Here’s your weekly #databreach news roundup:
Chicago Public Schools, Refuah Health Center, South Australian public servants, Dis-Chem, Oklahoma City Indian Clinic, City of Cincinnati, Parker, and Texas Department of Insurance.
Chicago Public Schools
A massive data breach has exposed four years’ worth of records of nearly 500,000 Chicago Public Schools students and just under 60,000 employees, district officials said Friday.
The attack targeted a company that has a no-bid contract with the school system for teacher evaluations and involved basic information — including students’ dates of birth — but no financial records or Social Security numbers, according to CPS.
The district said there is no evidence the data has been misused, posted or distributed, but offered affected families a year of credit monitoring and identity theft protection.
The teacher evaluation vendor, Battelle for Kids, was targeted in a ransomware attack on Dec. 1 of last year, the district said. CPS was notified via a mailed letter on April 26, but “did not have specific information as to which students were affected, nor did CPS know that staff information was also compromised until May 11.”
Refuah Health Center
New York-based Refuah Health Center began notifying 260,740 individuals of a cybersecurity incident that occurred between May 31 and June 1, 2021.
Refuah Health Center discovered unauthorized access and said it immediately launched an investigation. The health center said its investigation concluded on March 2, 2022, but did not explain the year-long gap between discovery and notification.
The impacted information potentially included names, Social Security numbers, medical record numbers, driver’s license numbers, state identification numbers, birth dates, credit and debit card information, financial account information, Medicare/Medicaid numbers, patient account numbers, diagnosis information, and health insurance policy numbers.
South Australian public servants
South Australia’s Treasurer says 13,088 more current and former public servants than previously thought had their personal information stolen in a cyber attack last year.
Treasurer Stephen Mullighan told parliament on Wednesday a “forensic review” by PricewaterhouseCoopers (PwC) uncovered the additional people whose personal data was stolen, on top of the 80,000 employees announced by the former government last year.
The data, which included tax file numbers and bank account details, was stolen when the state government’s payroll provider, Frontier Software, was hacked in November.
Dis-Chem
Pharmacy retailer Dis-Chem has launched an investigation into a data hack at one of its third-party service providers that resulted in an “unauthorised person” accessing the personal details of customers.
In a notice on Wednesday, Dis-Chem said its investigation so far showed that the hacker gained access to first names, surnames, email addresses and cellphone numbers belonging to more than 3.6 million people.
The retailer said it was informed about the breach – which took place in April – at the beginning of this month. It has since taken steps to establish the scope of the breach and restore the “integrity” of its operating system.
“Please note there is currently no indication that any personal information has been published or misused as a result of the incident. However, we cannot guarantee that this position will remain the same in future,” Dis-Chem cautioned.
The retailer added that it was continuing to monitor for any publication of the personal information accessed in the breach.
Oklahoma City Indian Clinic
A newly released notification from Oklahoma City Indian Clinic (OKCIC) on May 12 confirmed that the ongoing network disruption was brought on by a ransomware attack. OKCIC also confirmed that the data breach, which occurred in March, exposed personally identifiable information (PII) and protected health information of 38,239 patients.
OKCIC first experienced a network disruption on March 10 that impacted its ability to access certain files on its network. The attack led OKCIC to shut down its automatic refill line and mail order service of its pharmacy department.
An investigation by a third-party forensic firm confirmed that an unauthorized party accessed – and possibly retained – sensitive customer information, including names, dates of birth, treatment information, prescription information, medical records, physician information, health insurance policy numbers, phone numbers, Tribal ID numbers, Social Security numbers and driver’s license numbers of customers.
City of Cincinnati
About 2,000 current City of Cincinnati employees and their dependents, plus an unknown number of former employees, were impacted by a data breach involving census data, said Rocky Merz, the city’s director of communications.
The city discovered on April 19 that a Request for Proposal (RFP) for dental and vision services, posted on the city’s procurement websites, inadvertently included census data. The RFP was originally posted April 8.
Both personal information and protected health information — including names, home addresses, demographics and insurance information — were shown in the census files. In some cases, Social Security numbers, dental claims and dates of birth were also breached.
Parker
The Parker-Hannifin Corporation announced a data breach exposing employees’ personal information after the Conti ransomware gang began publishing allegedly stolen data last month.
Parker is an Ohio-based corporation specializing in advanced motion and control technologies, with a strong focus on aerospace hydraulic equipment. It has revenue of $15.6 billion and employs over 58,000 people.
Parker-Hannifin says a security incident occurred between March 11 and March 14, 2022, and that it involved a third party who gained unauthorized access to Parker’s computer systems.
“Upon learning of this incident, Parker’s IT team immediately activated its incident response protocols, which included shutting down certain systems,” reads the firm’s notice.
“Parker then launched an investigation with the assistance of a forensic investigation firm and other third-party cyber security and incident response professionals.”
Texas Department of Insurance
A massive security breach at the Texas Department of Insurance leaked the personal information of almost 2 million Texans for nearly three years, according to a state audit released last week.
The department said the personal information of 1.8 million workers who have filed compensation claims – including Social Security numbers, addresses, dates of birth, phone numbers and information about workers’ injuries – was accessible online to members of the public from March 2019 to January 2022.