
Right To Know - February 2025, Vol. 26

February 12, 2025

Cyber, Privacy, and Technology Report

Welcome to your monthly rundown of all things cyber, privacy, and technology, where we highlight all the happenings you may have missed.

View previous issues and sign up to receive future newsletters by email here.

State Action:

  • New York on Verge of Enacting Sweeping Consumer Health Privacy Law: The NY Senate and Assembly have sent Senate Bill S929 to Governor Kathy Hochul’s desk for signature. Once signed, New York will join a minority of states with comprehensive health-related consumer privacy laws designed to protect health information not covered by HIPAA. The NYHIPA is notable for its strict consent regime for unauthorized uses of consumer health information and its specific notice requirements. The law also broadly defines what qualifies as Regulated Health Information, similar to Washington’s My Health My Data Act.
  • New York’s Breach Notification Law: New York recently amended its data breach notification law. Individuals and businesses are required to notify impacted individuals no later than 30 days after discovering the breach, unless there is a legitimate delay for law enforcement. While the amendment appears to require notice to NYDFS by any person or business suffering an incident, a chapter amendment proposed on Jan. 8, and pending the governor’s signature, clarifies that only NYDFS Covered Entities are required to notify NYDFS (and NYDFS has said non-covered entities do not need to notify it). Additionally, on March 25, 2025, the definition of “private information” is expanded to add medical information and health information.

Regulatory:

  • HHS Website Issues: As of the publication of this newsletter, various portions of the HHS OCR website, including pages relating to Civil Rights for individuals, are down or missing information.
  • FDA and CISA Issue Guidance to Remove Patient Monitors from Hospital Networks: Both the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued guidance to remove certain lines of patient monitors produced by Epsimed and Contec from networks. This guidance is the result of the disclosure of three separate Common Vulnerabilities and Exposures, the highest of which has a criticality score of 9.8 out of 10 and could lead to Remote Code Execution on the device. Remote Code Execution allows an attacker to run arbitrary code of their choosing on the device.
  • USCG Releases the Final Rule on Cybersecurity in Federal Register: On Jan. 17, the Coast Guard published its Final Rule with updated cybersecurity requirements for comment. The Final Rule will add minimum cybersecurity requirements applicable to US-flagged vessels, Outer Continental Shelf facilities, and facilities subject to Maritime Transportation Security Act of 2002 (MTSA). The Final Rule includes requirements to maintain a Cybersecurity Plan, designate a Cybersecurity Officer, and take various measures to maintain cybersecurity. The comment period is open and the Final Rule is set to take effect by July 16, 2025.
  • President Trump Rescinds President Biden’s Executive Order on Artificial Intelligence: On Jan. 23, President Trump issued an Executive Order, “Removing Barriers to American Leadership in Artificial Intelligence,” that “revokes certain existing AI policies and directives that act as barriers to American AI innovation...” The order revokes President Biden’s October 2023 Executive Order that provided guidance on safety and security standards for Artificial Intelligence (AI) development and use, addressed the impact of AI on civil rights, consumer and worker protections, and promoted innovation and international cooperation. Details of the new administration’s approach to AI will await a study and action under the new order.
  • FTC Finalizes Amendments to COPPA: In January, the Federal Trade Commission (FTC) finalized amendments to the Children’s Online Privacy Protection Act (COPPA) Rule, enhancing protections for children’s online privacy. The updated rule mandates that companies obtain separate verifiable parental consent before disclosing personal information from children under 13, including for targeted advertising purposes. It also restricts the use of persistent identifiers and prohibits practices that encourage prolonged online engagement without parental consent. Additionally, the rule strengthens data security requirements by requiring written information security programs and ensures that educational technology providers use children’s information solely for educational purposes. These changes aim to limit companies’ ability to monetize children’s data and increase accountability for COPPA Safe Harbor programs.

