Cybersecurity and Data Breaches

May 23, 2019

Sixteen states have reached a settlement with the Medical Informatics Engineering and NoMoreClipboard, LLC, which have agreed to pay $900,000 to resolve allegations that the companies violated the Health Insurance Portability and Accountability Act (HIPAA), unfair and deceptive practice laws, notice of data breach statutes, and state personal information protection laws. The companies provide patient portals to healthcare providers, enabling patients to access their health records. Hackers allegedly infiltrated the companies' servers in May 2015, stealing the information of more than 3.9 million individuals. A consent judgment with specific compliance agreements was also entered by the court.  FL; NC

October 16, 2018

Sudhakar Reddy Bonthu, a former manager at Equifax, was sentenced to 8 months of home confinement and fined $50,000 for insider trading related to Equifax's massive data breach in 2017. As a member of a team tasked with quickly developing an online user interface for 100 million possible victims of a data breach at an unnamed company, Bonthu quickly guessed that the company in question was the one he worked for. In violation of company policy as well as federal law, Bonthu then allegedly bought a large quantity of Equifax stock, specifically put options, which allowed him to profit if the value plummeted within a two week period. Six days later, Equifax announced the breach and its stock value plummeted, netting Bonthu more than $75,000 in fraudulently gained profits. USAO NDGA

September 27, 2018

Uber has reached a $148 million settlement in a multi-state investigation arising from a 2016 data breach, which exposed the drivers’ license data of 600,000 drivers and other personal data from as many as 57 million customers.  Uber learned of the breach when anonymous hackers demanded $100,000 to keep the breach confidential.  Uber paid the hackers, but failed to disclose the breach or notify affected parties until November 2017.  The $148 million settlement, the largest multi-state data breach settlement to date, will be divided among all 50 states and the District of Columbia. Uber also agreed to implement additional security and compliance procedures.  Among the AG announcements: CA, CT, FL, GA, IL, NJ, NY, NC, PA, VA.

June 28, 2018

The SEC charged a former Equifax manager with insider trading in advance of the company’s September 2017 announcement of a massive data breach that exposed Social Security numbers and other personal information of approximately 148 million U.S. customers. This is the second case the SEC has filed arising from the Equifax data breach.  In March, the former chief information officer of Equifax’s U.S. business unit was charged with insider trading. SEC

April 24, 2018

The SEC announced that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts. According to the SEC’s order, within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts. Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications, Inc. SEC