Costly cyber attack hits UnitedHealth Group subsidiary 

Earlier this year, a cyber attack on Change Healthcare, a UnitedHealth Group subsidiary, caused significant disruption and financial loss for one of the largest employers in the US. The attack is reported to have started with the attackers using compromised credentials to log in to a remote-access server that lacked multi-factor authentication. UnitedHealth Group has since reported $872 million in first-quarter costs attributable to the attack, which began on February 21. UnitedHealth confirmed that the attack, which shut down claims and payment processing for hospitals and pharmacies for over a week, was carried out by the Russia-based ransomware group known as ALPHV or BlackCat. The group claimed to have stolen more than six terabytes of sensitive data, including medical records, and demanded a ransom to restore systems and withhold the data.  

The $872 million figure covers the first-quarter impact of the attack at Change Healthcare, comprising both business disruption and direct response costs, and is likely to exclude any ransom payment made to the attackers. Although UnitedHealth has not disclosed the exact ransom payment, media sources have reported that a substantial sum was paid to restore the systems.  

The breach has prompted the US Department of Health and Human Services' Office for Civil Rights (OCR) to investigate whether protected health information was exposed and whether Change Healthcare complied with HIPAA and related patient privacy rules. The company warned that personal information of a substantial proportion of people in America might have been compromised, though there is as yet no evidence of doctors' charts or full medical histories being leaked. UnitedHealth is offering two years of free credit monitoring and identity theft protection to those affected. 

This incident underlines the importance of strong cyber security controls in the healthcare sector, and in particular of enforcing multi-factor authentication on every externally reachable login. Organisations are advised to conduct thorough risk assessments, strengthen their cyber security controls, and ensure they have a tested incident response plan in place to limit the impact of an attack. 

Lagos leads African privacy efforts with new Cybersecurity Operations Centre

The Lagos State Government of Nigeria has launched a Cybersecurity Operations Centre (CSOC) to monitor, detect, and respond to cyber threats in real time. The CSOC will leverage advanced technologies and a team of cybersecurity experts to protect the state’s digital infrastructure. Lagos is the first state in Nigeria to establish a CSOC at the sub-national level, a significant move given the state’s status as a hub for major tech companies, banks, and multinationals. 

Additionally, Lagos State has formed a cybersecurity council consisting of experts from both public and private sectors to advise the government on policies, programs, and training initiatives related to cybersecurity. The state is also collaborating with leading cybersecurity firms and international organisations to enhance its defence against sophisticated cyber threats. 

In a broader strategy to improve security and governance, the state has implemented the Data Protection Compliance Project. This project includes sensitisation and awareness workshops for key government officials and the appointment of 70 Data Protection Officers across various Ministries, Departments and Agencies (MDAs). The initiative aims to safeguard personal data privacy, prevent data manipulation, and ensure Nigerian businesses remain competitive internationally. 

At the national level, Nigeria has the Nigeria Computer Emergency Response Team (ngCERT), responsible for securing the country’s cyberspace. ngCERT manages cyber threats, coordinates incident responses, and issues alerts on the latest cyber threats.  

This development highlights how Nigeria, alongside other African countries, is taking significant steps to enhance cybersecurity. Companies operating in these jurisdictions, or planning to do so, must prioritise robust cybersecurity measures to protect sensitive data and ensure compliance with evolving regulations. 

AEPD, regional Data Protection Authorities issue guidelines on Wi-Fi tracking technologies 

On May 7, 2024, a coalition of Spanish data protection authorities, including the Spanish Data Protection Agency, the Catalan Data Protection Authority, the Basque Data Protection Authority, and the Transparency and Data Protection Council of Andalusia, released guidelines on the use of Wi-Fi tracking technologies. These technologies identify and track mobile devices through the Wi-Fi signals they emit (for example, the probe requests a phone broadcasts while searching for networks, which carry a device identifier), allowing presence in a specific area and movement patterns to be recorded. 

While Wi-Fi tracking has had practical applications in shopping centres, museums, and other public places for estimating capacity and analysing people flows, it also poses significant privacy risks. This is because it can be used to track individual movement without their awareness or proper legal basis. The authorities emphasise that the use of Wi-Fi tracking must comply with the General Data Protection Regulation (GDPR) and recommend conducting a Data Protection Impact Assessment (DPIA) before implementing any form of Wi-Fi tracking, considering the high risk to personal privacy. Even when the obligation to conduct a DPIA is unclear, it is advised due to the inherent risks.  

To ensure transparency and compliance with GDPR, the guidelines recommend providing clear and accessible information through public signage, voice alerts, and information campaigns. In summary, the key recommendations from the guidelines for responsible use of Wi-Fi tracking technologies include: 

  • Anonymising and aggregating data immediately after collection. 
  • Limiting the tracking scope. 
  • Avoiding the use of the same identifier for a device across different visits. 
  • Implementing security measures appropriate to the level of risk, subject to continuous reviews. 
  • Conducting independent audits. 
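As an added illustration, not taken from the guidelines or from any authority's own material, the Python sketch below shows one way an operator could implement the first and third recommendations together: the device identifier seen in each probe request is replaced by a keyed hash under a key that changes every day, the raw identifier is discarded, and only per-zone counts of distinct devices are kept, with counts below a floor suppressed. The sample probe records, the master secret, the zone names and the suppression threshold are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample of probe-request observations (not real capture data):
# (day, zone, source MAC address as it appears in the 802.11 frame header)
SAMPLE_PROBES = [
    ("2024-05-07", "entrance", "aa:bb:cc:dd:ee:01"),
    ("2024-05-07", "entrance", "aa:bb:cc:dd:ee:01"),   # same device, repeated probe
    ("2024-05-07", "food-court", "aa:bb:cc:dd:ee:01"),
    ("2024-05-07", "entrance", "aa:bb:cc:dd:ee:02"),
    ("2024-05-08", "entrance", "aa:bb:cc:dd:ee:01"),   # same device on a later visit
    ("2024-05-08", "food-court", "aa:bb:cc:dd:ee:03"),
]


def derive_daily_key(master_secret: bytes, day: str) -> bytes:
    """Per-day key derived from an operator-held master secret (assumed name/scheme).

    Because the key changes each day, the same device maps to a different token on
    different days, so visits cannot be linked to one another.
    """
    return hmac.new(master_secret, day.encode(), hashlib.sha256).digest()


def fresh_daily_key() -> bytes:
    """Stronger alternative: a random key generated at the start of the period and
    deleted once the day's counts are produced, so that not even the operator can
    recompute the tokens later."""
    return secrets.token_bytes(32)


def pseudonymise_mac(mac: str, daily_key: bytes) -> str:
    """Keyed hash of the MAC address.

    A plain, unkeyed SHA-256 of a MAC is reversible by enumerating the 48-bit address
    space; the secret key removes that shortcut. The token is truncated to 16 hex
    characters: enough to de-duplicate within one day, not a durable identifier.
    """
    normalised = mac.strip().lower().encode()
    return hmac.new(daily_key, normalised, hashlib.sha256).hexdigest()[:16]


def aggregate_daily_counts(probes, master_secret: bytes) -> dict:
    """Return {(day, zone): number of distinct devices}.

    Raw MAC addresses are consumed here and never stored; only the set of daily
    tokens is kept while counting, and only the counts survive the function.
    """
    seen = defaultdict(set)
    for day, zone, mac in probes:
        token = pseudonymise_mac(mac, derive_daily_key(master_secret, day))
        seen[(day, zone)].add(token)
    return {key: len(tokens) for key, tokens in seen.items()}


def suppress_small_counts(counts: dict, minimum: int) -> dict:
    """Replace any count below `minimum` with None so that a lone visitor in a zone is
    not reported as an individual (threshold is an assumption for the example)."""
    return {key: (n if n >= minimum else None) for key, n in counts.items()}


if __name__ == "__main__":
    master = b"constructed-master-secret-for-example"
    counts = aggregate_daily_counts(SAMPLE_PROBES, master)
    for key, n in sorted(suppress_small_counts(counts, 2).items()):
        print(key, n)
```

Two practical caveats: modern phones randomise the MAC address in probe requests, so counts derived this way are estimates rather than exact footfall; and a keyed hash on its own satisfies none of the other recommendations, so the signage, DPIA and audit obligations still apply.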

Companies operating within the jurisdiction should ensure compliance and protect user privacy by implementing the new guidelines and regularly reviewing their existing processes. 

European Union adopts data transfer framework with Japan

The Council of the European Union has adopted a decision approving a new protocol to include provisions on cross-border data flows in the Economic Partnership Agreement between the EU and Japan. This protocol aims to enhance legal certainty and ensure that data flows between the EU and Japan are not impeded by unjustified data localisation measures. 

The new protocol will allow companies to handle data more efficiently, eliminating the need for cumbersome administrative or storage requirements. Businesses will no longer be required to store data locally, which will help them avoid additional costs and complexities associated with building and maintaining data storage facilities in multiple locations. This change is expected to improve competitiveness and enhance data security by reducing the need for data duplication. The protocol also ensures that the data protection and privacy rules of both the EU and Japan will be duly respected.  

The protocol will come into effect once it has been ratified by Japan and both parties have completed their respective internal procedures. This development follows the Council’s approval of negotiating directives for the European Commission on September 26, 2022, the conclusion of negotiations on October 28, 2023, the Council’s decision on the signing of the protocol on January 29, 2024, and the European Parliament’s consent on March 14, 2024. 

The new EU-Japan data flow protocol simplifies cross-border data handling and enhances legal certainty. It is recommended that companies operating in the EU and Japan should update their data management practices to align with this protocol, and ensure compliance with both jurisdictions’ data protection and privacy rules. 

As a global B Corp organisation, HewardMills is ready to partner with and support your organisation’s needs to safeguard personal data and navigate the challenging, ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates covered here. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.