Dna diagnostics center careers
1/12/2024

On February 16, 2023, the Attorneys General of Ohio and Pennsylvania announced a settlement with Ohio-based DNA Diagnostics Center (“DDC”) for a 2021 data breach which involved 2.1 million residents nationwide, including the social security numbers of over 45,000 Ohio and Pennsylvania residents. As a part of the settlement, which resolves alleged violations of Ohio and Pennsylvania consumer protection laws, DDC will pay $400,000 in fines and will be required to implement improved security practices. DDC, one of the world’s largest private DNA testing companies, suffered the breach in November 2021. The breach involved databases that were not used for any active business purpose, but had been acquired by DDC as a part of a 2012 acquisition of Orchid Cellmark.

These databases contained the personal information of over 2 million individuals who received DNA testing services between 20, including names, payment information, and social security numbers. DDC claims it was unaware that this data was transferred as a part of its acquisition of Orchid. DDC allegedly received indications of suspicious activity in the database from a security vendor as early as May 2021, but did not activate its incident response plan until August 2021, after the vendor identified signs of malware. The malware was loaded onto DDC’s network by threat actors and ultimately facilitated the extraction of patient data, which was subsequently used to extort a payment from DDC in exchange for its promised deletion. In its internal investigation of the incident, DDC found that an unauthorized third party had logged in via VPN on May 24 using a DDC account, having harvested credentials from a domain controller that provided password information for each account in the network. The Assurance of Voluntary Compliance (“AOC”) noted that at the time the hacker accessed the VPN, DDC had recently migrated to a different VPN, meaning no one should have been using the VPN that the hackers used. Furthermore, the AOC notes that the threat actor used a decommissioned server to exfiltrate the data. Prior to the breach, DDC conducted an inventory assessment and penetration test on its systems; however, the legacy databases that stored sensitive personal information in plain text were not identified, as the assessments focused solely on active customer data. The Ohio and Pennsylvania Attorneys General alleged that DDC engaged in deceptive or unfair business practices by making material misrepresentations in its customer-facing privacy policy concerning its safeguarding of its customers’ personal information. The policy represented that the company implemented “reasonable measures to detect and prevent unauthorized access to computer network.”

The settlement requires DDC to develop, implement, and maintain a comprehensive information security program that is reasonably designed to safeguard the security, integrity, and confidentiality of the company’s collected, stored, transmitted, and/or maintained personal information. Additionally, DDC’s information security program must include documented methods and criteria for handling information security risks to such personal information. On an annual basis, the company must also conduct comprehensive risk assessments, provide security awareness training to appropriate personnel, and evaluate the overall effectiveness of its information security program.

The settlement specifically requires DDC to implement the following safeguards:
- The assessment of risks associated with acquired technical assets (e.g., systems, applications, or devices) containing personal information and the subsequent removal of such information serving no legitimate business purpose or utility to consumers.
- Personal information must be transmitted and stored so that it is only accessible to people and systems that need such information for a legitimate business purpose.
- The maintenance of an updated data/asset inventory of DDC’s entire network and the disabling and/or removal of any unnecessary assets.
- The implementation of an incident response plan that mandates DDC employees to respond to any alerts generated from the company’s security monitoring systems, along with the documentation of actions taken in response to such alerts.
- The detection, investigation, containment, response to, eradication, and recovery from security incidents within reasonable time periods.
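The asset-inventory safeguard is the control that maps directly onto what the investigation found: a login on the VPN DDC had already migrated away from, exfiltration through a decommissioned server, and legacy databases holding plain-text personal information that an assessment scoped to active customer data never looked at. The Python script below is an added example, not code from the AOC, the Attorneys General, or DDC. It cross-checks a constructed inventory (the CSV columns, statuses and asset names are assumptions) against constructed telemetry lines and flags activity on decommissioned or unlisted assets, personal-data stores outside the active set, and inventory entries nobody has reviewed recently.

```python
"""Inventory-versus-telemetry cross-check (added example; all data constructed)."""
import csv
import io
from datetime import date, datetime

# Constructed asset inventory. The columns are an assumption, not DDC's format.
INVENTORY_CSV = """\
asset,kind,status,holds_pii,last_reviewed
vpn-legacy,vpn,decommissioned,no,2021-05-01
vpn-new,vpn,active,no,2021-05-20
orchid-db-2012,database,unknown,yes,2012-06-30
crm-db,database,active,yes,2021-05-20
files-old,server,decommissioned,no,2020-01-15
"""

# Constructed telemetry lines: "<timestamp> <asset> <event> key=value ..."
TELEMETRY = """\
2021-05-24T03:12:07Z vpn-legacy login user=jdoe src=203.0.113.5
2021-05-24T08:02:11Z vpn-new login user=asmith src=198.51.100.7
2021-05-25T02:44:30Z files-old outbound bytes=734003200 dst=192.0.2.9
2021-05-25T09:00:00Z backup-07 login user=svc_backup src=10.0.0.4
"""


def load_inventory(text):
    """Parse the inventory CSV into a dict keyed by asset name."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["holds_pii"] = row["holds_pii"].strip().lower() == "yes"
        row["last_reviewed"] = date.fromisoformat(row["last_reviewed"])
        rows[row["asset"]] = row
    return rows


def parse_telemetry(text):
    """Turn each telemetry line into a dict with ts, asset, event and k=v fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asset, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "asset": asset, "event": event, **fields})
    return events


def review_inventory(inventory, events, as_of, max_review_age_days=365):
    """Return sorted (severity, asset, reason) findings.

    as_of is an ISO date string; an entry older than max_review_age_days
    counts as stale (the threshold is an assumption, not a settlement term).
    """
    today = date.fromisoformat(as_of)
    findings = set()
    # 1. Activity on assets that should be off, or that nobody ever recorded.
    for ev in events:
        entry = inventory.get(ev["asset"])
        if entry is None:
            findings.add(("high", ev["asset"],
                          f"{ev['event']} on asset missing from inventory"))
        elif entry["status"] == "decommissioned":
            findings.add(("critical", ev["asset"],
                          f"{ev['event']} on decommissioned asset"))
    # 2. Personal-data stores outside the active set: exactly the legacy data an
    #    assessment scoped to active customer data would miss, plus stale entries.
    for name, entry in inventory.items():
        if entry["holds_pii"] and entry["status"] != "active":
            findings.add(("high", name,
                          f"holds personal data but status is '{entry['status']}'"))
        age = (today - entry["last_reviewed"]).days
        if age > max_review_age_days:
            findings.add(("medium", name,
                          f"inventory entry not reviewed for {age} days"))
    return sorted(findings)


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    evs = parse_telemetry(TELEMETRY)
    for severity, asset, reason in review_inventory(inv, evs, "2021-08-01"):
        print(f"{severity:8} {asset:16} {reason}")
```

Each finding is something the settlement's safeguards would have required someone to act on and document: the two "critical" lines are logins and outbound transfers from assets marked decommissioned, the unlisted `backup-07` is a gap in the inventory itself, and `orchid-db-2012` is a personal-data store whose status was never resolved after the acquisition. Run against real inventory and log feeds, the review threshold and the status vocabulary would be the first things to adapt.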