Cybersecurity and Data Privacy in the USA: April 1 – 7, 2024

28,133,417 known records breached in 75 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

U.S. Environmental Protection Agency allegedly breached: nearly 8.5 million accounts compromised

A threat actor known as ‘USDoD’ claims to have exfiltrated a large database from the U.S. EPA (Environmental Protection Agency).

According to a listing on the black-hat hacking site BreachForums, USDoD has released the EPA’s entire contact list, comprising the names, addresses, phone numbers, email addresses, and other information relating to customers and contractors.

HackRead reports that once duplicate records are removed, the number of exposed accounts totals 8,460,182.

Data breached: 8,460,182 accounts.

EyeCare Services Partners exposes more than 3.5 million patients’ data via unsecured database

According to DataBreaches.net, EyeCare Services Partners – a group of eye care providers based in Dallas, Texas – left 50 TB of data exposed via an unsecured blob.

The biggest database in the blob contained 3.1 million patients and 1.6 million unique Social Security numbers. Other databases contained health insurance data, such as patients’ names, dates of birth, addresses, and medical data.

The total number of affected patients is yet to be determined, but is likely to be more than 3.5 million.

Data breached: at least 3.5 million people’s data.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 28,133,417 records known to be compromised in the USA, and 75 U.S. organizations suffering a newly disclosed incident. 70 of them are known to have had data exfiltrated, exposed, or otherwise breached. None is confirmed not to have had data breached.

We also found 12 U.S. organizations providing a significant update on a previously disclosed incident.

| Organization(s) | Sector | Data breached? | Known data breached |
|---|---|---|---|
| DataBank – Source (New) | IT services | Yes | 10,633,996 |
| US Environmental Protection Agency (EPA) – Source (New) | Public | Yes | 8,460,182 |
| EyeCare Services Partners (ESP) – Source (New) | Health care | Yes | >3,500,000 |
| Keenan & Associates – Source 1; source 2 (Update) | Insurance | Yes | 1,573,844 |
| Aero Dynamic Machining, Inc. – Source (New) | Manufacturing | Yes | 1.1 TB |
| City of Hope – Source 1; source 2 (Update) | Health care | Yes | 827,149 |
| BeneCare Dental Plans – Source (New) | Insurance | Yes | 554,752 |
| Citi Trends – Source (New) | Retail | Yes | 442,754 |
| Interface – Source (New) | Manufacturing | Yes | 382,084 |
| Greylock McKinnon Associates, Inc. – Source 1; source 2 (Update) | Legal | Yes | 341,650 |
| Otolaryngology Associates, P.C. – Source (New) | Health care | Yes | 316,802 |
| Regency Furniture – Source (New) | Manufacturing | Yes | 300 GB |
| M&D Capital Premier Billing – Source 1; source 2 (New) | Finance | Yes | 284,326 |
| On Q Financial, LLC – Source (New) | Finance | Yes | 211,650 |
| McAlvain Companies, Inc – Source (New) | Construction | Yes | 175 GB |
| Pacific Guardian Life – Source (New) | Insurance | Yes | 167,103 |
| Designed Receivable Solutions, Inc. – Source 1; source 2 (New) | Finance | Yes | 129,584 |
| Aveanna Healthcare – Source 1; source 2; source 3 (Update) | Health care | Yes | 65,482 |
| American Renal Associates – Source 1; source 2 (Update) | Health care | Yes | >37,700 |
| Family Health Center – Source 1; source 2; source 3 (Update) | Health care | Yes | 33,240 |
| York County School of Technology – Source (New) | Education | Yes | 30,914 |
| Best Transportation LLC – Source (New) | Transport | Yes | 24 GB |
| Pembina County Memorial Hospital – Source 1; source 2; source 3 (Update) | Health care | Yes | 23,811 |
| Bene-Marc – Source (New) | Insurance | Yes | 17,000 |
| Ethos – Source 1; source 2; source 3 (Update) | Non-profit | Yes | 14,503 |
| May Institute – Source (New) | Non-profit | Yes | 12,619 |
| The Home Depot – Source 1; source 2 (New) | Retail | Yes | 10,000 |
| Clackamas Community College – Source 1; source 2 (Update) | Education | Yes | 8,797 |
| Tri-City Medical Center – Source 1; source 2 (Update) | Health care | Yes | 7,847 |
| HALO Branded Solutions – Source (New) | Professional services | Yes | 7,305 |
| Ace Hardware Corporation – Source 1; source 2; source 3 (Update) | Retail | Yes | 7,295 |
| Detroit Symphony Orchestra – Source (New) | Leisure | Yes | 6,778 |
| Robert Peterson DD.S. PC – Source 1; source 2 (New) | Health care | Yes | 6,500 |
| Campbell Killin Brittan & Ray, LLC – Source (New) | Legal | Yes | 4,448 |
| Northern Virginia Oral Surgery Centers – Source 1; source 2 (New) | Health care | Yes | 4,333 |
| RxBenefits, Inc. – Source 1; source 2 (New) | Manufacturing | Yes | 3,396 |
| Mary H. Makhlouf, DMD, MS, PA – Source 1; source 2 (New) | Health care | Yes | 1,797 |
| American Farmland Trust – Source (New) | Non-profit | Yes | 1,503 |
| George & George – Source (New) | Legal | Yes | 1,455 |
| County of Los Angeles Department of Mental Health – Source 1; source 2 (New) | Public | Yes | 1,408 |
| Skender – Source (New) | Construction | Yes | 1,067 |
| Continental Bank – Source (New) | Finance | Yes | 1,045 |
| City of Conneaut – Source 1; source 2 (New) | Public | Yes | 771 |
| Bonney Forge – Source 1; source 2 (New) | Energy | Yes | 672 |
| Human Development Services of Westchester, Inc. – Source 1; source 2 (New) | Non-profit | Yes | 506 |
| Andor Labs – Source 1; source 2 (New) | Health care | Yes | 500 |
| Tri Delta – Source (New) | Non-profit | Yes | 448 |
| Platt Builders Inc. – Source (New) | Construction | Yes | 248 |
| Wysocki Family of Companies – Source (New) | Agricultural | Yes | 136 |
| Ohio Mutual Insurance Group – Source (New) | Insurance | Yes | 1 |
| Axiom Construction & Consulting – Source 1; source 2 (New) | Construction | Yes | Unknown |
| Blueline Associates, Inc. – Source (New) | Construction | Yes | Unknown |
| Grote Enterprises, LLC – Source 1; source 2 (New) | Construction | Yes | Unknown |
| Benefit Management, Inc. – Source 1; source 2 (New) | Finance | Yes | Unknown |
| SouthState Bank – Source (New) | Finance | Yes | Unknown |
| Advanced Care Hospital of Southern New Mexico – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Denver Regional Rehabilitation Hospital – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Ernest Health – Source 1; source 2 (Update) | Health care | Yes | Unknown |
| Greenwood Regional Rehabilitation Hospital – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Kootenai Health – Source (New) | Health care | Yes | Unknown |
| Lafayette Regional Rehabilitation Hospital – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Midlands Regional Rehabilitation Hospital – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Mountain Valley Regional Rehabilitation Hospital – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Norman Urology Associates P C – Source (New) | Health care | Yes | Unknown |
| NorthBay Health – Source (New) | Health care | Yes | Unknown |
| Northern Colorado Rehabilitation Hospital – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Northern Utah Rehabilitation Hospital – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Rehabilitation Hospital of the Northwest – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Rehabilitation Hospital of Southern California – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Rehabilitation Hospital of Southern New Mexico – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Sisu Healthcare Solutions – Source (New) | Health care | Yes | Unknown |
| Spartanburg Rehabilitation Institute – Source 1; source 2 (New) | Health care | Yes | Unknown |
| Summa Rehab Hospital – Source 1; source 2 (New) | Health care | Yes | Unknown |
| West Idaho Orthopedics – Source (New) | Health care | Yes | Unknown |
| Omni Hotels & Resorts – Source (New) | Hospitality | Yes | Unknown |
| Panera Bread – Source (New) | Hospitality | Yes | Unknown |
| Roberson & Sons Insurance Services – Source (New) | Insurance | Yes | Unknown |
| Acuity, Inc. – Source (New) | IT services | Yes | Unknown |
| Xenwerx Initiatives, LLC – Source (New) | IT services | Yes | Unknown |
| The Wacks Law Group, LLC – Source (New) | Legal | Yes | Unknown |
| East Baton Rouge Sheriff’s Office – Source (New) | Public | Yes | Unknown |
| W.P.J. McCarthy & Company – Source (New) | Real estate | Yes | Unknown |
| NYCAPS/ESS (New York City Automated Personnel System, Employee Self Service) – Source (New) | IT services | Unknown | Unknown |
| Florida Department of Juvenile Justice – Source (New) | Public | Unknown | Unknown |
| Hernando County Government – Source (New) | Public | Unknown | Unknown |
| Jackson County, Missouri – Source (New) | Public | Unknown | Unknown |
| NYC Office of the Mayor – Source (New) | Public | Unknown | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.


