Why Are You Getting This?
You signed up to receive The Privacy Professor® Tips, or initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs® (PSB) and consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
NOTE! A final note on this topic, since things are now almost synced up. For those of you who requested or agreed to receive the Tips over the past 12 months: we recently learned that you did NOT receive any of our Tips during that period because of an omission in our distribution list settings. If you are just now receiving the Tips after months without them, this is why. We apologize for any confusion this caused.
Beware of The Privacy and Security Grinches of December!
Beware of the personal data and privacy grinches of the holiday season! Holiday grinches can strike using many methods, such as cyberattacks, physical theft, and person-to-person deception. These crooks are using all the old ways to commit their crimes while adding new methods, including those that use AI. The scams holiday grinches run go far beyond "bad websites" pretending to be legitimate. Holiday crooks increasingly leverage social media, AI-generated content, and modern payment methods such as popular payment apps. Being tech-savvy and aware of current scams will help you spot the early signs of such criminal attempts and help you (and your family and friends) keep the holiday scammers from ruining your festivities. Read on to strengthen your mental armor against security and privacy scams.
Our featured question this month is about a hospital posting the protected health information (PHI) of over 150 patients on social media for marketing purposes. We've also included answers (that we wrote using our own expertise and experience, not using AI) to some great reader questions covering three additional healthcare data and HIPAA topics, a question about IoT security and privacy, and one about Metaverse privacy and security concerns.
Please read to the end where we provide some information about our recent activities and online courses.
Since 2005, we have been freely distributing the Privacy Professor Tips monthly publication to help businesses and individuals of all ages identify risks in their daily lives and within their own businesses, and to help them prevent security incidents and privacy breaches and avoid becoming scam victims.
By sharing this Tips issue with others in your organization, you are also supporting a wide range of regulatory and other legal compliance requirements for sending such awareness communications. Thank you for reading and sharing!
We would love to hear from you!
Did you find the tips we provided useful? Did you like this issue? Do you have questions for us to answer? Please let us know at info@privacysecuritybrainiacs.com.
AI image of a holiday phone scammer using his script on a targeted victim. Created by Rebecca Herold using Gemini Nano Banana Pro.
December Tips of the Month
- News You May Have Missed
- Privacy & Security Questions and Tips
- Where to Find the Privacy Professor
“Hey, did you see that shocking news!?” A reader recently alerted us to some surprising security and privacy news. We love getting these notices! We are finding more unique news stories to share with you than ever before, along with news items that we believe are important for most folks to know, but that often do not get much mention in traditional news, or even in security and privacy news outlets.
Here are just a few of the 100+ news stories we discovered throughout the past month that provide a wide range of interesting security and privacy related news. These news items demonstrate that such types of risks exist basically anywhere in the world, and that everyone needs awareness.
This month we list 40 news items. We are grouping them into four broad categories: the first is for this month's topic, "Specific to Grinches and Other Scammers During the Holidays," followed by "Of Broad Interest," "Privacy in Businesses, Governments, and Other Organizations," and "Laws, Legal Issues, and Lawsuits About or Significantly Involving Privacy and/or Security Issues." Many readers will find all the items of interest, but for those of you who prefer one or two specific categories, this will help you find your news items of interest more quickly. Within each category the items are in no particular order. By popular request, we are also now including "INSIGHTS" with many of the news items to provide some advice or additional context. Thanks to the many readers who sent positive feedback; we appreciate it!
Do you have interesting, unusual, bizarre or odd stories involving security and privacy? Some of the most surprising items are in local news! Or questions about any of the notes we included for the stories we listed this month? Let us know!
Image created by Rebecca Herold on Leonardo AI. NOTE: It never got the spelling correct in multiple generated images.
Specific to Grinches and Other Scammers During the Holidays…
The holiday season brings with it the scamming season. Here are 10 representative news reports.
1. Zelle Scam Alert: How a Fake Call Could Drain Your Bank Account. "It often begins with a phone call from what looks like your bank. The number may appear to be from Chase, Bank of America, or another familiar institution." "In one reported case, a victim was told to type $2,100 into the Zelle payment field, along with a 19-character code. The scammer said this would stop unauthorized activity. It was really a transfer to the thief's account. Had the victim followed through, that money would have vanished in seconds. Zelle transactions are instant and typically irreversible." INSIGHTS: Many free tools let scammers spoof caller ID so a call looks real. Just because you see a call from your area code, or even one matching your bank's number, don't believe it without first doing some checking! Tell such callers you will call them back, then hang up and dial the number printed on the back of your card or on the bank's official website, never a number the caller gives you. If they're legit, they should agree.
2. Scammers target holiday shoppers with fake Geek Squad emails, data breaches in Maryland. “As people shop online, they might see a pop-up appear on their computer warning of a data breach. Or they may get an email like one claiming it's from the Best Buy Geek Squad, circulating widely now, saying they have a bill due and giving a number to call. Sergeant John Quarless of the PGPD Financial Crimes Unit advised the public to be careful now more than ever. He also said the emails are aimed at getting people to pick up the phone with a scammer. “We’re seeing an increase in people calling for a warrant scam, saying pay this, or you have a warrant," said Sgt. Quarless. "We’re just asking people to slow down, take a deep breath, and don’t fall for it.”
3. Hackers are hoping to take advantage of the holiday season, and they're not just stealing money or data. (Audio) "We have been noticing a massive uptick in certain areas." Attacks are increasing on edge devices such as home routers. Hackers are hijacking people's routers and launching attacks on others from those hijacked routers.
4. The Administrative Office of the Courts (AOC) and the Kentucky Retail Federation (KRF) are teaming up to warn shoppers about gift card and other scams. These scams frequently involve false claims that an arrest warrant can be cleared with prepaid cards.
5. When shopping online during the holiday season—or any time of year—always be wary of deals that seem too good to be true. Don't become a scammer’s next victim. According to the Internet Crime Complaint Center’s (IC3) 2024 report, non-payment and non-delivery scams cost people more than $785 million that year. Credit card fraud accounted for another $199 million in losses. INSIGHTS: There are many good tips in this article; a good article to read, share and discuss with family and friends.
6. FBI Reports $262M in Account Take Over (ATO) Fraud as Researchers Cite Growing AI Phishing and Holiday Scams. The development comes as Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium have highlighted the major cybersecurity threats ahead of the holiday season, including Black Friday scams, QR code fraud, gift card draining, and high-volume phishing campaigns that mimic popular brands like Amazon and Temu.
7. Text scammers make tens of thousands a month - and spend it on designer shoes and bags. “Fraudsters send fake text messages - apparently from a bank or other trusted company - to trick people into disclosing personal information such as passwords and Pin numbers. The intention is to defraud them out of their money.” A police officer reported, "We have got somewhere between 8,500 and 10,000 items of evidence in this one room."
8. 'How I lost £80K to fake Jason Momoa Facebook scammers.' Jane, whose name has been changed to protect her identity, was contacted on social media by an account claiming to be that of a true Hollywood A-lister, Jason Momoa. "We just got to talking on Facebook," she recalled. "He asked me if I'd seen his films and I said 'yes', then he asked me to move on to WhatsApp as it's encrypted and it's safer as he's a celebrity." Soon Jane was talking to people pretending to be Jason Momoa's agent, lawyer, bank representatives and even his daughter. "They manipulated me," she said. "I've lost an awful lot of money - around £80,000 [from an inheritance]."
9. Hackers steal maternity ward CCTV videos in India cybercrime racket. “Police in Gujarat state were alerted by the media to videos on YouTube - some showed pregnant women undergoing medical exams and receiving injections in their buttocks - in a maternity hospital in a city.” “Police say their investigation uncovered a massive cybercrime racket where sensitive footage from at least 50,000 CCTVs from across the country was stolen by hackers and sold on the internet.”
10. Chinese 'cryptoqueen' fraudster jailed in UK over $9b Bitcoin laundering scheme. Zhiman Qian has been jailed for 11 years. British authorities say Qian was the mastermind behind a Ponzi scheme into which around 128,000 victims in China invested billions of dollars.
Of Broad Interest…
11. Chinese-made buses in Norway can be halted remotely, spurring increased security. UK transport and cyber-security chiefs investigate Chinese-made buses. Move to gauge risk of remote meddling by Beijing with systems on Yutong buses used in England follows study in Norway. INSIGHTS: Over-the-air updates to vehicle software are common for all types of cars made in the UK, US, China, and the EU. However, when the manufacturer does not build strong security and privacy protections into those transmissions (signed updates delivered over an authenticated, encrypted channel), they can be intercepted and used as a pathway into the vehicle's controls themselves. Ask your auto dealer about the security of the digital components before buying; most vehicle software does not have strong security and privacy built in.
12. Forty-four girls at a high school in Iowa were targeted when generative artificial intelligence (GAI) was used to create nude deepfake images of them from photos they had posted on social media. Four of their male classmates were recently charged as juveniles. The girls learned about it when an official from Cascade High School in Cascade, Iowa notified their parents, along with a warning not to talk about it. The girls said that when they returned to school the next day, no one checked on their wellbeing or offered them counseling. In 2023, NCMEC received 4,700 such reports, then 67,000 in 2024, including from parents of the Iowa students. But in just the first six months of this year (2025), that number soared to 440,000 reports, including deepfakes.
13. Despite Chinese hacks, Trump’s FCC votes to scrap cybersecurity rules for phone and internet companies. “The Federal Communications Commission voted 2-1 along party lines on Thursday to scrap rules that required U.S. phone and internet giants to meet certain minimum cybersecurity requirements.” The ranking member of the Senate Homeland Security Committee said he was “disturbed” by the FCC’s effort to roll back “basic cybersecurity safeguards” and warned that doing so will “leave the American people exposed.”
14. DoorDash disclosed a data breach that exposed the personal information of an unspecified number of users, which included names, email addresses, phone numbers, and physical addresses. Despite the fact that hackers stole phone numbers and physical addresses, DoorDash claimed that “no sensitive information was accessed by the unauthorized third party and we have no indication the data has been misused for fraud or identity theft at this time.” DoorDash said in the post that the breach affected a mix of customers, delivery workers, and merchants.
15. Users of Elon Musk's X are getting stuck in endless loops and, in some cases, getting locked out of their X account, following a mandatory two-factor security change that seems to have gone wrong. "X said this was part of an effort to retire the older twitter.com domain, which currently redirects to x.com. That change took effect in May 2024. The problem is that passkeys and security keys are digitally tied to the old twitter.com domain and can't be transferred to x.com. That means users have to manually un-enroll and re-enroll using the new x.com domain." INSIGHTS: Passkeys and FIDO security keys are bound to the relying party's domain by design; that binding is what makes them resistant to phishing, so credentials registered under twitter.com cannot simply be moved to x.com. What went wrong here is the change management: enforcing the new two-factor requirement before users had been walked through re-enrollment, which points to poor change controls and a lack of thorough testing when changes are made to application code.
16. Towns and cities across the US are without access to their CodeRED emergency alert system following a cyberattack on vendor Crisis24. “Various municipalities have issued near-identical advisories about the attack on the OnSolve CodeRED platform, now owned by Crisis24, which enables residents to receive real-time alerts for emergencies such as weather warnings, missing children, terror threats, and more.”
17. A nationwide license plate recognition system tasked with reducing crime is being ousted from communities across the country, forcing local officials to reckon with mounting fears of federal surveillance during President Donald Trump’s second term. Public safety company Flock Safety has billed its surveillance systems as a program to root out criminal activity on local streets, with its cameras already installed in more than 6,000 municipalities nationally. But as Trump’s deportation campaign brought an increased, forceful presence of federal agents to states across the country, some local officials in predominantly liberal cities and towns now argue the cameras themselves pose the bigger danger for their cities, offering federal law enforcement a back door for tracking residents’ movements.
18. State-by-State Breakdown of Cybercrime in America. Fraud and identity theft complaints up 45%, while cybercrime is up almost 70%. The reality is that our analysis, while comprehensive, is just the tip of the iceberg. Many victims of phishing scams, ID theft, and other cybercrimes never report these incidents due to embarrassment or the perceived hassle of filing reports. The FBI estimates that only about 15 percent of cybercrime gets reported to authorities.
19. Google is suing 25 people it alleges are behind a "relentless" scam text operation that uses a phishing-as-a-service platform called Lighthouse. Over the last few years, Chinese cybercriminals have sent millions of scam text messages, often impersonating the USPS or toll-road collection firms, and allegedly made more than a billion dollars from their brazen schemes. These SMS scammer groups are prolific, annoying, and a menace to millions of people.
20. Disrupting the first reported AI-orchestrated cyber espionage campaign. “The attackers used AI’s “agentic” capabilities to an unprecedented degree—using AI not just as an advisor, but to execute the cyberattacks themselves. The threat actor—whom we assess with high confidence was a Chinese state-sponsored group—manipulated our Claude Code tool into attempting infiltration into roughly thirty global targets and succeeded in a small number of cases. The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention.”
Privacy In Businesses, Governments, and Other Organizations…
22. Thousands of legal LinkedIn profiles saddled with Bangladeshi Dewey & LeBoeuf. A Bangladeshi law firm operating under the name of Dewey & LeBoeuf is using the US outfit’s former website domain and LinkedIn page, meaning thousands of ex-Dewey staff are listed on the social media site as having worked at this apparently new iteration of the defunct firm. INSIGHTS: A good example of how work histories could be modified. Have you checked yours lately?
23. Bug in jury systems used by several US states exposed sensitive personal data. "Several public websites designed to allow courts across the United States and Canada to manage the personal information of potential jurors had a simple security flaw that easily exposed their sensitive data, including names and home addresses." "The bug meant it was possible for anyone to obtain the information about jurors who are selected for service. To log into these platforms, a juror is provided a unique numerical identifier assigned to them, which could be brute-forced since the number was sequentially incremental. The platform also did not have any mechanism to prevent anyone from flooding the login pages with a large number of guesses, a feature known as 'rate-limiting.'"
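The two flaws named in item 23, sequential identifiers and no rate limiting, compound each other. The following is an added example written for this issue (it is not code from the Tips, from the courts, or from the vendor of the jury portals): a toy login endpoint that issues either sequential or random juror IDs and optionally throttles guesses per source address, with an attacker function that spends the same guess budget against each design. Every identifier, address, and record in it is constructed for the demonstration.

```python
"""Added example, not from the Tips or any jury portal: why a sequential juror ID
with no rate limiting is enumerable, and how a random ID and a per-client throttle
change the attacker's yield.  All data below is constructed."""
import secrets
from collections import defaultdict
from typing import Dict, Optional

SEQ_START = 100000            # constructed: the flawed portal numbers jurors from here upward
NUM_JURORS = 50               # constructed: size of the juror pool
ATTACKER_IP = "203.0.113.5"   # constructed (documentation address range)


class JurorPortal:
    """Minimal stand-in for the login page described in the news item.

    sequential=True issues IDs 100000, 100001, ... (the flaw in the article);
    sequential=False issues 128-bit random tokens instead.
    max_attempts=None means no rate limiting (also as in the article); an
    integer caps the guesses a single source address may make.
    """

    def __init__(self, sequential: bool, max_attempts: Optional[int]) -> None:
        if sequential:
            ids = [str(SEQ_START + i) for i in range(NUM_JURORS)]
        else:
            ids = [secrets.token_hex(16) for _ in range(NUM_JURORS)]
        # Constructed records: what a successful login would reveal.
        self.accounts: Dict[str, str] = {
            jid: f"juror {i}: name, home address" for i, jid in enumerate(ids)
        }
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)   # guesses seen per source address

    def login(self, src_ip: str, juror_id: str) -> Optional[str]:
        """Return the juror record on a correct ID; None on a miss or when throttled."""
        if self.max_attempts is not None:
            self.attempts[src_ip] += 1
            if self.attempts[src_ip] > self.max_attempts:
                return None            # a real app would answer HTTP 429 here
        return self.accounts.get(juror_id)


def walk_sequential_space(portal: JurorPortal, budget: int) -> Dict[str, str]:
    """Attacker who has seen that IDs are numeric and walks upward from a guessed start."""
    found: Dict[str, str] = {}
    first_guess = SEQ_START - 10       # attacker's guess of where numbering begins
    for guess in range(first_guess, first_guess + budget):
        record = portal.login(ATTACKER_IP, str(guess))
        if record is not None:
            found[str(guess)] = record
    return found


def guess_random_tokens(portal: JurorPortal, budget: int) -> Dict[str, str]:
    """Same budget spent guessing 128-bit tokens: the space is 2**128, so nothing is found."""
    found: Dict[str, str] = {}
    for _ in range(budget):
        token = secrets.token_hex(16)
        record = portal.login(ATTACKER_IP, token)
        if record is not None:
            found[token] = record
    return found


def compare(budget: int = 1000) -> Dict[str, int]:
    """Juror records harvested under each design with the same guess budget."""
    return {
        "sequential, no rate limit": len(walk_sequential_space(JurorPortal(True, None), budget)),
        "sequential, 20 attempts per IP": len(walk_sequential_space(JurorPortal(True, 20), budget)),
        "random token, no rate limit": len(guess_random_tokens(JurorPortal(False, None), budget)),
    }


if __name__ == "__main__":
    for design, harvested in compare().items():
        print(f"{design:32s} -> {harvested} of {NUM_JURORS} juror records")
```

With a thousand guesses the sequential, unthrottled design gives up the whole pool; the per-address cap reduces the haul but does not eliminate it, and an attacker with many source addresses gets around it. The random identifier is what actually closes the hole, and a real portal should pair it with a second factor, lockouts, and monitoring rather than relying on any one of these.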
24. Cryptographers cancel election results after losing decryption key. Voting system required three keys. One of them has been "irretrievably lost." "The International Association of Cryptologic Research (IACR) said Friday that the votes were submitted and tallied using Helios, an open source voting system that uses peer-reviewed cryptography to cast and count votes in a verifiable, confidential, and privacy-preserving way. Helios encrypts each vote in a way that assures each ballot is secret." "Three members of the election committee act as independent trustees. To prevent two of them from colluding to cook the results, each trustee holds a third of the cryptographic key material needed to decrypt results." One of the three trustees irretrievably lost their private key. INSIGHTS: This points out the importance of having a backup plan in case the primary method becomes unusable, and of choosing a key-splitting scheme deliberately. An all-of-n split, where every trustee's share is required, means one lost share loses everything; a threshold split (say, any two of three) survives a lost share, but at the cost of letting any two trustees decrypt together, which is exactly the collusion the original design tried to prevent. Escrowing an encrypted backup of each share, and rehearsing recovery before the election opens, would have caught this. An organization of cryptographers, of all groups, should have had a backup plan for this.
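To make the trade-off in item 24 concrete, here is an added example written for this issue (not code from IACR, from Helios, or from the Tips): a toy all-of-n additive split beside a t-of-n Shamir split over a prime field. It works on small integers rather than the ElGamal groups a real voting system uses, and the modulus P, the function names, and the sample secrets are all assumptions made for the demonstration.

```python
"""Added example, not from IACR, Helios, or the Tips: an all-of-n key split versus a
t-of-n Shamir split, and what each one does when one trustee's share is lost.
Toy integer arithmetic only; P is an assumed field modulus."""
import secrets
from typing import List, Tuple

P = 2**127 - 1   # assumption: a prime larger than every secret split here


def split_all_of_n(secret: int, n: int) -> List[int]:
    """Additive split: n-1 random shares, the last fixed so all n sum to the secret.
    Every share is required; this is the property that sank the IACR election."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % P)
    return shares


def combine_all_of_n(shares: List[int]) -> int:
    """Correct only if every share is present; otherwise returns an unrelated value."""
    return sum(shares) % P


def split_shamir(secret: int, t: int, n: int) -> List[Tuple[int, int]]:
    """t-of-n Shamir split: random polynomial of degree t-1 with f(0) = secret;
    share i is the point (i, f(i))."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def combine_shamir(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P); correct with any t or more shares,
    garbage with fewer (so a lone trustee learns nothing)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def trustee_three_loses_share(secret: int) -> Tuple[bool, bool, bool]:
    """Three trustees; trustee 3's share is gone.  Returns whether the key is
    recoverable under the all-of-3 split, whether it is recoverable under a
    Shamir 2-of-3 split, and whether a single trustee could recover it alone
    under 2-of-3 (the collusion trade-off)."""
    all_of_3 = split_all_of_n(secret, 3)
    two_of_3 = split_shamir(secret, 2, 3)
    all_recovered = combine_all_of_n(all_of_3[:2]) == secret
    shamir_recovered = combine_shamir(two_of_3[:2]) == secret
    lone_trustee = combine_shamir(two_of_3[:1]) == secret
    return all_recovered, shamir_recovered, lone_trustee


if __name__ == "__main__":
    print(trustee_three_loses_share(0x5EC2E7))   # (False, True, False)
```

The threshold t is the dial: t = n gives the strongest collusion resistance and zero tolerance for loss, t < n tolerates n - t lost shares but lets any t trustees decrypt together. Whatever t is chosen, the election should not open until each trustee has proven they can still produce their share, and an escrowed, encrypted copy of each share should exist somewhere the trustee alone can unlock.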
25. Rogue employees of a Chicago company that specializes in negotiating ransoms to mitigate cyber-attacks were carrying out their own piracy in a plot to extort millions of dollars from a series of companies, prosecutors say. INSIGHTS: This is a good example of an insider threat that materialized.
26. Five people have pleaded guilty to helping North Koreans defraud U.S. companies by posing as remote IT workers. Facilitators in the United States and Ukraine assisted North Korean actors with obtaining remote IT employment with U.S. companies. "The facilitators provided their own, false, or stolen identities, and hosted U.S. victim company-provided laptops at residences across the United States to create the false appearance that the IT workers were working domestically. In total, these defendants' fraudulent employment schemes impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons." INSIGHTS: This is an example of identity theft, as well as an exploited insider threat.
27. US police involved in fatal incidents use victims’ privacy law to hide their identity. In dozens of cases officers have used Marsy’s Law, which gives victims of crime anonymity, to shield their names.
28. Multiple London councils 'hit by cyber-attacks'. The Royal Borough of Kensington & Chelsea (RBKC) said that it and Westminster City Council were "responding to a cyber incident affecting some shared IT systems" and that some systems, including phone lines, were disrupted. RBKC said the two councils were working with cyber specialists and the National Cyber Security Centre to protect data and restore services, and apologized for the disruption. The Met Police is investigating.
29. Architecture & Engineering: Building Resilience by Design (CAF Video Podcast). Dan Swanson and Brice Ominski discuss how your enterprise can stay resilient and secure amid accelerating innovation and changing business models.
30. Phone Call Recording Laws: What You Need to Know. When it comes to recording phone calls, consent laws vary from state to state. In most of the U.S., only one person in the conversation needs to know the call is being recorded. However, several states require the person recording to get permission from everyone involved first. Failure to follow these rules can expose you to serious legal risks, especially if the recording involves parties in multiple states. That’s why it’s important to know which type of consent law applies before pressing “record.”
Laws, Legal Issues, and Lawsuits About Or Significantly Involving Privacy and/or Security Issues…
32. A district court denied Change Healthcare's motion to dismiss claims for alleged consumer protection and data privacy violations, allowing Nebraska's lawsuit against Change Healthcare, UnitedHealth Group, and Optum to move forward. Judge Susan Strong of the Lancaster County District Court rejected the defendants' arguments and found that the state sufficiently alleged all violations of Nebraska's consumer protection and data privacy laws. The Court also underscored the magnitude of the breach, noting that the cyberattack exposed the sensitive personal and medical information of nearly 900,000 Nebraskans.
33. $6.5M settlement reached in Omni Health data breach suit. Patients and employees of Omni Family Health clinics in Fresno, Tulare County may claim compensation after a 2024 cyberattack exposed sensitive personal information. Under the agreement, about $2.2 million will be allocated for attorneys’ fees and costs, $30,000 for class representative awards and the remaining funds will compensate class members. INSIGHTS: This is a good example of how penalties and fines can go far beyond regulatory agreements. Lawsuits are becoming much more common. With regard to healthcare, these are on top of HIPAA non-compliance fines and penalties from not only the Department of Health and Human Services, but also all the additional penalties from the 54 US State and Territory Attorneys General.
34. First Choice Dental, a large dental practice with multiple locations across Wisconsin, was targeted by hackers in October 2023. The hackers gained access to sensitive information including over 150,000 patient names, dates of birth, Social Security numbers, passport numbers, driver's license numbers, financial account numbers, and health information. First Choice Dental has agreed to settle the lawsuit for a total settlement cost that is capped at $1,225,000. The settlement covers identity theft monitoring and protection for affected individuals, as well as reimbursement of out-of-pocket expenses the victims may have incurred as a result of the data breach.
35. A class action lawsuit accuses the University of Pennsylvania of being negligent, failing to protect the personally identifiable information (PII) of students and faculty exposed in a recent data breach that became public through a Halloween email blast sent by a purported hacker claiming to have accessed UPenn’s data. The class action lawsuit alleges that the University of Pennsylvania has failed to implement adequate data security measures, despite collecting and storing sensitive personal information from students and faculty.
36. A class action lawsuit claims WestJet failed to properly secure and safeguard the personally identifying information (PII) of more than 1.2 million customers during a data breach earlier this year. The WestJet data breach occurred on or about June 13, when cybercriminals infiltrated WestJet’s network servers and accessed highly sensitive personally identifying information.
37. A class action lawsuit accuses Hyundai Auto Ever America of failing to properly secure and safeguard the personal identifying information (PII) of 2.7 million individuals that was compromised in a data breach. Plaintiff Gretchen Benedettini claims Hyundai Auto Ever America was aware of the data breach in March but did not notify impacted individuals until the end of October.
38. A class action lawsuit has been filed against Blue Cross Blue Shield of Montana (BCBSMT) over the insurer’s alleged “failure to protect sensitive personal information” of customers during a data breach. “The lawsuit claims that the BCBSMT was negligent by failing to protect members’ sensitive personal and medical data, exposing them to identity theft or fraud. Furthermore, the plaintiffs claim that BCBSMT has yet to notify members about the breach and potential impacts of the compromised data. The plaintiffs in this case are accusing the insurer of negligence, invasion of privacy, breach of implied contract, violation of the Montana Consumer Protection Act and unjust enrichment, according to the case filing.”
39. AT&T has reached a combined $177 million settlement over two data breaches. "Impacted consumers have a little over a month left to file a claim for their chunk of the money. Eligible consumers have until Dec. 18 [2025] to file for a settlement payment, which will still need a judge's final stamp of approval early next year."
40. After a March 2025 cybersecurity breach that allowed an unauthorized third party to access patients’ information, the Yale New Haven Health System has agreed to finance a $18 million settlement fund. “The health system will establish a settlement fund to cover legal fees and administrative costs for individuals who were affected by the breach. According to the settlement, which was filed on Sept. 10, impacted patients may seek reimbursement of up to $5,000 for documented losses resulting from the breach or opt for a cash payment of approximately $100.”
Check out our Privacy & Security Brainiacs blog page for more unique security and privacy news items. Have you run across any surprising, odd, offbeat or bizarre security and/or privacy news? Please let us know! We may include it in an upcoming issue.
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
December 2025
We continue to receive a wide variety of questions about security and privacy: questions about current hot topics in society, and increasingly more about healthcare privacy and security. Thank you for sending them in! This month, in addition to our Question of the Month about a healthcare provider that was about to post patient PHI on social media without authorization, we've included five additional questions covering healthcare data and HIPAA, IoT security and privacy, and Metaverse privacy and security.
Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Q1: One of your October LinkedIn posts said a person (healthcare provider) was about to post PHI without authorization and you got them to stop. How was the person not aware they needed an authorization? Was it difficult to convince them not to post? Why didn't that person just get the authorizations to begin with?
A1:
I just happened to see a post, made on a very popular social media site, that was an announcement for a new upcoming series of success stories from a healthcare provider offering specialty healthcare services. The details it contained about what would be described in the success stories included what seemed to be highly sensitive and privacy-invasive information for patients to be agreeing to post online.
The associated provider's social media profile included a phone number, so I gave them a call and asked if they had gotten HIPAA-compliant consents from all those patients to put such sensitive information online. Long story short, the person was from a contracted marketing business, and they had not been told about the need for HIPAA consents. They brought the marketing person from the healthcare provider into the conversation, and he said he didn't know there was such a requirement, and then looped in the provider's Privacy Officer. That is when I identified for them the need for all areas of the organization to understand HIPAA requirements, because they had only provided training, required policies/procedures awareness, etc., to the direct caregivers.
After we spoke with the Privacy Officer, who was quite shocked to find out about Marketing’s plan to post such information, they quickly put a stop to the plan.
Ultimately, the lack of HIPAA training, awareness communications, knowledge of policies and procedures, and guidance about HIPAA training from the compliance office created a HIPAA knowledge desert in the Marketing and Sales areas. Actually, all involved were very thankful I called them, especially when I told them about the Cadia settlement, its resolution amount, and the 2-year CAP.
(Somewhat) Quick Hits:
Here are five more questions, most of which we are answering at a comparatively high level. We provide more in-depth information and associated details about these topics in separate blog posts, videos on our YouTube channel, in infographics and e-books, LinkedIn posts to our business page, and within our online training and awareness courses.
Q2: Do you have any overall advice to give to healthcare providers about how to share their patient success stories on social media in a way that does not violate HIPAA?
A2:
In my experience, I’ve seen marketing, sales and PR areas want to include as many personal details as possible about the highlighted individuals for their initiatives; most of that will be PHI when it is about patients.
Some HIPAA-friendly options include:
- Covered entities (CEs) can describe collective statistics and summaries of patient successes that do not include any information that can be linked to a specific individual.
- CEs should make it policy, with supporting procedures, to obtain an explicitly documented, HIPAA-compliant authorization from each patient or insured before posting such information to social media. The Privacy Officer, or whoever is responsible for HIPAA compliance, should provide an authorization form to be used consistently throughout the enterprise for all such situations. Individuals who have given an authorization must also be able to revoke it later, so CEs need to build revocation into their policies and procedures and provide a form the patient or insured signs to revoke a previous authorization.
Q3: How is the Internet of Things (IoT) transforming how security systems are deployed?
A3:
IoT technologies offer transformative benefits such as enhanced monitoring, predictive maintenance, and integrated emergency responses for automatically detecting intrusions, activating lighting, recording incidents, and alerting security personnel and law enforcement with real-time video overlaid on floor plans, etc.
However, to realize these benefits, significant IT security and privacy risks must be addressed. For example, most IoT video security systems have lacked proper security and privacy protections over the 35 years they have been in use. I've filled a book with such incidents. Even when IoT products include security and privacy features, the manufacturers often fail to give users adequate instructions or training to use them effectively. The challenge for manufacturers and users alike is to harness the full potential of IoT safety products while building in, and actually using, strong privacy protections and cybersecurity measures to reduce the growing risks these smart, interconnected technologies introduce.
Q4: Everyone in my family, and increasingly more at my workplace, are using the Metaverse. I'm skeptical; it seems like a privacy breach powder keg! Everyone tells me I'm a worry wart. Are there any privacy or security challenges in the Metaverse?
A4:
There are huge privacy and data security challenges in the Metaverse because of how immersive, persistent, and data-intensive this technology has been engineered to be. Users are so engrossed in their experiences that they do not comprehend the significant amount of data collected about nearly every aspect of their being. Much of that collection, such as their physiological responses to social interactions within these digital ecosystems, is unknown to Metaverse users; they don't realize that it is being added to their digital profiles and identities. The depth of these intimate digital observations is not described to users, so they cannot meaningfully consent to the vast ways in which such data will be used by unknown third parties, who in turn share it with others who make decisions based on it. Much of that data is not treated as personal data by most regulations, creating huge gaps in privacy protections. And that's just the tip of the Metaverse privacy iceberg.
Q5: What makes health data so valuable to criminals and hackers?
A5:
Great question! We're happy you're thinking about this. Here are five key reasons why health data is so much more valuable, not only to criminals and hackers but also to a wide range of other entities and people.
1. Permanence and comprehensiveness. Unlike credit card numbers, debit card numbers, and other types of ID numbers that can be quickly canceled and replaced, medical history, genetic information, and diagnoses are permanent facts about a person's body; they represent who each patient is and a very personal part of their history that will never change. A complete medical record generally contains a Social Security number (SSN, in the USA), insurance details, financial information, family history, and a wide range of intimate health details. It often also includes notes taken by many doctors, nurses, specialists, etc., frequently recording details that the patient's own family and friends do not know. Because the records bundle traditional identifiers (name, address, date of birth, contact info, etc.) with clinical history, they form a comprehensive identity profile, a single life dossier about the patient. Cyber crooks can reuse this data in many different types of fraud schemes and crimes, and also sell portions of the dossier to other crooks for their own fraud. Most of that information is hard, and usually impossible, for the patient victims to change in the way that they can change card numbers.
2. High criminal market value. Many research studies show that medical records sell for anywhere from 10 to 50 times more than credit card numbers on the dark web. This is because they enable multiple types of fraud simultaneously, such as medical billing scams and prescription drug diversion, and the data remains useful for committing crimes for many years.
3. Delayed or no detection of compromise. Most people check their medical records far less frequently than their bank statements, and a large portion never check them at all. Do you? This lack of review by patients allows fraudulent activities and other crimes to go unnoticed for months or years.
4. Longer exploitation window. Unlike financial identifiers, which can be quickly canceled or changed, medical records cannot be changed, and, as described above, compromises are often not detected because patients do not review their records. The healthcare sector also typically has weaker fraud-detection mechanisms than financial services, so abuse of stolen health data often goes undetected for long periods. Criminals therefore have a much longer window of time in which to exploit the information and commit more crime, which increases its value.
5. More opportunities to commit fraud and other crimes. Criminals can use stolen records to obtain medical services or prescriptions, file false insurance or tax claims, purchase expensive medical equipment, open credit lines, and then resell “fullz” identity kits (“fullz” is the cybercriminals' term for data packages containing the full set of data needed to steal someone's identity) on dark-web markets for high prices. The information in medical profiles can also be used to target individuals for physical robberies, assaults, and even deadly crimes.
Q6: What are the biggest risks when health data gets into the wrong hands?
A6:
This is a great follow-up to the previous question. There are so many risks! I've grouped them into seven categories. Here they are:
1. Identity theft and financial fraud. Criminals use stolen health data to open bank and credit accounts, apply for loans, or commit tax fraud. These actions can ruin the associated patients' credit, result in huge unexpected debt, exhaust their insurance benefits, and take months or years to resolve.
2. Medical identity theft and other fraud. Criminals can use stolen health data to commit medical identity theft, file fraudulent health insurance claims, obtain prescription drugs for resale, receive medical services under someone else's identity, or create synthetic identities for broader fraud schemes. Fraudulent claims can drain health insurance funds and leave victims with false medical histories that affect their future care.
3. Physical harm to the associated patients. When someone receives medical care using a different patient's identity, the imposter's health information gets mixed into that patient's records. This can lead to very dangerous situations: incorrect blood type entries, undisclosed or wrongly attributed allergies, or false diagnoses in the patient's file, which can result in improper treatment, wrong prescriptions, and even fatal medication errors. Removing all the false medical information from the patient's records is extremely difficult. Physicians cannot make the best treatment decisions without full patient disclosure and accurate medical records, so having other people's health data mixed into a patient's records will negatively affect that patient's overall healthcare.
4. Targeted scams and extortion. Detailed health information enables criminals to run sophisticated phishing attacks and extortion. Knowledge of someone's HIV status, cancer diagnosis, mental health treatment, substance abuse history, or other sensitive conditions gives them leverage over the victim.
5. Discrimination, reputational, and coercion risks. Though illegal in many contexts, leaked health data could be, and has been, used for employment discrimination, insurance manipulation, and social stigmatization. Sensitive details about mental health, reproductive care, substance use, gender identity, HIV status, or sexual health can be used for workplace or social discrimination, coercion, or highly tailored phishing and social-engineering attacks. These activities also cause significant anxiety, stress, and reputational damage to the patients involved.
6. Operational disruption. Ransomware attacks on healthcare organizations can lock not just one patient's records but entire hospital systems, delaying care and putting the safety of all patients at risk. Attackers encrypt clinical systems and use the copied (exfiltrated) data as additional leverage, disrupting care delivery, delaying procedures, and increasing the pressure on organizations to pay.
7. Institutional harm. Health data breaches undermine trust in healthcare systems, potentially deterring people from seeking necessary care or being honest with their healthcare providers. Healthcare breaches are the most expensive of any industry, averaging $10 million to $15 million per incident (depending on the study you look at).
We hope you found the previous news items and questions/answers interesting and/or useful! Please send us any other security, privacy and/or compliance questions you have. We thank you for reading the monthly Privacy Professor Tips!
We are also excited to provide ways for MSPs, law firms, and other professional services organizations to offer our monthly tips to their clients! It is already working well for some such organizations. Get in touch with us for the details!
Here are some security and privacy gifts for you to consider in our 11-page “Privacy and Security Gifts” guide.
What topics would you like to see us create videos, and more formal online courses, for? Let us know!
Have questions about our education offerings? Contact us!
Where to Find The Privacy Professor
Rebecca is happy to be teaching Cybersecurity & Privacy Basics for Engineers and Technical Professionals. Online / Jan 30, 2026 / Course Code: 0105-WEB26. Time: 12:00 PM - 2:00 PM Eastern Time. Check it out!
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. December 2025 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.