Cybersecurity and Data Privacy in the USA: March 25 – 31, 2024

26,385,614 known records breached in 54 newly disclosed incidents

Welcome to this week’s round-up of the biggest and most interesting news stories in the USA.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.


Publicly disclosed data breaches and cyber attacks: in the spotlight

More than 19 million users’ data breached in info stealer malware campaign

What is apparently the “largest infostealer malware campaign targeting gamers/cheaters in history” has affected millions of gamers, including around 14,000,000 Discord users and 3,662,647 Battle.net (from Blizzard Entertainment) users.

Other affected domains include Activision, elitepvpers, UnKnoWnCheaTs, Phantom Overlap, ACDiamond, ArtificialAiming, two EngineOwning domains, iNIUARIA Cheats, and GameSense.

Note that some of these domains aren’t USA-based, which we’ve accounted for in our figures above the table. Also, although most affected domains are cheating forums, the malware itself wasn’t in cheat software.

Data breached: 19,126,976 users’ data (18,223,830 in the USA).

Change Healthcare acknowledges data stolen in February’s cyber attack

Change Healthcare (of UnitedHealth Group) confirmed a cyber attack in February. It has now publicly acknowledged that data was stolen during that attack, and is analyzing the types of data – including personal, financial, and health information – compromised.

The ransomware group ALPHV/BlackCat claimed to have exfiltrated 6 TB of data from Change Healthcare. If true, this is a relatively small amount in the context of the organization apparently processing 15 billion transactions annually.

Data breached: 6 TB.


Publicly disclosed data breaches and cyber attacks in the USA: full list

This week, we found 26,385,614 records known to be compromised in the USA, and 54 U.S. organizations suffering a newly disclosed incident. 51 of them are known to have had data exfiltrated, exposed, or otherwise breached. None is confirmed not to have had data breached.

We also found 11 U.S. organizations providing a significant update on a previously disclosed incident.

| Organization(s) | Sector | Data breached? | Known data breached |
|---|---|---|---|
| Discord (New) | Software | Yes | 14,000,000 |
| Change Healthcare (Update) | Health care | Yes | 6 TB |
| Battle.net (Blizzard Entertainment) (New) | Leisure | Yes | 3,662,647 |
| Harvard Pilgrim Health Care (Update) | Health care | Yes | 2,860,795 |
| Qosina (New) | Manufacturing | Yes | 638 GB |
| EMSA (Emergency Medical Services Authority) (Update) | Health care | Yes | 611,743 |
| Activision (New) | Leisure | Yes | 561,183 |
| Chattanooga Heart Institute (Update) | Health care | Yes | 547,434 |
| Houser LLP (Update) | Legal | Yes | 364,312 |
| FICO (New) | Software | Yes | 170,000 |
| Select Education Group, LLC (New) | Education | Yes | >67,000 |
| Contender Boats, Inc (New) | Manufacturing | Yes | 65 GB |
| Bayer Heritage Federal Credit Union (Update) | Finance | Yes | 61,165 |
| Ezras Choilim Health Center (New) | Health care | Yes | 59,861 |
| Prudential Insurance Company of America (New) | Insurance | Yes | 36,545 |
| Pembina County Memorial Hospital (New) | Health care | Yes | 23,451 |
| Ethos (New) | Non-profit | Yes | 13,418 |
| Pomona Valley Hospital Medical Center (New) | Health care | Yes | 13,345 |
| Rancho Medical Family Group (Update) | Health care | Yes | 10,480 |
| Gunster Yoakley and Stewart PA (New) | Legal | Yes | 9,550 |
| Wyndemere Senior Living (New) | Health care | Yes | 6,846 |
| Donald W. Wyatt Detention Facility (Update) | Public | Yes | 5,760 |
| Northern Virginia Oral, Maxillofacial & Implant Surgery (New) | Health care | Yes | 5,568 |
| Sanford, Pierson, Thone & Strean, PLC (New) | Legal | Yes | 3,100 |
| Battle Mountain General Hospital (New) | Health care | Yes | 3,000 |
| Western New York Independent Living (New) | Health care | Yes | 2,886 |
| Barings (via Infosys McCamish Systems) (New) | Finance | Yes | 2,671 |
| Kids Care Dental & Orthodontics (Update) | Health care | Yes | 2,260 |
| BodyHealth, LLC (New) | Health care | Yes | 2,222 |
| Sierra Lobo, Inc. (New) | Manufacturing | Yes | 1,991 |
| GH America (New) | Non-profit | Yes | 1,802 |
| Reyes Automotive Group (New) | Manufacturing | Yes | 1,660 |
| Bronson Healthcare (New) | Health care | Yes | 1,597 |
| Permian Resources (New) | Energy | Yes | 1,351 |
| Cherry Health (New) | Health care | Yes | 500 |
| Cornerstone Healthcare Group Management Services LLC (New) | Health care | Yes | 500 |
| Southwest Binding & Laminating (Update) | Professional services | Yes | 341 |
| Southern Nevada Health District (New) | Public | Yes | 300 |
| Saco River Medical Group, PC (New) | Health care | Yes | 64 |
| July Business Services (New) | Finance | Yes | 59 |
| Coeur d’Alene, City of (New) | Public | Yes | 57 |
| Delta Pipeline, Inc. (New) | Construction | Yes | Unknown |
| OWASP® Foundation (New) | Cybersecurity | Yes | Unknown |
| Baylor College of Medicine (New) | Education | Yes | Unknown |
| Burnham Wood Charter Schools (New) | Education | Yes | Unknown |
| Florida Memorial University (New) | Education | Yes | Unknown |
| Groton Public Schools (Update) | Education | Yes | Unknown |
| Tech-Quip Inc (New) | Energy | Yes | Unknown |
| Orange County’s Credit Union (New) | Finance | Yes | Unknown |
| Performance Health Technology (New) | Health care | Yes | Unknown |
| Trustpoint Rehabilitation Hospital of Lubbock (New) | Health care | Yes | Unknown |
| Alamo Insurance Group, Inc. (New) | Insurance | Yes | Unknown |
| LoDan Electronics, Inc. (New) | Manufacturing | Yes | Unknown |
| Affinity Health Services (New) | Professional services | Yes | Unknown |
| KTUA Landscape Architecture and Planning (New) | Professional services | Yes | Unknown |
| Township of Haverford (New) | Public | Yes | Unknown |
| White Oak Partners (New) | Real estate | Yes | Unknown |
| Pennsylvania Southeast Conference U C C (New) | Religious | Yes | Unknown |
| Hot Topic (New) | Retail | Yes | Unknown |
| Timberland (New) | Retail | Yes | Unknown |
| Anyscale (New) | Software | Yes | Unknown |
| Top.gg Discord bot community (New) | Software | Yes | Unknown |
| Traverse City Area Public Schools (New) | Education | Unknown | Unknown |
| City of St. Cloud, FL (New) | Public | Unknown | Unknown |
| Gilmer County Government (New) | Public | Unknown | Unknown |