Litigation & Enforcement:

  • Texas AG Sues Allstate For Covert Data Collection: The Texas Attorney General filed a suit against Allstate and its subsidiary Arity for allegedly violating the Texas Data Privacy and Security Act, the Texas Data Broker Law, and the Texas Insurance Code. According to the Complaint, the defendants paid third-party app developers to integrate the defendants’ tracking software into their third-party apps. Defendants’ software would then allegedly track and collect users’ driving and related data, and the defendants compiled that information in a database that tied it to a specific consumer. The complaint further alleges that the defendants used that database for their own underwriting and sold access to other insurers. The complaint seeks civil penalties, attorneys’ fees, and other relief. The Texas AG’s suit was followed by a class action filed in the Northern District of Illinois against Allstate for violations of the Federal Wiretap Act, the Stored Communications Act, the Computer Fraud and Abuse Act, the California Computer Data Access and Fraud Act, and the California Wiretapping Act, among other acts and rights.
  • Court Rules Plaintiff Lacks Standing In Pixel Case: The United States District Court for the District of Massachusetts ruled that a plaintiff claiming that the use of “spy pixels” in marketing emails violated the Arizona Telephone, Utility and Communication Service Records Act lacked standing. The plaintiff brought a putative class action claiming that the defendant sent her and class members marketing emails containing “spy pixels” that collected and shared allegedly sensitive information including: “the email address, the subject of the email, when the email is opened and read, the recipient’s location, how long the recipient spends reading an email, whether it is forwarded, whether it is printed, and what kind of email server the recipient uses, among other sensitive information.” The court held that this information was not sufficiently private or sensitive to constitute a “concrete harm” as required for standing in federal court and dismissed the plaintiff’s claims.
  • FBI and US DOJ Hack U.S. Computers to Remove Chinese Malware: A People’s Republic of China governmental hacking group, known as “Mustang Panda,” had installed a Remote Access Trojan (“RAT”) on thousands of computers in an effort to target governments, businesses and Chinese dissidents across the world. The FBI conducted a court-approved operation to access approximately 4,258 U.S.-based computer systems to remove the RAT in what the DOJ referred to as a “…’whole-of-society’ approach to protecting U.S. cybersecurity.”
  • New York Attorney General Secures Settlement with Companies that Failed to Secure Home Security Video Cameras: New York Attorney General Letitia James has entered into a settlement agreement with three companies who distribute eufy home security cameras for alleged failures to protect private videos. The Office of the Attorney General’s investigation found that the companies had not implemented sufficient cybersecurity controls to protect the video streams, including adequate encryption and authentication mechanisms. These failures would permit anyone with the link to a video to access it. The settlement agreement requires the companies to pay $450,000 and take steps to ensure stronger protections for consumers’ data.
  • HHS OCR Reaches a Tenth Ransomware Enforcement Action: The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached another HIPAA settlement, with Northeast Surgical Group (NESG). This Settlement comes after a ransomware incident resulting in a breach that impacted over 15,000 patients, representing the entire patient population that NESG served. OCR’s investigation found that NESG failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI. A fine was issued and a Corrective Action Plan (CAP) was implemented. This Settlement marks a continued enforcement pattern by HHS OCR in response to ransomware incidents.
  • California Bar Judge Recommends Disbarment of Attorney for Coverup and Attempted Hacking: On Jan. 28, a California bar judge recommended disbarment of an attorney for covering up a scandal involving a utility’s billing system and for attempting to hack a judge’s and attorney’s private messages. The judge found the attorney culpable on nine charges for acts of moral turpitude involving dishonesty and collusion; making misrepresentations in court filings; disobeying multiple court orders; and engaging in conflicts of interest.

International Updates:

  • European General Court Orders European Commission to Pay Damages to Individual: In a first, the European General Court has ordered the European Commission to pay damages of €400 to an individual after their data was unlawfully transferred to the U.S. without adequate protections. The General Court found that the “Sign in with Facebook” hyperlink displayed on the EU Commission’s Login webpage resulted in the individual’s IP address being transferred to the Meta platform. The Commission had not demonstrated the existence of appropriate safeguards, in particular a standard data protection clause or contractual clause adopted in accordance with the conditions set out in Article 48 of Regulation (EU) 2018/1725, as the “Sign in with Facebook” link was governed solely by Facebook’s terms of service.

