
Cyber Gossip from π: In December, Data Leak / Data Breach from EU, USA, Singapore, Turkey

 

EU 2024


  • Authority: Italian Data Protection Authority (Garante)
  • Company: Selectra S.p.A. - Italy
  • Summary: The Italian DPA has imposed a fine of EUR 80,000 on Selectra S.p.A. A former employee had lodged a complaint with the DPA on the grounds that the controller was able to access their e-mail inbox even after the termination of the employment relationship. The DPA found that such a long retention period for e-mails (in some cases three years after the termination of the employment relationship) was excessive. The DPA also found that the controller had not provided the data subjects with sufficient information about the data processing (e.g. regarding the retention period for e-mail data).
  • https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/10053224

  • Authority: Spanish Data Protection Authority (aepd)
  • Company: Individuals and Private Associations
  • Summary: The Spanish DPA has imposed a fine of EUR 2,000 on a private individual for installing video surveillance cameras without a valid legal basis.
  • Direct URL: https://www.aepd.es/documento/ps-00362-2023.pdf

  • Authority: Spanish Data Protection Authority (aepd)
  • Sector: Not assigned
  • Summary: The Spanish DPA imposed a fine of EUR 3,000 on PLAY FUL KIDS, S.L. due to an incident that occurred during a children's birthday party on the premises of the controller involving guests and employees. Following the event, the guests posted negative reviews on Google. In response, the data controller shared surveillance footage showing minor guests without a valid legal basis via WhatsApp to pressure the guests into withdrawing their reviews.
  • https://www.aepd.es/documento/ps-00202-2023.pdf

  • Authority: Norwegian Supervisory Authority (Datatilsynet)
  • Sector: Public Sector and Education
  • Summary: The Norwegian DPA fined Grue municipality EUR 20,800 following the municipality's notification of a data breach. The municipality reported that personal data of students had been unlawfully published on a public portal. During its investigation, the DPA found that the municipality had not taken sufficient technical and organizational measures to ensure the protection of personal data.
  • https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2024/overtredelsesgebyr-til-grue-kommune/



  • USA December

    Breach Report Results
    | Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information |
    |---|---|---|---|---|---|---|
    | CHCM, Inc. dba College Hospital Costa Mesa | CA | Healthcare Provider | 591 | 12/18/2024 | Hacking/IT Incident | Network Server |
    | Ott Cone & Redpath, P.A. | NC | Business Associate | 22171 | 12/18/2024 | Hacking/IT Incident | Email |
    | PracticeSuite, Inc. | FL | Business Associate | 13000 | 12/17/2024 | Hacking/IT Incident | Other |
    | California Correctional Health Care Services | CA | Healthcare Provider | 1416 | 12/17/2024 | Loss | Paper/Films |
    | Massachusetts Department of Mental Health | MA | Healthcare Provider | 959 | 12/16/2024 | Loss | Other, Other Portable Electronic Device |
    | Brockton Neighborhood Health Center | MA | Healthcare Provider | 97488 | 12/13/2024 | Hacking/IT Incident | Network Server |
    | Summit Medical Group, PLLC | TN | Healthcare Provider | 611 | 12/13/2024 | Hacking/IT Incident | Email |
    | Northwest Asthma and Allergy Center | WA | Healthcare Provider | 1000 | 12/12/2024 | Hacking/IT Incident | Email |
    | ConnectOnCall.com, LLC | DE | Business Associate | 914138 | 12/11/2024 | Hacking/IT Incident | Network Server |
    | River Region Cardiology | AL | Healthcare Provider | 500000 | 12/11/2024 | Hacking/IT Incident | Network Server |
    | Rumpke Consolidated Companies, Inc. & Affiliates Benefits Plan | OH | Health Plan | 16946 | 12/10/2024 | Hacking/IT Incident | Network Server |
    | UT Southwestern Medical Center | TX | Healthcare Provider | 43048 | 12/09/2024 | Unauthorized Access/Disclosure | Email |
    | Center for Vein Restoration | MD | Business Associate | 446094 | 12/05/2024 | Hacking/IT Incident | Network Server |
    | Veterans Health Administration | DC | Healthcare Provider | 2302 | 12/03/2024 | Hacking/IT Incident | Network Server |
    | FC Compassus, LLC | TN | Healthcare Provider | 2703 | 12/02/2024 | Hacking/IT Incident | Email |
    | SAG-AFTRA Health Plan | CA | Health Plan | 35592 | 12/02/2024 | Hacking/IT Incident | Email |
    | Atrium Health | NC | Healthcare Provider | 585959 | 12/02/2024 | Unauthorized Access/Disclosure | Network Server |

    Singapore November

    Breach of the Protection Obligation by HMI Institute of Health Science

    29 Nov 2024

    A financial penalty of $10,000 was imposed and directions were issued to HMI Institute of Health Science for failing to put in place reasonable security arrangements to protect the personal data of former students.


    Turkey November - December

    19 December
    Public Announcement (Data Breach Notification) – Karadeniz Holding A.Ş.

    As is known, Article 12, paragraph (5) of the Law No. 6698 on the Protection of Personal Data titled “Obligations regarding data security” stipulates that “In the event that the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible. If necessary, the Board may announce this situation on its own website or by another method it deems appropriate.”

    In the personal data breach notification submitted to the Board by Karadeniz Holding AŞ, which is the data controller, it is summarized as follows;

    It is stated that the breach is thought to have occurred due to a cyber attack, and since detailed information on the subject has not yet been determined, studies and research are ongoing,
    The start and end dates of the breach are uncertain; the breach was detected on 10.12.2024 as a result of a routine security check performed after the internet outage on the relevant date,
    No determination has yet been made regarding the personal data categories affected by the breach,
    Efforts to determine the number of people and records affected by the breach are ongoing and no determination has yet been made.

    Although the investigation on the subject is ongoing, it has been decided by the Personal Data Protection Board's decision dated 19.12.2024 and numbered 2024/2193 to announce the data breach notification in question on the Institution's website.

    Respectfully announced to the public.

    12 December
    Public Announcement (Data Breach Notification) – Anıl Özel Sağlık Hizmetleri Turizm Ticaret Limited Şirketi (Özel Hisar Tıbbi Merkezi)

    As is known, Article 12, paragraph (5) of the Law No. 6698 on the Protection of Personal Data titled “Obligations regarding data security” stipulates that “In the event that the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible. If necessary, the Board may announce this situation on its own website or by another method it deems appropriate.”

    In the data breach notification submitted to the Board by Anıl Özel Sağlık Hizmetleri Turizm Ticaret Limited Şirketi, which is the data controller, it is summarized as follows;

    The breach occurred between 22.11.2024-24.11.2024 and was detected on 02.12.2024,
    The breach occurred as a result of a cyber attack, but there is no detailed information about the subject,
    The data controller cannot currently access the data subject to the breach,
    The number of people and records affected by the breach is not yet known,
    The relevant person groups affected by the breach are employees and patients,
    Health information and identity data were affected by the breach, but there is no detailed information about the subject,
    The relevant people can get information about the data breach through the data controller's website and physical desks.

    Although the investigation regarding the subject is ongoing, it was decided by the Personal Data Protection Board's Decision dated 12.12.2024 and numbered 2024/2112 to announce the data breach notification on the Institution's website.

    Respectfully announced to the public.

    StarHat

    I write engaging articles for a wide audience based on real events in the cybersecurity industry.