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicized in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.


AI

OMB issues first government-wide policy to mitigate risks and harness benefits of AI

Vice President Harris announced that the White House OMB (Office of Management and Budget) is issuing its first government-wide policy to mitigate the risks, and harness the benefits, of AI. This delivers on a key element of President Biden’s Executive Order on safely developing and using AI.

The OMB’s new policy is aimed at federal agencies, and looks to “strengthen AI safety and security, protect Americans’ privacy, advance equity and civil rights, stand up for consumers and workers, promote innovation and competition, advance American leadership around the world, and more.”

Researchers reveal new quantum AI model that allegedly identifies 100% of attacks

Multiverse Computing and CounterCraft have revealed a new quantum AI model: the MPS (Matrix Product State) model. It’s been trained on data sets from real network traffic and system logs, and “significantly improves” attack detection compared to traditional methods, supposedly identifying 100% of cyber attacks.

Enforcement

Med-Data settles data breach lawsuit for $7 million

The Texas-based revenue cycle management company Med-Data has agreed to a $7 million settlement to resolve a breach from 2018–2019, involving the health data of around 136,000 people.

Utah amends its data breach notification law

Utah’s governor signed the Online Data Security and Privacy Amendments (Senate Bill 98) into law. This bill “amends provisions related to cybersecurity, breach notification requirements, and authorized domain name extensions.”



Other news

DoD established new office: the Office of the Assistant Secretary of Defense for Cyber Policy

The U.S. Department of Defense established a new office – the OASD(CP), or Office of the Assistant Secretary of Defense for Cyber Policy – on March 20.

The ASD(CP) – Assistant Secretary of Defense for Cyber Policy – is responsible for “all matters related to cyber-related activities that support or enable DoD missions in, through, and from cyberspace.”

Proposed amendment to the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The U.S. Department of Homeland Security has filed a draft to amend the CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022). The amendment requires CISA (Cybersecurity and Infrastructure Security Agency) to “promulgate regulations implementing the statute’s covered cyber incident and ransom payment reporting requirements for covered entities.”

The proposed rule is currently unpublished – the scheduled publication date is April 4. CISA invites comments on the proposal until 60 days after publication.


Key dates

March 31, 2024 – PCI DSS v4.0 transitioning deadline

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) was retired on March 31, and replaced by version 4.0 of the Standard.

April 30, 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by April 30. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes.


That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.
