Cybersecurity and Data Privacy in the USA: January 1 – 7, 2024

Welcome to this week’s round-up of the biggest and most interesting news stories in the US.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

LockBit claims responsibility for Capital Health security incident

The LockBit ransomware group has claimed responsibility for an attack on Capital Health, a health care provider in Pennington, New Jersey, last November. The group has allegedly exfiltrated more than 10 million files. Capital Health operates two hospitals in the New Jersey-Pennsylvania region: Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell.

Data breached: >10 million records.

HealthEC LLC breached, almost 4.5 million individuals affected

HealthEC LLC, a health technology company, has announced that it suffered a data breach in July 2023, in which systems were accessed and files were copied. Information relating to nearly 4.5 million people was compromised, including names, addresses, dates of birth, Social Security numbers, taxpayer identification numbers, medical information, health insurance information, and billing and claims information.

Data breached: 4,452,782 records.

National Automobile Dealers Association allegedly breached – more than 1 million lines stolen

IntelBroker has listed 7 databases belonging to the National Automobile Dealers Association on a dark web forum. The compromised databases contain 300,000 lines of customer phones; 58,000 lines of customer payments; 81,000 lines of customer invoices; 108,000 lines of customer emails; and 518,000 lines of customer cards.

Data breached: 1,065,000 lines.


Publicly disclosed data breaches and cyber attacks: full list

This week, we’ve found 21,466,130 records known to be compromised, and 55 organizations suffering a newly disclosed incident. 52 of them are known to have had data exfiltrated, exposed, or otherwise breached. For none of them has a data breach been definitively ruled out.

We’ve also found 7 organizations providing a significant update on a previously disclosed incident.

