California Bar Data Breach Exposes 260,000 Confidential Attorney Discipline Records; Headlines February Compromises

• According to the State Bar of California, 260,000 confidential attorney discipline records were exposed after a recent California Bar data breach. The information was briefly published on the website judyrecords.com.
• The Atlanta Journal-Constitution reports that voting software company EasyVote Solutions exposed an unknown number of Georgia voters’ registration information on the internet. The information may have been taken from an EasyVote online storage location.
• A ransomware attack on Logan Health Medical Center’s systems has impacted more than 213,000 Montana patients, nearly one in every four residents in the state.
• Anyone impacted by a data breach should follow the advice in the notification notice, change their password to a long and unique passphrase and keep an eye out for phishing attempts that claim to be from the breached organization.
• For more information about February’s key data events and other recent data breach news, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
• If you believe you are the victim of identity theft from a data compromise, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

Notable February Data Breaches

Of the 121 data compromises the Identity Theft Resource Center (ITRC) tracked in February, three stand out: the State Bar of California, EasyVote Solutions and Logan Health Medical Center. The State Bar of California suffered a recent data breach when a public website that aggregates nationwide court case records accessed and displayed case profile data. EasyVote suffered a data event when Georgia voters’ personal information was obtained from an online storage location. Logan Health Medical Center was hit with a ransomware attack, affecting approximately a quarter of Montana residents.

State Bar of California

The State Bar of California had 260,000 confidential attorney discipline records exposed after a recent California Bar data breach. According to the California Bar, the State Bar learned that a public website that aggregates nationwide court case records was displaying limited case profile data on about 260,000 nonpublic State Bar attorney discipline case records, along with around 60,000 public State Bar Court case records. 

The Los Angeles Times reports that all the confidential information from the California Bar data breach published on the website judyrecords.com has been removed. The records included case numbers, file dates, information about the types of cases and their statuses, and respondent and complaining witnesses’ names. Statistics provided by the site owner indicate that State Bar records and data were available on judyrecords.com from October 15, 2021, to February 26, 2022. 

The State Bar says in a release that they now believe there was no malicious “hack” of its system. Instead, an unknown security vulnerability in the Tyler Technologies Odyssey case management portal allowed the nonpublic records to be unintentionally swept up by judyrecords.com when they attempted to access the public records using a unique access method.

The State Bar is working with Tyler Technologies, the maker of the Odyssey system, to remediate the security vulnerability that led to the recent California Bar data breach, which they believe may not be unique to the State Bar’s implementation and could impact other users of Odyssey systems.

EasyVote Solutions

A recent data breach of voting software company EasyVote Solutions exposed Georgia voters’ registration information on the internet. According to The Atlanta Journal-Constitution (AJC), EasyVote provides software that streamlines voter check-ins during early voting in dozens of counties across Georgia, including Fulton, Oconee and Paulding counties. The software uses local voter registration to print out filled-in election applications for voters when they arrive at the polls instead of requiring voters to complete paperwork by hand.

The AJC says that information about Georgia voters was posted to an online forum. Information exposed includes names, addresses, races and dates of birth. However, the Chief Financial Officer for EasyVote says the breach did not involve Social Security numbers (SSN) or driver’s license numbers. While the number of people impacted is still unknown, EasyVote says the voter information could have been obtained from an online storage location. The storage location was disabled, and the data was transferred to a new environment with additional security controls. The voter software company is working with a cybersecurity firm to determine the extent of the information that may have been exposed.

Logan Health Medical Center

Nearly a quarter of Montana residents could feel the effects of a ransomware attack at one of the state’s largest medical centers. According to HIPPA Journal, identity criminals gained access to a file server with patient information. The security breach was detected in late November 2021. It was confirmed a month and a half later that specific files with sensitive personal health information were accessed. The Maine Attorney General indicates more than 213,000 Montana residents could have had their personal information compromised.

Information accessed in Logan Health Medical Center’s recent data breach includes names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, dates of service, treating physicians, medical bill account numbers, and health insurance information. HIPPA Journal says the information exposed varies from patient to patient.

While there is no evidence that the information has been misused, Logan Health Medical Center is offering free credit monitoring and identity theft protection services. The health center also implemented additional security measures to protect its systems.

What to Do if These Data Breaches Impact You

Anyone who receives a data breach notification should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/text) and to keep an eye out for phishing attempts that claim to be from the breached organization.  

Right now, the State Bar of California encourages anyone concerned about data exposed in the California Bar data breach appearing on the judyrecords.com website to contact the website and godaddy.com directly to request the removal of their files. However, as of February 26, all State Bar records appear to have been removed from the site.

notified

For more information on recent February data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Later in 2022, the ITRC will launch a free alert service for consumers where individuals can create a list of companies with which they do business. If an organization on the list is added to our notified data compromise database, a subscriber will receive an email alert.

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.