AI

U.S. and UK announce AI safety partnership

Following commitments they made at last November’s AI Safety Summit, the U.S. and the UK have signed a memorandum of understanding that will see them work to align their scientific approaches to develop tests to evaluate AI models, systems, and agents.

Rise in criminal campaigns using AI

Bitdefender Labs reports that, over the past year, it’s seen an increase in “AI-powered illicit operations conducted by threat actors over social media, from stream-jacking attacks that delivered crypto-doubling schemes on YouTube to audio deep fakes that overflow on Meta’s social platforms.”


Enforcement

Google agrees to delete billions of records and reduce incognito user tracking

Google has agreed to settle a 2020 class action lawsuit accusing it of invading people’s privacy by collecting user data even in incognito mode.

Google’s spokesman Jorge Castaneda said: “We are pleased to settle this lawsuit, which we always believed was meritless. We are happy to delete old technical data that was never associated with an individual and was never used for any form of personalization.”

ENISA publishes Cyber Resilience Act Requirements Standards Mapping

The EU agency for cybersecurity, ENISA, has published a new study identifying the existing cybersecurity standards that are most relevant to each requirement of the EU Cyber Resilience Act and highlights possible gaps to be addressed.


Other news

New Google features to improve security

Google has announced a new feature for the Chrome browser called Device Bound Session Credentials, which associates cookies with specific devices, preventing criminal hackers from using them to access victims’ accounts by bypassing multifactor authentication.

It’s also started automatically blocking bulk emails to help prevent spam and phishing campaigns.


Recently published reports


Key dates

April 30, 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by April 30. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.

June 3, 2024 – Deadline for public comment on the CIRCIA

CISA (Cybersecurity and Infrastructure Security Agency) has developed an NPRM (Notice of Proposed Rulemaking), under powers granted to it by the CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022). The NPRM was published on April 4 in the Federal Register, and is open for public comment until June 3.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.


Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Tuesday, you’ll get a short email with:

  • Industry news, including this weekly round-up
  • Our latest research and statistics
  • Free useful resources
  • Upcoming webinars
  • Other ways we can help