Right To Know - April 2025, Vol. 28
Cyber, Privacy, and Technology Report
Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.
View previous issues and sign up to receive future newsletters by email here.
State Action:
- NY Attorney General Sues National General and Allstate for Failing to Protect Consumer Data in Back-to-Back Breaches: New York Attorney General Letitia James has filed a lawsuit against National General and Allstate Insurance for failing to protect the personal information of more than 165,000 New Yorkers in two consecutive data breaches. The lawsuit alleges that National General’s weak cybersecurity measures allowed online attackers to steal driver’s license numbers in 2020 and 2021. The complaint alleges that after the first breach, the company failed to notify affected consumers or implement necessary security enhancements, leading to a second, larger breach months later. The breaches occurred because National General’s online quoting websites automatically displayed full driver’s license numbers with minimal input, making it easy for cybercriminals to exploit. Despite discovering the first breach, National General neglected to take corrective action, leaving another system vulnerable to a subsequent attack. The breaches persisted even after Allstate acquired National General and assumed control of its data security. Attorney General James is seeking penalties for the companies’ failure to secure consumer data and notify affected individuals, as required by New York law.
Regulatory:
- HHS OCR Settles HIPAA Security Rule Case with Health Fitness Corporation: The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Health Fitness Corporation, based in Illinois, resolving potential violations under the HIPAA Security Rule. This marks OCR’s fifth enforcement action in its Risk Analysis Initiative, emphasizing compliance with cybersecurity standards for electronic protected health information (ePHI). The investigation found Health Fitness failed to conduct a comprehensive risk analysis, leading to ePHI exposure due to server misconfiguration. As part of the resolution, Health Fitness agreed to a corrective action plan and paid $227,816.
- Trump Executive Order Seeks Shift in Cybersecurity Response to States: In an executive order issued on March 19, 2025, President Trump called for states and local municipalities to develop strategies and make investments to secure key infrastructure from cyber attacks. While the move, part of a wider push to revamp the Federal Emergency Management Agency, does call for federal agencies to publish a strategy for better addressing cybersecurity risks, it also comes after the Department of Homeland Security slashed funding for cybersecurity information sharing centers.
Litigation & Enforcement:
- ChatGPT Sued Under GDPR For Hallucination: Arve Hjalmar Holmen, a Norwegian man, sued OpenAI under the GDPR for the “processing of personal data that results in inaccurate outputs.” According to the complaint, Mr. Holmen asked OpenAI’s ChatGPT “Who is Arve Hjalmar Holmen?” The AI tool responded with some accurate information — such as Mr. Holmen’s hometown and the ages of his children — but also provided significant inaccurate information, including that Mr. Holmen was convicted of murdering two of his children, attempting to murder his third child, and was sentenced to 21 years in prison. The complaint seeks deletion of the inaccurate data, an order that OpenAI “fine tune” its AI model to produce accurate results, restrict the processing of Mr. Holmen’s data by OpenAI, and an appropriate fine.
- Defense Contractor Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations: MORSECORP Inc. has agreed to pay $4.6 million to settle alleged violations of the False Claims Act for failing to meet cybersecurity requirements in connection with U.S. Army and Air Force contracts. The company admitted to using a third-party email host that did not meet federal security standards and to failing to fully implement required cybersecurity controls from 2018 to 2023. Additionally, MORSE misrepresented its NIST SP 800-171 security controls implementation score to the Department of Defense, only correcting it after receiving a subpoena. Federal officials emphasized the importance of holding contractors accountable for cybersecurity compliance to protect sensitive defense data.
International Updates:
- WhatsApp Challenge to European Data Protection Board Might be Able to Proceed: WhatsApp (a division of Meta Platforms) will have taken some encouragement on 27th March when an advisor to the EU’s top court (CJEU) recommended in a non-binding opinion that a challenge by WhatsApp to the European Data Protection Board (EDPB) (in respect of a direction to the Irish Data Protection Commission to increase a fine against WhatsApp) is admissible and should be referred to the EU’s general court for a substantive decision. It is believed this would (if followed by the CJEU) be the first time that a private entity such as a company has been permitted to sue the EDPB.
- EU Commission to Invest €1.3 Billion in AI, Cyber and Digital Skills: The EU Commission has announced a €1.3 billion investment through the Digital Europe Programme for 2025 to 2027, focusing on AI, cybersecurity and digital skills. According to EU Commission digital chief Henna Virkkunen, the investment is aimed at “securing European tech sovereignty.”
- ICO Fines Software Group £3 Million Following 2022 Ransomware Attack: The UK Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group (“Advanced”) over £3 million for failing to comply with security regulations, following an in-depth investigation triggered by a 2022 ransomware attack. The investigation revealed that personal data of approximately 80,000 individuals was compromised, including sensitive details on accessing the homes of 890 people receiving care. The breach occurred when a threat actor accessed Advanced’s systems through a customer account lacking multi-factor authentication. Additionally, the incident disrupted critical services, leading the ICO to classify Advanced’s systems as insecure. While the initial fine was higher, it was reduced due to Advanced’s proactive cooperation with UK agencies to mitigate risks for those affected.
- European Data Protection Board launches its Coordinated Enforcement Framework action for 2025: The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) action for 2025 focusing on the implementation of the right to erasure under Article 17 GDPR. The right to erasure is one of the most frequently exercised rights and one about which DPAs frequently receive complaints. Thirty-two European privacy regulators will investigate the status of the right through national coordinated actions and the results will be available in the EDPB report early next year.
- Finnish SA Imposes Administrative Fine on Sambla Group for Data Security Neglect: The Finnish SA has imposed an administrative fine of €950,000 on Sambla Group after finding the Group’s loan comparison services lacked adequate restrictions to prevent third parties from accessing customer data in loan applications. The contents of customers’ loan applications were accessible through personal URLs intended only for the customer; those URLs were targeted in phishing campaigns, resulting in the disclosure of personal data to third parties.
Industry Updates:
- Supply Chain Attack Causes GitHub Tool to Dump Secrets: The Cybersecurity & Infrastructure Security Agency (“CISA”) acknowledged that malicious code injected into a commonly used GitHub tool forces the tool to dump credentials from the projects it is used in, potentially including valid access keys, GitHub Personal Access Tokens, npm tokens, and private RSA keys. It is estimated that 23,000 GitHub repositories use this tool. The malicious code is believed to have first been added to another GitHub Action that was then incorporated into this tool.
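The item above describes a compromised third-party GitHub Action reaching the secrets of every workflow that pulls it in. The standard defensive check is to find workflows that reference actions by a mutable tag or branch (which a compromised upstream can silently repoint) rather than by a full commit SHA, and to inventory which secrets each such workflow exposes. The following script is an added illustration, not code from the newsletter or from CISA; the sample workflow, the `example-org/some-action` name and the secret names are constructed placeholders, and the 40-hex-digit SHA is a dummy value.

```python
import re

# Constructed sample workflow for illustration only; the organisation, action
# name, commit SHA and secret names are placeholders, not real identifiers.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/some-action@v45
      - uses: example-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo "building"
        env:
          GH_PAT: ${{ secrets.GH_PAT }}
"""

# Matches a `uses:` step line and captures the action reference.
USES_RE = re.compile(r'''^\s*-?\s*uses:\s*["']?([^"'\s#]+)''')
# A full 40-hex-digit commit SHA is the only immutable reference form.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Matches ${{ secrets.NAME }} expressions anywhere in the workflow.
SECRET_RE = re.compile(r'\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}')


def classify_uses(ref):
    """Classify one `uses:` reference by how it is pinned."""
    if ref.startswith(('./', '../')):
        return 'local'        # action checked in with the repo itself
    if ref.startswith('docker://'):
        return 'docker'       # image reference; pin by digest separately
    if '@' not in ref:
        return 'unpinned'     # no ref at all; resolves to the default branch
    _, version = ref.rsplit('@', 1)
    return 'sha' if SHA_RE.match(version) else 'mutable'


def audit_workflow(text):
    """Return one finding per `uses:` line with its pin classification."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        kind = classify_uses(ref)
        findings.append({
            'line': lineno,
            'uses': ref,
            'kind': kind,
            # Tags and branches can be repointed upstream; SHAs cannot.
            'flag': kind in ('mutable', 'unpinned'),
        })
    return findings


def flagged_refs(text):
    """Action references that a compromised upstream could silently replace."""
    return [f['uses'] for f in audit_workflow(text) if f['flag']]


def referenced_secrets(text):
    """Secrets this workflow hands to its jobs; all are at risk from a bad step."""
    return sorted(set(SECRET_RE.findall(text)))


if __name__ == '__main__':
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        marker = 'FLAG' if finding['flag'] else ' ok '
        print(f"[{marker}] line {finding['line']}: {finding['uses']} ({finding['kind']})")
    print('secrets exposed to this workflow:', ', '.join(referenced_secrets(SAMPLE_WORKFLOW)))
```

Run against a repository's `.github/workflows/*.yml` files, the output gives two lists a defender cares about after an upstream compromise: which steps are pulled by a repointable tag, and which secrets those steps could have read. Replacing each flagged tag with the commit SHA it currently resolves to (keeping the tag in a trailing comment for readability) removes the repointing risk; the local and Docker references are reported separately because they are pinned by different mechanisms.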
- 23andMe Files Bankruptcy Raising Questions About Data Privacy: DNA testing company 23andMe filed for Chapter 11 bankruptcy on March 23, seeking authorization to sell substantially all of its assets. Included is 23andMe’s vast store of DNA and related information on its 15 million customers. The filing and the intended sale raise numerous questions about how the privacy of those individuals will be protected in the sale. The California and New York Attorneys General have recommended individuals delete their information.
- Medusa Ransomware Uses Stolen Credentials and Malicious Driver to Disable Advanced Protections: Elastic Security Labs found that Medusa, one of the most active ransomware groups of late, used stolen certificates and a malicious driver (dubbed ABYSSWORKER) during an attack to turn off the victim’s endpoint detection and response (EDR) software. By using stolen certificates, the attack does not raise the sort of suspicion that other attacks may raise, and by turning off the EDR software, it disables one of the most crucial defenses that companies have. The vulnerability in the driver can be addressed by updating software to the latest versions (the exploited driver is outdated and no longer in current use), again emphasizing the need to make sure all software used on your systems is updated and properly patched.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.