As the year comes to an end, we take a look back at the final data breaches announced in the news. In 2020, data breaches have exposed consumers’ Personally Identifiable Information (PII) at an alarming rate, putting close to three hundred million people at risk of identity theft and fraud. And a staggering 36 billion records were exposed through the end of September 2020, with 21% of reported breaches of those breaches involving the use of increasingly popular ransomware attacks.
Here are the recent data breaches that made headlines in December 2020:
Blackbaud, a cloud-based fundraising database management vendor for non-profits and educational institutions, became victim to a ransomware attack beginning in February 2020, which remained undetected until May 2020. Blackbaud paid the ransom and received confirmation the data had been destroyed. Before deleting the data, the cybercriminals copied sensitive data from over 6 million donors, potential donors, patients, and community members including names, emails, phone numbers, dates of birth, genders, provider names, dates of service, department visited, and philanthropic giving history. A recent SEC filing in September 2020, reveals hackers gained access to more unencrypted data than originally reported, including Social Security numbers, financial accounts, and payment information. Hundreds of Blackbaud’s impacted clients continue to disclose the data incident, including Inova Health (1.5 million), Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and Main Line Health (60,595). Several organizations in Vermont were also included in the breach, such as the Vermont Foodbank, Middlebury College, and Vermont Public Radio.
One of the world’s largest security firms, FireEye, disclosed an unauthorized third-party actor accessed their networks and stole the company’s hacking software tools. The highly sophisticated hacker also attempted to search and gather information related to the company’s government customers.
Dental Care Alliance
A cyberattack on healthcare provider, Dental Care Alliance, exposed sensitive personal and medical information of over 1 million patients. The attack exposed patient names, addresses, dental diagnosis and treatment information, patient account numbers, billing information, bank account numbers, the name of the patient’s dentist, and health insurance information.
An undisclosed number of users of the audio streaming service, Spotify, have had their passwords reset after a software vulnerability exposed account information. A data breach notification filed by Spotify claims the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.”
Tufts Health Plan, Aetna, Blue Cross Blue Shield & EyeMed
A phishing attack on the vision benefits management company, EyeMed, exposed the personal and medical information of hundreds of thousands of health plan members, including 484,157 Aetna members (announced on December 28, 2020,) 60,545 members of Tufts Health Plan, and 1,300 members of Blue Cross Blue Shield of Tennessee. The information disclosed during the attack included names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification numbers, Medicaid or Medicare numbers, driver’s license, birth or marriage certificates. For a smaller number of members, partial or full social security numbers and/or financial information, medical diagnoses and conditions, treatment information, and passport numbers were also included.