Industry Updates:

  • CISA and FBI Release Updated Guidance on Product Security Bad Practices: The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI), released updated guidance on “Product Security Bad Practices” as part of CISA’s Secure by Design initiative. This revision incorporates public feedback, identifies additional bad practices, provides context on memory-safe programming languages, clarifies timelines for patching Known Exploited Vulnerabilities (KEVs), and offers other recommendations. While the guidance is primarily aimed at software manufacturers supporting critical infrastructure, all developers are encouraged to avoid these bad practices to enhance product security.
  • Ransomware Operators Are Using Microsoft Teams to Masquerade as Help Desk Staff: Cybersecurity company Sophos reported that threat actors are exploiting Microsoft Teams to deliver ransomware through social engineering campaigns. These attacks often involve email bombing to overwhelm victims, followed by impersonation of IT personnel who initiate contact via Teams, instructing users to install remote assistance tools or using Teams’ built-in remote control features. Organizations can mitigate risks by restricting external communications in Teams, standardizing remote access tools, training employees to recognize social engineering, and implementing robust monitoring systems.
  • 7-Zip Vulnerability Leads to Malware Attacks: 7-Zip, an open-source archiver tool, contained a vulnerability allowing malware to be double-encapsulated within an archive, bypassing Windows operating system security protections and leaving Windows users vulnerable to attacks. Most recently, threat actors leveraged the 7-Zip vulnerability to attack Ukrainian municipal organizations and businesses by sending emails designed to deceive the user into opening the malicious attachment and executing the malware. The vulnerability has now been identified and 7-Zip users are urged to update the software to its latest version.
  • GrubHub Data Breach Impacts Undisclosed Number of Customers and Merchants: Web-based food delivery company, GrubHub recently experienced an attack that impacted the personal information of an undisclosed number of GrubHub’s customers, merchants, and drivers. A third-party service provider’s account was compromised, then used to siphon sensitive data. GrubHub identified the unusual activity on their systems and took steps to remove access from the third-party provider. Sensitive data thought to have been accessed includes: names, email addresses, partial payment card information, phone numbers, and hashed passwords. The identity of the threat actors responsible for the incident remains unknown.
  • Stiiizy Data Breach Exposes Personal Information of 380,000 Customers: California-based cannabis brand Stiiizy is notifying 380,000 individuals of a data breach involving a vendor’s point-of-sale processing system. Discovered in late November 2024, the breach occurred between October 10 and November 10, exposing personal information linked to four retail locations in San Francisco, Alameda, and Modesto. Compromised data includes names, addresses, dates of birth, driver’s license numbers, medical cannabis cards, transaction histories, and more. Stiiizy attributes the breach to an organized cybercrime group. Ransomware is suspected, as the Everest ransomware group claimed responsibility, listing 422,075 records on their leak site. Some data was made public, with threats of further disclosures unless a ransom was paid.
  • Scam Targets Google Ads Users’ Credentials: Cybersecurity professionals have alerted the public to a malvertising campaign that is targeting users of Google Ads. The scheme is suspected to have been active since mid-November of 2024 and aims to reuse the stolen credentials for further campaigns and to sell them to other criminal actors. The scheme presents fraudulent Google Ads in response to searches for Google Ads on Google’s search engine. The fraudulent ads redirect users to fraudulent sites where their Google Ads credentials are harvested. The scheme exploits the fact that Google Ads does not require the final URL (for sites clicked on through Google Ads) to be the same as the display URL, so long as the domains match.
  • Critical Flaws with SimpleHelp Allow for File Theft, Privilege Escalation and Remote Code Execution: Three flaws have recently been found in SimpleHelp’s remote access software. SimpleHelp software is used by IT professionals to conduct remote support. The flaws found in the software allow (i) unauthenticated threat actors to download files from the SimpleHelp server, (ii) threat actors with administrative access to upload arbitrary files anywhere on the host, and (iii) those accessing as a low-level technician to escalate their privileges to admin credentials, allowing greater system access. Users of SimpleHelp should make sure that their systems are patched through the releases made on January 8 and 13 by SimpleHelp.
  • California Issues Guidance on AI Use: In January, California’s Attorney General issued two new Legal Advisories on AI. One advisory pertains to the use of AI generally, stating that AI must comply with California laws concerning unfair business practices, false advertising, discrimination, bias and abuse of data, and summarizing new AI laws that became effective on January 1, 2025. The second advisory pertains to healthcare, noting that while AI can be useful in the healthcare space, companies must comply with California consumer protection laws, including the restrictions on the corporate practice of medicine. The Attorney General’s press release provides links to both advisories.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
