DNA Diagnostics Center (DDC), one of the largest private DNA testing laboratories in the United States, has been fined a total of $400,000 by state attorneys general in Pennsylvania and Ohio for violations of state laws that contributed to a breach of the personal information of almost 46,000 Pennsylvania and Ohio residents, and approximately 2.1 million individuals across the United States.
The data breach that prompted the investigation was discovered by DDC on August 6, 2021, when suspicious activity was detected in some of its archived databases. The investigation determined the databases had been accessed by unauthorized individuals between May 24 and July 28, 2021, and certain files and folders had been removed. The databases contained the sensitive information of individuals who had received DNA testing services between 2004 and 2012, including 33,300 individuals in Pennsylvania and 12,600 individuals in Ohio. The exposed data included names, Social Security numbers, and payment information.
The databases had been obtained from a company called Orchid Cellmark, which DDC acquired in 2012. The databases had been archived and were not used for any business purposes and, according to DDC, were inadvertently transferred as part of the acquisition, without the knowledge of DDC. Nine years after the acquisition, DDC was still unaware that the databases existed in its systems. DDC said it had conducted penetration tests and an inventory assessment prior to the data breach, but those assessments and tests only identified active customer data and did not reveal the presence of the archived databases on its systems.
Prior to the data breach, DDC contracted with a third-party service provider to conduct data breach monitoring. That company detected the data breach and attempted to contact DDC on multiple occasions via automated email alerts, but employees failed to respond for two months. During those two months, malware – Cobalt Strike – was installed on the network and data was exfiltrated. The breach investigation confirmed that an unauthorized third party had logged on via a VPN on May 24, 2021, using a DDC user account. Active Directory credentials were harvested from a Domain Controller that provided password information for each account in the network. The VPN used by the threat actor was no longer in use at DDC, which had migrated to a new VPN. The unauthorized third party used a test account with admin privileges to achieve persistent access and execute Cobalt Strike within DDC's network. Five servers that contained backups of 28 databases were compromised, and a decommissioned server was used to exfiltrate the data. The threat actor then contacted DDC and demanded payment for the return and deletion of the stolen data, and payment was made.
The investigation by the state attorneys general found DDC had “engaged in deceptive or unfair business practices by making material misrepresentations in its customer-facing privacy policy concerning the safeguarding of its customers’ personal information.” It was also alleged that DDC failed to employ reasonable measures to detect and prevent unauthorized access to its computer networks, and as such, engaged in unfair and deceptive cybersecurity practices which exposed customer data to unauthorized access and theft. The state AGs ruled that those failures constituted unfair trading practices and violations of state Consumer Protection Law.
DDC chose to settle the investigations with no admission of wrongdoing. Under the terms of the settlement, DDC agreed to pay $200,000 to Pennsylvania and $200,000 to Ohio, implement and maintain a comprehensive information security program, conduct comprehensive risk assessments at least annually, allocate risk-appropriate resources to protect the personal information of consumers, and conduct an information security program assessment at least annually to review the effectiveness of the information security program.
“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” said Acting Attorney General Henry. “That’s why my Office took action with the assistance of Attorney General Yost in Ohio. I am proud of the work our agents and attorneys do every day to protect Pennsylvanians’ most sensitive information.”
The post State AGs Fine DNA Testing Lab $400,000 for Data Breach appeared first on HIPAA Journal.