| Organization(s) | Sector | Data breached? | Known records breached |
|---|---|---|---|
| Capital Health (Source 1; source 2) (Update) | Health care | Yes | >10,000,000 |
| HealthEC (Source 1; source 2) (Update) | Software | Yes | 4,452,782 |
| National Automobile Dealers Association (Source) (New) | Retail | Yes | 1,065,000 |
| The Teaching Company (Wondrium by The Great Courses) (Source) (New) | Education | Yes | 1.3 TB |
| Halara Cannabis (Source) (New) | Manufacturing | Yes | >1,000,000 |
| Bradford Health Services (Source) (New) | Health care | Yes | 626,837 |
| Electrostim Medical Services, Inc. (Source 1; source 2) (New) | Manufacturing | Yes | 542,990 |
| North Kansas City Hospital (Source 1; source 2) (New) | Health care | Yes | 502,438 |
| Gunning & LaFazia, Inc. (Source) (New) | Legal | Yes | 310,297 |
| Leonard’s Express (Source) (New) | Transport | Yes | 182 GB |
| Edmonds School District (Source) (New) | Education | Yes | 145,844 |
| NALS Apartment Homes (Source) (New) | Real estate | Yes | 145 GB |
| GeoLogics Corporation (Source) (New) | IT services | Yes | 122.89 GB |
| Meridian Behavioral Healthcare, Inc. (Source 1; source 2; source 3; source 4) (Update) | Health care | Yes | 98,808 |
| ConsensioHealth, LLC (Source) (New) | Health care | Yes | 60,871 |
| Network180 (Source 1; source 2; source 3) (New) | Health care | Yes | 59,334 |
| UKG Inc. and New York City Health and Hospitals (Source) (New) | Software | Yes | 45,966 |
| Southeastern Orthopaedic Specialists (Source 1; source 2) (New) | Health care | Yes | 35,533 |
| Diablo Valley Oncology & Hematology Medical Group (Source) (New) | Health care | Yes | >30 GB |
| Project M.O.R.E., Inc. (Source) (New) | Non-profit | Yes | 26,390 |
| Housing Authority of the County of San Bernardino (Source) (New) | Public | Yes | 18,689 |
| Kershaw County School District (Source) (New) | Education | Yes | 17.5 GB |
| Fincantieri Marine Group, LLC (Source) (New) | Manufacturing | Yes | 16,769 |
| Buckley King LPA (Source) (New) | Legal | Yes | 15,282 |
| Quaker Windows & Doors (Source 1; source 2) (Update) | Retail | Yes | 10,988 |
| Senior Scripts (Source 1; source 2) (New) | Health care | Yes | 10,566 |
| The Foleck Center (Source 1; source 2) (New) | Health care | Yes | 6,965 |
| Healix Infusion Therapy, LLC (Source 1; source 2; source 3) (Update) | Health care | Yes | 6,026 |
| Lone Peak Physical Therapy (Source 1; source 2) (New) | Health care | Yes | 5,809 |
| Humana (Source 1; source 2) (New) | Insurance | Yes | 2,844 |
| Woodsville Guaranty Savings Bank (Source) (New) | Finance | Yes | 2,483 |
| LACERA and State Street (Source) (New) | Public and finance | Yes | 2,400 |
| Molina Healthcare of Ohio, Inc. (Source 1; source 2) (New) | Health care | Yes | 1,977 |
| Eyefinity (Source 1; source 2) (New) | Software | Yes | 1,353 |
| Los Angeles County Department of Mental Health (Source 1; source 2) (New) | Public | Yes | 1,284 |
| Elevate ENT Partners (Source) (New) | Health care | Yes | 1,053 |
| The Middlefield Banking Company (Source 1; source 2) (Update) | Finance | Yes | 1,025 |
| Amerigroup Iowa, Inc. (Source) (New) | Health care | Yes | 1,023 |
| First Choice Dental (Source 1; source 2) (New) | Health care | Yes | 1,000 |
| Qorvo, Inc. (Source 1; source 2) (Update) | Manufacturing | Yes | 735 |
| Osteopathic Healing Hands (Source) (New) | Health care | Yes | 707 |
| Marathon Coach, Inc. (Source) (New) | Manufacturing | Yes | 704 |
| Rally Credit Union (Source 1; source 2) (Update) | Finance | Yes | 677 |
| ACME Architectural Hardware (Source) (New) | Professional services | Yes | 288 |
| Standard Laboratories (Source) (New) | Environmental | Yes | Unknown |
| RKL LLP (Source 1; source 2) (New) | Finance | Yes | Unknown |
| CompleteCare Health Network (Source) (New) | Health care | Yes | Unknown |
| Cooper Aerobics (Source) (New) | Health care | Yes | Unknown |
| Essen Health Care (Source) (New) | Health care | Yes | Unknown |
| Highland Oncology Group (Source) (New) | Health care | Yes | Unknown |
| Navvis & Company and SSM Health (Source 1; source 2) (New) | Health care | Yes | Unknown |
| Hartwell (Source 1; source 2) (New) | Insurance | Yes | Unknown |
| Neste US (Source) (New) | Manufacturing | Yes | Unknown |
| The Switch (Source 1; source 2) (New) | Media | Yes | Unknown |
| Gallery Systems, Museum of Fine Arts Boston, Rubin Museum of Art, and Crystal Bridges Museum of American Art (Source 1; source 2) (New) | Software and non-profit | Yes | Unknown |
| Mandiant (Source 1; source 2; source 3) (New) | Cybersecurity | Unknown | Unknown |
| loanDepot (Source) (New) | Finance | Unknown | Unknown |
| City of Beckley, West Virginia (Source) (New) | Public | Unknown | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

FTC accepting submissions for Voice Cloning Challenge

The US Federal Trade Commission has begun accepting submissions for its Voice Cloning Challenge, which aims to develop ideas to mitigate the risk of AI-enabled voice cloning for fraud. The FTC will accept submissions until January 12.

NIST identifies “adversarial machine learning” threats

New guidance from NIST offers approaches to mitigate AI malfunctions caused by exposure to untrustworthy data. The publication, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2 E2023), is part of NIST’s broader effort to support the development of trustworthy AI.


Enforcement

19 people charged after cyber crime investigation into xDedic Marketplace

An investigation into the xDedic Marketplace, a website on the dark web that illegally sold login credentials and personal data to criminals until it was shut down by the US Attorney’s Office in 2019, has resulted in 19 people being charged.

Man charged for alleged business email compromise scheme

Olusegun Samson Adejorin of Nigeria has been charged with wire fraud, aggravated identity theft, and unauthorized access to a protected computer in relation to a $7.5 million scheme to defraud two charitable organizations by impersonating employees and accessing their email accounts.

BreachForums admin violates parole requirements by using VPN

Conor Brian Fitzpatrick, aka Pompompurin, the former admin of the now-defunct BreachForums website, which cyber criminals used to exchange stolen data, has violated his parole by using a computer and VPN (virtual private network) without enabling the court-prescribed monitoring software. Fitzpatrick was arrested in March 2023.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
