We are finally at the end of 2023, and as each month has consistently shown us, cybersecurity incidents occur no matter the time of year. December has already witnessed cyber events ranging from a massive data breach in the healthcare industry to class action lawsuits being filed against a prominent mortgage servicer. Here’s a quick recap of some of the most important cybersecurity developments that have occurred this past month.
Massive Healthcare Data Breach
Perry Johnson & Associates (PJ&A), a medical transcription company, faced a cyberattack in March that compromised the personal information of nearly 9 million patients. Hackers gained access to patient details, encompassing full names, dates of birth, medical record numbers, Social Security numbers, insurance information, and medical transcription files between March and May. While financial information remained secure, healthcare providers like Cook County Health (CCH) and Northwell Health initiated data breach notifications for affected patients, with CCH notifying 1.2 million individuals about exposed medical records. Approximately four million individuals impacted by the PJ&A breach are awaiting notifications. To address potential fraud or identity theft risks, affected individuals are urged to check their mail and email for breach notices, while companies may provide free access to identity theft protection services for a year. Continuous monitoring of bank statements is advised to detect unauthorized transactions or fraudulent activities. The situation is dynamic, with ongoing updates expected from healthcare providers and PJ&A, emphasizing the importance of regular checks for evolving developments.
New Cybersecurity Rules for NY Financial Institutions
Effective from November 1, 2023, the New York State Department of Financial Services has introduced more stringent cybersecurity regulations for financial institutions. These changes encompass a fortified framework for risk assessment, incident response, business continuity, and disaster recovery planning. Affected institutions are now demanded to report incidents to within 72 hours, with ransom payments requiring disclosure within a day. Simultaneously, there is a mandate for boards of directors to uphold a higher level of cyber expertise, personally overseeing cybersecurity risk management. The appointment of a Chief Information Security Officer (CISO) is now obligatory and is responsible for an annual assessment of the cybersecurity program. The senior governing body must possess a sufficient understanding of cybersecurity matters and ensure the program’s adequacy. The reporting time for cybersecurity incidents has been reduced to 72 hours, emphasizing a quicker response, and this shift reflects customer demand for increased transparency and accountability in cybersecurity. These regulations underscore the evolving landscape where cybersecurity is integral to business operations, aligning with market forces and heightened customer expectations.
Mortgage Servicer Faces Lawsuit After Security Breach
Following a cyberattack that halted its servicing systems and exposed customer data, Mr. Cooper, a prominent mortgage servicer, is now contending with two class action lawsuits. The legal actions, filed in a Texas federal court, allege that Mr. Cooper violated industry standards for safeguarding personally identifiable information and was negligent in promptly notifying affected individuals of the data compromise. Represented by Nancy Randall, the lawsuit demands comprehensive disclosure of compromised information and urges Mr. Cooper to adopt robust security measures to prevent future incidents. Despite the company’s reboot of systems and resumption of full customer service for its nearly 4.3 million customers, the lawsuit emphasizes a delay in notifying victims, potentially depriving them of timely mitigation. Court documents underscore the long-lasting ramifications of failing to secure personally identifiable information, with potential fraudulent use and damage extending over an extended period. Analysts foresee a financial impact on Mr. Cooper, anticipating lowered fourth-quarter estimates and additional vendor costs of $5 to $10 million. Reports from Keefe, Bruyette & Woods, Inc., BTIG, and Moody’s Investor Service provide varying insights into the breach’s potential effects on Mr. Cooper’s mortgage servicing earnings, client base, and credit quality, depending on the duration of disruptions and reputational damage.
Contact SWK Today
To prepare yourself for whatever hackers throw your way, you need to stay on top of any and all cybersecurity-related developments in real-time. This may seem like a full-time job in addition to your daily responsibilities, but fortunately, SWK is here to help. Contact us today and speak with our team of cybersecurity experts to learn what you need to do in order to stay safe in our digital world.