Here’s your weekly data breach news roundup:
BackNine, Artwork Archive, U.S. driver licenses, Forefront Dermatology, Guess, and Northwestern Memorial Hospital.
A security lapse at insurance technology startup BackNine exposed hundreds of thousands of insurance applications after one of its cloud servers was left unprotected on the internet.
BackNine might be a company you’re not familiar with, but it might have processed your personal information if you applied for insurance in the past few years. The California-based company builds back-office software to help bigger insurance carriers sell and maintain life and disability insurance policies. It also offers a white-labeled quote web form for smaller or independent financial planners who sell insurance plans through their own websites.
But one of the company’s storage servers, hosted on Amazon’s cloud, was misconfigured to allow anyone access to the 711,000 files inside, including completed insurance applications that contain highly sensitive personal and medical information on the applicant and their family. It also contained images of individuals’ signatures as well as other internal BackNine files.
Artwork Archive told ZDNet it received notice a month or so ago about a single open S3 bucket — a folder where it keeps publicly shareable reports. It addressed it, and after a review by its team, it found no suspicious activity. Artwork Archive said it has also alerted users about this issue.
Artwork Archive told ZDNet that the company was made aware of the security issue on May 25 and acted “within the hour” to tackle the security issue. The storage system was secured on the same day.
Researchers say a platform used to connect artists and potential buyers potentially exposed information belonging to users.
U.S. driver licenses
A threat actor has put up over 21,000 U.S. driver licenses for sale on a hacker forum after a data breach.
The seller also told Security Report that they had over 2,000 credit reports and credit application forms containing sensitive customer information, such as names, dates of birth, SSNs, addresses, credit history, and vehicle purchase information.
These documents were allegedly obtained from a vulnerable server belonging to a lending company.
The recent #databreach may have included Forefront Dermatology patients' names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical records, dates of service, accession numbers, provider names, and more.https://t.co/6s8dWJ1Q1J— DevaOnBreaches (@DevaOnBreaches) July 15, 2021
Patients and employees of Forefront Dermatology, S.C., may have had their private information exposed during a recent cyberattack.
The data breach may have included Forefront Dermatology patients’ names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, accession numbers, provider names, and/or medical and clinical treatment information, according to a press release published on July 8.
“There is no evidence that patient Social Security numbers, driver’s license numbers, or financial account /payment card information were involved in this incident,” the Forefront Dermatology release stated.
Forefront, which has offices in 21 states, announced that it identified the cyber incident and is currently notifying patients and employees impacted by the breach.
“We deeply regret any inconvenience or concern this incident may cause,” the release stated. “We take this matter very seriously and are continuing to enhance our security protocols to help prevent a similar incident from occurring in the future.”
The dermatology practice said it wrapped up its investigation into the cyberattack on June 24.
Clothing retailer Guess suffered a ransomware attack and data breach earlier this year that exposed personal information for an unspecified number of individuals.
As Bleeping Computer first reported, citing a data breach notification letter issued by Guess to 1,304 affected Maine residents, Guess says criminal hackers accessed its systems from approximately Feb. 2 to Feb. 23 and that the intrusion was “designed to encrypt files and disrupt business operations.”
Los Angeles-based Guess has 1,580 stores globally, including 280 in the U.S. and 80 in Canada.
“Upon discovery of the incident on Feb. 19, Guess activated its incident response plan and a cybersecurity forensics firm was engaged to assist with the investigation and containment,” Guess’s breach notification says. “On May 26, the investigation determined that personal information related to certain individuals may have been accessed or acquired by an unauthorized actor.”
Potentially exposed information includes Social Security numbers, driver’s license numbers, passport numbers and financial information.
Northwestern Memorial Hospital is urging some of its cancer patients to check their treatment documents after unauthorized access. The breach happened in April at Elekta Inc., a company that provides cancer patient data to the state of Illinois.#databreachhttps://t.co/BFobRHQwID— DevaOnBreaches (@DevaOnBreaches) July 12, 2021
Northwestern Memorial Hospital is urging some of its cancer patients to check their treatment documents after an unauthorized individual got a hold of a database containing patient information.
“We regret this incident occurred and we are committed to protecting the security and privacy of patient information. This incident did not involve access to any of the Northwestern Memorial Healthcare systems, network, or electronic health records,” the hospital said in a statement Friday.
The breach happened in April at Elekta Inc., a company that provides cancer patient data to the state of Illinois, according to Northwestern.
“During that time, the unauthorized individual acquired a copy of the database that stores some of [Northwestern Memorial HealthCare’s] oncology patients’ information,” the hospital said.
The information might have included patient names, dates of birth, Social Security numbers, medical histories and diagnoses.
Northwestern said patients’ financial account and payment card information was not involved.