by NotPetya, and that further losses resulted from compromised user credentials and unfulfilled customer orders in the fallout of the attacks.[3]
Zurich’s basis for refusing to honor Mondelez’s claim is that, while the insurance policy covered “physical loss or damage to electronic data, programs, or software,” it excluded cyber-attacks that spread as “hostile or warlike action in time of peace or war.”[4] In early 2018, the United States, United Kingdom, Canada, Australia, and New Zealand formally blamed Russia for the NotPetya attacks in what was later revealed to be a coordinated diplomatic action.[5] This and a number of other public statements by world governments appear to be the crux of Zurich’s argument for refusing to pay out on Mondelez’s claim. Mondelez will argue that it is a non-military target that operated far from the location of any warfare, that the damage it suffered did not result in loss of life or injury, and that the attacks did not constitute a military action intended for “coercion or conquest,” which are the circumstances the war exclusion was allegedly intended to address.[6]
2. GDPR Fine Issued Against Portugal-Based Hospital.
The Portuguese data protection authority, the Comissão Nacional de Protecção de Dados (“CNPD”), recently fined a Portuguese hospital €400,000 for failing to abide by the GDPR’s terms. Specifically, the CNPD has claimed that Centro Hospitalar Barreiro Montijo failed to: (1) implement appropriate technical and organizational safeguards to protect patient data; (2) minimize data in order to limit access to sensitive health information; and (3) ensure the confidentiality, integrity, and availability of medical systems and services.[7] The hospital intends to challenge the fine, arguing in part that the CNPD has not yet been formally given the authority to enforce the GDPR and that the IT system at the center of the CNPD’s claims was provided to the hospital by the Portuguese government itself.[8]
On top of the fact that this is the first ever GDPR fine levied on a Portuguese hospital and the first ever GDPR fine issued by the CNPD, the fine was prompted by a newspaper exposé rather than a formal complaint submitted to the CNPD.[9] Whether the fine and the CNPD’s reasoning can withstand the hospital’s challenge remains to be seen. However, this action shows that European data protection authorities are not timid when it comes to enforcing the GDPR, and that data protection authorities in general are aware of the importance of robust and organized GDPR compliance plans.
3. 200 Million Chinese Citizens’ Resumes (and Personal Information) Exposed Online.
White hat hackers from the bug bounty and research firm HackenProof discovered that over 200 million Chinese citizens’ resumes had been exposed online.[10] Detailed information such as individuals’ names, phone numbers, email addresses, educational histories, political affiliations, and other personal details was openly accessible via a MongoDB database hosted on a cloud server reachable from the Internet.[11] Researchers believe that the data trove was compiled by a third party who “scraped” a number of Chinese job search sites to assemble the job-seekers’ personal information.[12]
Sensitive and personal information can oftentimes become available through avenues that are not immediately obvious. In this case, sensitive information was collected from a number of online job portals to which unsuspecting people had willingly submitted resumes containing personal data. This occurrence underscores that data classification and management efforts are exceedingly important in the current climate. Companies need to carefully consider and have a plan for all potential threats in order to most effectively avoid damaging breaches of personal information.
Congress –
Tuesday, January 15:
–No relevant hearings.
Wednesday, January 16:
–No relevant hearings.
Thursday, January 17:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19)
<https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
<https://nhisac.org/events/nhisac-events/first-symposium-2019/>
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19-4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/19-4/16/19)
<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–HEALTH IT Summit (Florida) – Wesley Chapel, FL (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19)
<https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
Sundries –
—CARRIERS SWORE THEY’D STOP SELLING LOCATION DATA. WILL THEY EVER?
<https://www.wired.com/story/carriers-sell-location-data-third-parties-privacy/>
—A YUBIKEY FOR IOS WILL SOON FREE YOUR IPHONE FROM PASSWORDS
<https://www.wired.com/story/yubikey-lightning-ios-authentication-passwords/>
—HOW HEALTH CARE DATA AND LAX RULES HELP CHINA PROSPER IN AI
<https://www.wired.com/story/health-care-data-lax-rules-help-china-prosper-ai/>
—Kaspersky blew whistle on NSA hacking tool hoarder
<https://arstechnica.com/tech-policy/2019/01/kaspersky-blew-whistle-on-nsa-hacking-tool-hoarder/>
—Hot new trading site leaked oodles of user data, including login tokens
<https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/>
—Tim Cook points at new services and health-tech propelling Apple’s future
<https://arstechnica.com/gadgets/2019/01/tim-cook-points-at-new-services-and-health-tech-propelling-apples-future/>
—Hyatt Launches Public Bug Bounty Program on HackerOne
<https://www.bleepingcomputer.com/news/security/hyatt-launches-public-bug-bounty-program-on-hackerone/>
—CryptoMix Ransomware Exploits Sick Children to Coerce Payments
<https://www.bleepingcomputer.com/news/security/cryptomix-ransomware-exploits-sick-children-to-coerce-payments/>
—Americans resigned to cyberattacks on infrastructure, elections, survey finds
<https://www.cyberscoop.com/americans-resigned-to-cyberattacks-on-infrastructure-elections-survey-finds/>
—Security Concerns Limit Remote Work Opportunities
—NCSC Launches Nation-State Cyber Threat Protection Program for Businesses
<https://www.darkreading.com/vulnerabilities—threats/ncsc-launches-nation-state-cyber-threat-protection-program-for-businesses/d/d-id/1333615?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple>
Contact us: follow @HealthISAC, and email at
[1] https://www.darkreading.com/attacks-breaches/notpetya-victim-mondelez-sues-zurich-insurance-for-$100-million/d/d-id/1333640
[2] https://www.cnn.com/2019/01/11/business/cyber-attacks-insurance/index.html
[3] https://www.zdnet.com/article/notpetya-an-act-of-war-cyber-insurance-firm-taken-to-task-for-refusing-to-pay-out/
[4] https://www.infosecurity-magazine.com/news/zurich-refuses-to-pay-out-for/
[5] https://www.infosecurity-magazine.com/news/five-eyes-united-blaming-russia/
[6] https://www.bloomberg.com/opinion/articles/2019-01-11/mondelez-lawsuit-shows-the-dangers-of-attributing-cyberattacks
[7] https://www.hipaajournal.com/first-hospital-gdpr-violation-penalty-issued-portuguese-hospital-to-pay-e400000-gdpr-fine/
[8] https://iapp.org/news/a/first-gdpr-fine-in-portugal-issued-against-hospital-for-three-violations/
[9] https://www.hipaaguide.net/portuguese-hospital-the-first-to-pay-e400000-as-gdpr-violation-fine/; https://iapp.org/news/a/first-gdpr-fine-in-portugal-issued-against-hospital-for-three-violations/
[10] https://techcrunch.com/2019/01/11/202-million-job-seekers-personal-data-exposed/
[11] https://www.zdnet.com/article/cvs-containing-sensitive-info-of-over-202-million-chinese-users-left-exposed-online/
[12] https://www.bbc.com/news/technology-46864584