Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
United States Government Security

Data Collected by the US Justice Department Exposed in Consultant's Breach (securityweek.com) 9

DOJ-Collected Information Exposed In Data Breach Affecting 340,000 Information Collected An anonymous reader shared this report from Security Week: Economic analysis and litigation support firm Greylock McKinnon Associates, Inc. (GMA) is notifying over 340,000 individuals that their personal and medical information was compromised in a year-old data breach. The incident was detected on May 30, 2023, but it took the firm roughly eight months to investigate and determine what type of information was compromised and to identify the impacted individuals.



According to GMA's notification letter to the affected individuals, a copy of which was submitted to the Maine Attorney General's Office, both personal and Medicare information was compromised in the data breach... "This information may have included your name, date of birth, address, Medicare Health Insurance Claim Number (which contains a Social Security number associated with a member) and some medical information and/or health insurance information," the notification letter reads.

The compromised data, GMA says, was obtained by the US Department of Justice "as part of a civil litigation matter". More than 340,000 individuals were affected by the data breach, the company told the Maine Attorney General's Office. The impacted individuals, however, are "not the subject of this investigation or the associated litigation matters", the company tells the affected individuals.

This discussion has been archived. No new comments can be posted.

Data Collected by the US Justice Department Exposed in Consultant's Breach

Comments Filter:
  • by WindBourne ( 631190 ) on Saturday April 13, 2024 @07:09PM (#64392460) Journal
    It is LONG past time for us to be able to SUE companies for this, AND to have criminal investigations against the C*O of companies that are breached. Why? Because they are not doing what is needed to protect this data. It is really not that hard to do.
    • And sue the federal government when they fail to follow their own rules or provide oversight over the companies they contract with. I agree with sovereign immunity when they do their job, but when they make a mistake they should be held accountable by the injured party.
      • by Sebby ( 238625 )

        I agree with sovereign immunity when they do their job, but when they make a mistake they should be held accountable by the injured party.

        10000x this.

      • by CaptQuark ( 2706165 ) on Saturday April 13, 2024 @09:47PM (#64392640)

        ... fail to follow their own rules or provide oversight over the companies they contract with.

        I agree agencies should be held accountable when they make mistakes, but this problem was caused by a ransomware attack on the contracted consulting company.

        Greylock McKinnon Associates (GMA) was analyzing Medicare fraud information for the DOJ when GMA was the victim of a ransomware attack. The report in the HIPAA journal referenced here does not list how the ransomware attack happened, or if GMA was following all best practices when the attack occurred, but it would be difficult to blame the DOJ for not preventing the ransomware attack. https://www.hipaajournal.com/m... [hipaajournal.com]

        • The company wasnâ(TM)t following all the rules, otherwise the breach would not have happened. Moreover, they immediately deleted the rest of the data after the breach indicating that they didnâ(TM)t need the data in the first place and that someone initially hoped that just getting rid of it would have solved their problem and then the DOJ, aware for more than a year now, neither informed the victims nor charged the company.

          This is criminal behavior on the part of DOJ and the company, but neither

    • The bar for filing a small claims nuisance suit is quite low in most if not all states. If everyone would sue them for their data handling practices creating a nuisance situation. 380,000 small claims cases would have them begging for a class action lawsuit. Wording the lawsuit to state that the enjoyment of your home has been impaired because of their actions requiring you to spend time in response to their poor behavior monitoring and worrying about your credit would be important.
  • The impacted individuals, however, are "not the subject of this investigation or the associated litigation matters", the company tells the affected individuals.

    Then WTF was their information "part of a civil litigation matter" if it wasn't relevant to them?!?

    Also:

    it took the firm roughly eight months to investigate and determine what type of information was compromised and to identify the impacted individuals

    Meaning for eight months, these innocent individuals, which have nothing to do with anything about this "civil litigation matter", have been at risk, or more likely victims, of identity fraud.

    • or worse. There's cases of people using "confidential" information to blackmail or extort people. Cases of them using information such as kids info to create attacks for false ransom, etc.
  • by 93 Escort Wagon ( 326346 ) on Saturday April 13, 2024 @09:38PM (#64392632)

    Was there actually a good reason for this Justice Department data to have been copied over to the consultant-owned machines at all?

"Show me a good loser, and I'll show you a loser." -- Vince Lombardi, football coach

Working...