#incidentmanagement

In August 2020, @SchizoDuckie and I published what was to become the first of a series of articles or posts called "No Need to Hack When It's Leaking."

In today's installment, I bring you "No Need to Hack When It's Leaking: Brandt Kettwick Defense Edition." It chronicles efforts by @JayeLTee, @masek, and me to alert a Minnesota law firm to lock down their exposed files, some of which were quite sensitive.

Read the post and see how even the state's Bureau of Criminal Apprehension had trouble getting this law firm to respond appropriately.

databreaches.net/2025/07/04/no

Great thanks to the Minnesota Bureau of Criminal Apprehension for their help on this one, and to @TonyYarusso and @bkoehn for their efforts.

The Information and Privacy Commissioner of Ontario has completed a review into Daixin Team's massive cyberattack on five regional hospitals in 2023 and found hospital officials acted “adequately.”

Perhaps the most notable aspect of the report (from my perspective) was that the IPC said the hospitals were obligated to notify patients whose data had been encrypted (and not just those whose data had been exfiltrated). They saw no point in requiring that now, but wanted it noted that it should have happened.

So that seems to be making PHIPA's interpretation clearer for future victims of encryption incidents.

The full report makes an interesting read.

PHIPA Decision 284:
decisions.ipc.on.ca/ipc-cipvp/

B.C. health authority faces class-action lawsuit over 2009 data breach

databreaches.net/2025/05/24/b-

Let's see... they didn't prevent breaches, they didn't detect breaches on their own, and they didn't notify 20,000 employees timely or provide any mitigation services timely or at all.

But can plaintiffs prevail?

#databreach #infosec #cybersecurity #incidentmanagement #litigation

@privacylawyer

I am very happy because my DevEx team at work is becoming a lot more official and getting a lot of attention. Which means we may be able to officially make it a real team and the three of us can be 100% on it. So we're creating a new wiki space and top-level jira project and all that.

But sad, too, because I am moving resilience and incident documentation out of SRE and into our space. Because I am more concerned about seeing the work get done than I am about what team should own it.

So I'm satisfied that incident program management fell into DevEx. There are also no other SREs but me (out of like 12) that like dealing with incident management anyway.

My boss said that after what I did with the retro, he is completely comfortable having me oversee the improvement of our incident management.

Seems like I am becoming adept at fixing fucked on-call rotations!

Lexington School District Four in SC reported that 15,894 residents were affected by the PowerSchool breach. The state reached out to districts on Jan. 8 to tell them what was known at that time.

The district filed this with the state today: consumer.sc.gov/sites/consumer

It appears to be a copy of what they have sent out to residents as a preliminary notification.

If memory serves, PowerSchool had told districts they would be giving them something for communications by the evening of the 8th. Did they ever do that? Or are the four bullets in the district's notification what #PowerSchool gave districts to use?

@douglevin @brett @funnymonkey

From the Better-Late-Than-Never Department:

"Washington County is preparing to implement a new policy on how to respond to future cybersecurity attacks after a ransomware strike crippled the county government for more than two weeks earlier this year.

County solicitor Gary Sweat is asking the commissioners to consider approving a “business continuity and disaster contingency” plan that would have a protocol for county workers and its IT department to follow in the event of another cyber emergency."

As a reminder, they paid $350k ransom to ransomware gang to get decryptor key.

observer-reporter.com/news/loc

"Italy, exposed database puts dental clinic patients’ data at risk: "
suspectfile.com/italy-exposed-

@amvinfe followed up on some findings by @chum1ng0 and they tried to get two entities to lock down exposed data that includes personal information.

Despite repeated notifications, the data are still not locked down, it seems.

Change Healthcare submitted a breach notification to #HHS on July 19. They report the number of patients affected as "500" (a marker for "We have no friggin' idea how many and we'll get back to you at some date before the end of civilization maybe.").

They didn't comply with the "no later than 60 calendar days" requirement and I'm not sure what good a "500" report does anyone.

Almost 3 months after DataBreaches[.]net reported on the #BlackSuit attack on #Post&Courier, the paper posted a notice on its site. The notice doesn't mention that all the data was leaked on the dark web months ago or that the paper had negotiated to try to get the data deleted.

My coverage in April: databreaches.net/2024/04/17/th

Post & Courier's notice in July: postandcourier.com/site/evenin

FITSNews blasted P&C for its lack of timely #notification and #transparency: fitsnews.com/2024/07/23/the-po

#databreach #cybersecurity #journalism #incidentmanagement

@brett

databreaches.net: The Post and Courier hacked; Black Suit claims to have 500 GB of data. – DataBreaches.Net

I was just reading a follow-up on the Philippine Health Insurance (PhilHealth) breach by #Medusa in 2023, and I read something that struck me as unusual:

The govt didn't pay the TA's demands but what they did do was set up a portal where citizens could check to determine if Medusa had leaked their personal identification number.

I can't recall any govt or private sector entity ever creating a portal like that before. Can you? I mean, telling people to check HaveIBeenPwned is one thing, but to create a portal on a .gov domain to check what TAs leaked?

Portal: philhealthleak.privacy.gov.ph/

@campuscodi @zackwhittaker @brett @troyhunt

And then there were three -- 3 attacks in June 2023 where patients are first being notified now and where we do not know who was responsible for the attacks, at least two of which were ransomware attacks.

SouthCoast Medical Group and Privia Medical Group notify patients of June 2023 cyberattack

databreaches.net/2024/07/06/so

#HealthSec #HIPAA #HITECH #cybersecurity #ransomware #IncidentManagement

@brett @allan @amvinfe @campuscodi

Part 2 of 2:

SysInformation Healthcare Services, LLC, d/b/a EqualizeRCM also was the victim of a ransomware attack in June 2023, and we still don't know how many were affected.

Nor do I know which TA group is responsible for this one. Anyone know?

databreaches.net/2024/07/02/ho

databreaches.net: How many clients and patients were affected by a ransomware attack on EqualizeRCM? We have no idea. – DataBreaches.Net

Part 1 of 2:

Florida Community Health Centers to notify almost 300,000 of ransomware attack that occurred in June 2023.

databreaches.net/2024/07/03/fl

I don't know of any TA group that claimed responsibility for this one. Anyone know?
