Italy Fines OpenAI €15 Million, Cyberattack on Texas Tech Health Sciences Centers: Your Cybersecurity Roundup
Italy Fines OpenAI €15 Million for GDPR Violations in ChatGPT Data Handling
Italy’s data protection authority, the Garante, has imposed a €15 million ($15.66 million) fine on OpenAI for violating the European Union’s General Data Protection Regulation (GDPR) through its generative AI platform, ChatGPT. This ruling follows the authority’s investigation into OpenAI’s practices, which found that the company processed users’ personal information without sufficient legal grounds or transparency.
The Garante specifically cited OpenAI’s failure to notify it of a March 2023 security breach and its inadequate age-verification measures, which risk exposing children under 13 to inappropriate content. Additionally, OpenAI was criticized for not providing users and non-users with adequate information about the nature and purposes of data collection and about their rights under GDPR, including the rights to object to processing and to have their data rectified or erased.
To address these violations, OpenAI has been ordered to conduct a six-month communication campaign across various media channels to educate the public on how ChatGPT operates, what data it collects, and how users can exercise their rights.
Cyberattack on Texas Tech Health Sciences Centers Compromises Data of 1.4 Million Patients
The Texas Tech University Health Sciences Centers (TTUHSC) and its El Paso counterpart were the targets of a significant cyberattack that disrupted computer systems and exposed the sensitive data of approximately 1.4 million individuals. The attack, discovered in September 2024, has been claimed by the Interlock ransomware group, which reportedly stole around 2.6 terabytes of data. This data includes patient information, medical research files, SQL databases, and sensitive personal identifiers.
TTUHSC, a key academic and healthcare institution within the Texas Tech University System, educates and trains healthcare professionals, conducts medical research, and provides essential patient care services. Following the attack, it was confirmed that malicious actors had unauthorized access to the network from September 17 to September 29, 2024, allowing them to exfiltrate files and folders containing critical information.
The compromised data varies for each individual but may include full names, dates of birth, physical addresses, Social Security numbers, driver’s license numbers, government ID numbers, financial account details, health insurance information, and medical records, including diagnosis and treatment details. The university is sending written notifications to those affected and offering complimentary credit monitoring services to mitigate potential risks of identity theft and fraud.
Romanian Hacker Sentenced to 20 Years for NetWalker Ransomware Attacks
Daniel Christian Hulea, a Romanian national, has been sentenced to 20 years in prison by a U.S. court for his involvement in the NetWalker ransomware operation. Hulea pleaded guilty to charges of computer fraud conspiracy and wire fraud conspiracy in June, following his extradition to the U.S. after his arrest in Romania in July 2023.
NetWalker, a Ransomware-as-a-Service (RaaS) operation active since 2019, targeted victims globally, including healthcare providers, emergency services, schools, and law enforcement agencies. The group exploited the COVID-19 pandemic to intensify attacks on healthcare organizations.
Hulea admitted to obtaining approximately 1,595 bitcoins, worth $21.5 million at the time, from ransomware victims. He has been ordered to pay nearly $15 million in restitution, forfeit $21.5 million, and relinquish interests in an Indonesian company and a luxury resort property in Bali, financed with proceeds from the attacks.