Cybersecurity and Data Breaches

This archive displays posts tagged as relevant to cybersecurity and data breach issues.

September 8, 2023

Kaiser Foundation Health Plan, Inc., and Kaiser Foundation Hospitals have agreed to pay $49 million to settle claims of unlawfully disposing hazardous medical waste and protected health information for 16 different facilities.  The misconduct violated California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, Unfair Competition Law, and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Under the settlement, Kaiser must also retain an independent third-party auditor to ensure Kaiser’s compliance with applicable laws.  CA AG

September 5, 2023

Verizon Business Network Services LLC has agreed to pay over $4 million in connection with its Managed Trusted Internet Protocol Service (MTIPS), which provides federal agencies with secure connections to the internet.  The company self-disclosed that its MTIPS service failed to comply with General Services Administration (GSA) contracts because it didn’t satisfy required cybersecurity protocols.  DOJ

July 19, 2023

Amazon.com, Inc. and its wholly-owned subsidiary Amazon.com Services LLC have agreed to pay a $25 million civil penalty to resolve allegations that its voice assistant service Alexa violated the Federal Trade Commission Act, the Children’s Online Privacy Protection Act, and the Children’s Online Privacy Protection Rule.  Since at least May 2018, Amazon has retained indefinitely and by default voice recordings of children interacting with Alexa.  The company also falsely represented that such recordings, including transcriptions and geolocation information, could be deleted by Alexa users, when in fact user deletion requests were not always honored.  As part of the settlement, Amazon must identify and delete inactive child profiles and notify users about its retention and deletion practices.  DOJ

CFTC Targets Cybersecurity and Environmental Fraud

Posted 07/6/23
Last week, the Commodity Futures Trading Commission (CFTC) announced the creation of two new task forces.  One is the Cybersecurity and Emerging Technologies Task Force, to address fraud relating to cybersecurity and other emerging technologies.  The other is the Environmental Fraud Task Force, to go after environmental fraud and misconduct in derivatives and relevant spot markets.  The CFTC is the federal agency...

June 27, 2023

ACI Worldwide and its subsidiary, ACI Payments, will pay a $25 million civil penalty for improperly initiating around $2.3 billion in unlawful mortgage payment transactions, impacting nearly 500,000 homeowners with mortgages serviced by Mr. Cooper f/k/a Nationstar. ACI offers payment processing services across a wide range of industries. ACI conducted tests of its electronic payments platform on April 23, 2021. Rather than using deidentified, dummy data, ACI used client data files from Mr. Cooper instead, causing massive overdraft fees and other negative financial consequences to the unsuspecting borrowers. The CFPB found ACI in violation of the Consumer Financial Protection Act and the Electronic Fund Transfer Act, for illegally initiating withdrawals from borrower bank accounts, and improperly handling sensitive consumer data. ACI must pay the $25 million as well as adopt and enforce reasonable information security practices, and is prohibited from processing payments without obtaining proper authorization. CFPB

May 18, 2023

Google has agreed to pay almost $40 million to the State of Washington for misleading consumers about its location tracking practices.  The company had led consumers to believe they had control over their location data, but in reality, regardless of consumers’ stated preferences, the company collected, stored, and profited from consumer location data.  AG WA

May 17, 2023

EyeMed Vision Center has entered into a settlement agreement with the states of Florida, New Jersey, Oregon, and Pennsylvania to resolve allegations that it compromised the personal and medical information of about 2.1 million people in a data breach in June 2020.  In addition to paying $2.5 million, EyeMed has agreed to implement additional security measures to protect the privacy of its customers, including reporting all data breaches immediately.  NJ AG; OR AG

October 12, 2022

The owner of popular fashion ecommerce websites SHEIN and ROWME, Zoetop Business Company, Ltd., has agreed to pay $1.9 million to settle charges that it failed to properly safeguard consumer information, failed to protect accounts impacted by a data breach, and downplayed the extent of the breach to consumers.  In June 2018, attackers stole the names, email addresses, hashed passwords, and credit card information of 39 million SHEIN consumers worldwide, but Zoetop failed to alert more than 32.5 million of them that their login credentials had been compromised.  Two years later, Zoetop discovered that 7 million ROWME consumers were also affected.  AG NY

October 4, 2022

Sebastian Vachon-Desjardins, a Canadian man who participated in a ransomware attack that affected victims around the world—including companies, municipalities, emergency services, hospitals, law enforcement, school districts, and higher education institutions—has been sentenced to 20 years in prison and ordered to forfeit $21.5 million; a restitution order will be issued at a later date.  According to the government, Vachon-Desjardins’ NetWalker ransomware had taken advantage of the COVID-19 pandemic to specifically target organizations in the healthcare sector.  USAO MDFL

September 20, 2022

Morgan Stanley Smith Barney LLC (MSSB) has agreed to pay $35 million to the SEC to settle charges of failing to protect the personal identifying information (PII) of some 15 million customers.  Between 2015 and 2020, MSSB failed to properly encrypt PII or properly dispose of devices and servers containing PII.  As a result, decommissioned devices containing unencrypted PII were resold by a third party via an internet auction site, and 42 decommissioned servers containing unencrypted PII went missing entirely.  SEC