
Data Collected by the US Justice Department Exposed in Consultant's Breach (securityweek.com)

(Saturday April 13, 2024 @10:33PM (EditorDavid) from the bad-breaches dept.)


An anonymous reader shared [1]this report from Security Week:

> Economic analysis and litigation support firm Greylock McKinnon Associates, Inc. (GMA) is notifying over 340,000 individuals that their personal and medical information was compromised in a year-old data breach. The incident was detected on May 30, 2023, but it took the firm roughly eight months to investigate and determine what type of information was compromised and to identify the impacted individuals.

>

> According to GMA's notification letter to the affected individuals, a copy of which was [2]submitted to the Maine Attorney General's Office, both personal and Medicare information was compromised in the data breach... "This information may have included your name, date of birth, address, Medicare Health Insurance Claim Number (which contains a Social Security number associated with a member) and some medical information and/or health insurance information," the notification letter reads.

>

> The compromised data, GMA says, was obtained by the US Department of Justice "as part of a civil litigation matter". More than 340,000 individuals were affected by the data breach, the company told the Maine Attorney General's Office. The impacted individuals, however, are "not the subject of this investigation or the associated litigation matters", the company tells the affected individuals.



[1] https://www.securityweek.com/doj-collected-information-exposed-in-data-breach-affecting-340000/

[2] https://apps.web.maine.gov/online/aeviewer/ME/40/865575ae-973b-4430-a06c-d780da040c74.shtml



need to change America's laws (Score:2)

by WindBourne ( 631190 )

It is LONG past time for us to be able to SUE companies for this, AND to have criminal investigations against the C*O of companies that are breached. Why? Because they are not doing what is needed to protect this data. It is really not that hard to do.

Re: need to change America's laws (Score:2)

by TuballoyThunder ( 534063 )

And sue the federal government when they fail to follow their own rules or provide oversight over the companies they contract with. I agree with sovereign immunity when they do their job, but when they make a mistake they should be held accountable by the injured party.

Re: (Score:2)

by Sebby ( 238625 )

> I agree with sovereign immunity when they do their job, but when they make a mistake they should be held accountable by the injured party.

10000x this.

Re: (Score:2)

by CaptQuark ( 2706165 )

> ... fail to follow their own rules or provide oversight over the companies they contract with.

I agree agencies should be held accountable when they make mistakes, but this problem was caused by a ransomware attack on the contracted consulting company.

Greylock McKinnon Associates (GMA) was analyzing Medicare fraud information for the DOJ when GMA was the victim of a ransomware attack. The report in the HIPAA journal referenced here does not list how the ransomware attack happened, or if GMA was following all best practices when the attack occurred, but it would be difficult to blame the DOJ for not

Then why? (Score:2)

by Sebby ( 238625 )

> The impacted individuals, however, are "not the subject of this investigation or the associated litigation matters", the company tells the affected individuals.

Then WTF was their information "part of a civil litigation matter" if it wasn't relevant to them?!?

Also:

> it took the firm roughly eight months to investigate and determine what type of information was compromised and to identify the impacted individuals

Meaning for eight months, these innocent individuals, who have nothing to do with anything about this "civil litigation matter", have been at risk, or more likely victims, of identity fraud.

Re: Then why? (Score:2)

by Kelxin ( 3417093 )

Or worse. There are cases of people using "confidential" information to blackmail or extort people. Cases of them using information such as kids' info to create attacks for false ransom, etc.

There's another question (Score:2)

by 93 Escort Wagon ( 326346 )

Was there actually a good reason for this Justice Department data to have been copied over to the consultant-owned machines at all?
