15M T-Mobile Customers Exposed in Hack; Trump Hotels Hit With Data Breach; Privilege Covering Target Docs Challenged; HHS: OCR Should Strengthen HIPAA Oversight; 17.6M U.S. Victims of Identity Theft in 2014

15M T-Mobile Customers Exposed in Experian Breach

Experian has reportedly suffered a major data breach, potentially exposing anyone who applied for a regular T-Mobile USA postpaid plan between September 1, 2013 and September 16, 2015.  T-Mobile had used Experian to conduct credit checks on its customers.  Experian reports that hackers accessed a computer server and took data including T-Mobile customer names, addresses, Social Security numbers, birthdays and other highly sensitive information.  Experian has stated that this was an isolated incident, but 15 million T-Mobile customers are affected.  Experian is offering two years of free credit monitoring and identity protection to those customers.  However, the compromised customer data is reportedly already being made available for sale on the dark web.

Trump Hotels Hit With Data Breach

Hackers reportedly may have had access to credit card information in Trump Hotels’ payment system for nearly a year due to malware.  An advisory issued by Trump lists seven properties affected by the incident.  The hotel chain currently reports that while there may have been an opportunity to access customer data, its forensics investigation has yet to uncover that any data had definitely been compromised, but they are offering one year of complimentary fraud resolution and identity protection services to affected customers.

Privilege Covering Target Breach Docs Challenged

The class of banks suing Target over its 2013 data breach are urging a Minnesota judge to compel production of documents that Target claims are privileged.  The documents at issue are related to a data breach task force and a forensics investigation conducted by a Verizon team.  Target has pushed back stating that the materials were produced for the purpose of securing legal advice in coordination with counsel and are protected.

HHS:  OCR Should Strengthen Oversight of Compliance with HIPAA Privacy Standards

The U.S. Department of Health & Human Services (HHS) Office of Inspector General calls for the Office of Civil Rights (OCR) to strengthen its oversight of covered entities’ compliance with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA).  This call comes as a result of a study conducted by the Office of Inspector General to assess OCR’s current oversight, which found it to be primarily reactive and that OCR had not fully implemented a required audit program to proactively assess noncompliance.  OCR concurred with the resulting recommendations that it (1) fully implement a permanent audit program; (2) maintain complete documentation of corrective action; (3) develop an efficient method in its case-tracking system to search for and track covered entities; (4) develop a policy requiring OCR staff to check whether covered entities have been previously investigated; and (5) continue to expand outreach and education efforts to covered entities.

17.6M U.S. Victims of Identify Theft in 2014

A report issued by the Bureau of Justice Statistics reports that an estimated 17.6 million persons, or about 7% of all U.S. residents age 16 or older were victims of one or more incidents of identity theft in 2014.  The majority of those victims experienced misuse of an existing account (credit cards or bank accounts being the most common).  The percentage of the population, types of misuse and the relative frequency of those types generally tracked a previous study conducted in 2012.  However, the number of elderly victims increased.  Among victims, about 79% experienced a single incident, while 21% experienced two or more.