Secret CISO 3/15: U.S. Cybersecurity Outlook, New Era's Massive Health Data Breach, Hotel Giant's $45M Settlement, Erickson Companies' SSN Leak, AI Data Standards Research

Welcome to today's issue of Secret CISO, your daily dose of cybersecurity insights. Today, we're diving into the U.S. Cybersecurity and Data Privacy Review and Outlook for 2025, where we'll explore the latest developments in privacy and data security regulation. We'll also discuss the recent data breaches affecting New Era, a health insurance company, and a hotel giant that's now paying $45 million to customers affected by a massive data breach. Erickson Companies, a construction firm, is also in the spotlight for a data breach leaking Social Security Numbers.

In the healthcare sector, Baylor Scott & White Texas Spine & Joint Hospital and Columbus Regional Healthcare System are dealing with patient data breaches, with the latter reaching a proposed $1.17 million settlement. On the tech front, we'll look at how tech giants are seeking data standards amid an AI push and the top 10 takeaways from the new HIPAA security rule. We'll also cover the conviction of Uber's former chief security officer over a data breach, a $1.5 million Ingo Money data breach class action settlement, and how ASIC alleges FIIG's security lapses led to a massive data breach.

Finally, we'll delve into the world of cybersecurity research, exploring how researchers are harnessing the power of biomedical data while protecting privacy, and the latest developments in car security and AI. Stay tuned for these stories and more in today's issue of Secret CISO.

Data Breaches

  1. New Era Health Plan Data Breach: New Era, a health insurance provider, is notifying 335,500 customers, agents, and others of a significant data breach. The incident is currently the largest health data breach reported. Source: Bank Info Security
  2. Hotel Giant Data Breach: A massive data breach that hit millions of customers in 2019 has led to a hotel giant agreeing to pay $45,000,000 in compensation. The breach exposed sensitive data, including names, addresses, phone numbers, and dates of birth. Source: Daily Hodl
  3. Erickson Companies Data Breach: Erickson Companies filed a notice of data breach with the Attorney General of Massachusetts after discovering that sensitive data, including Social Security Numbers, were leaked. Source: JD Supra
  4. Baylor Scott & White Texas Spine & Joint Hospital Data Breach: The hospital has reported a data breach affecting patient data. The breach was due to an email security incident. Source: KLTV
  5. Columbus Regional Healthcare System Data Breach: The healthcare system has reached a proposed $1.17 million settlement for a data breach that occurred last year. The lawsuit alleged that the hospital was negligent when hackers stole the data. Source: WECT

Security Research

  1. Microsoft restores VS Code theme flagged as malicious: Microsoft has reinstated a Visual Studio Code theme after it was mistakenly flagged as malicious. The company's security researchers confirmed the error, highlighting the importance of accurate threat detection. Source: SC Media
  2. MitM Vulns Provide Research Opportunities for Car Security: Security researchers are exploring the potential of Man-in-the-Middle vulnerabilities in vehicle hardware. Despite the challenges posed by proprietary systems, these vulnerabilities could provide valuable insights into car security. Source: Dark Reading
  3. DeepSeek-R1 Can Almost Generate Malware: Chinese security researchers have used the DeepSeek-R1 artificial intelligence reasoning model to come close to developing ransomware variants. This research underscores the potential threats posed by AI in cybersecurity. Source: BankInfoSecurity
  4. Thousands of healthcare records exposed online: A security researcher discovered a large, unprotected database online containing personally identifiable information and medical data. This incident underscores the need for robust data protection measures in the healthcare sector. Source: TechRadar
  5. OpenAI's Operator AI agent can be used in phishing attacks: Researchers have found that OpenAI's Operator AI agent can be manipulated by attackers for phishing attacks. This highlights the potential cybersecurity risks associated with AI systems. Source: SC Media

Top CVEs

  1. CVE-2023-33300: Fortinet FortiNAC versions 7.2.1 and earlier, 9.4.3 and earlier have a vulnerability that allows an attacker to gain unauthorized file access via a specifically crafted request in inter-server communication. Source: CVE-2023-33300
  2. CVE-2022-29059: FortiWeb versions 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 and below have an SQL Injection vulnerability that may allow a privileged attacker to execute SQL commands over the log database via specifically crafted strings. Source: CVE-2022-29059
  3. CVE-2024-26006: FortiOS and FortiProxy versions 7.4.3 and below, version 7.2.7 and below, version 7.0.13 and below have a vulnerability that may allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack via a malicious samba. Source: CVE-2024-26006
  4. CVE-2025-27835: This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. The details for this candidate will be publicized once it has been disclosed. Source: CVE-2025-27835
  5. CVE-2024-13321: The AnalyticsWP plugin for WordPress versions up to, and including, 2.0.0 is vulnerable to SQL Injection via the 'custom_sql' parameter due to insufficient authorization checks on the handle_get_stats() function. This allows unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information. Source: CVE-2024-13321

API Security

  1. CVE-2025-2320 in springboot-openai-chatgpt: A critical vulnerability has been found in the function submit of the file /api/blade-user/submit of the User Handler component in springboot-openai-chatgpt. This vulnerability leads to improper authorization and can be exploited remotely. The vendor has been contacted but has not responded yet. Source: CVE-2025-2320
  2. Flowise API Vulnerability: Flowise's /api/v1/document-store/loader/process API has a vulnerability that allows an attacker to write files with arbitrary content to the filesystem, potentially leading to Remote Code Execution (RCE). The fileName parameter, an untrusted external input, is used without verification, allowing users to write files to any path. Source: Flowise API Vulnerability
  3. CVE-2024-54449: This vulnerability in the API used to interact with documents in the application allows an authenticated attacker to write a file with controlled contents to an arbitrary location on the underlying file system, potentially leading to RCE. An account with 'read' and 'write' privileges on at least one existing document in the application is required to exploit the vulnerability. Source: CVE-2024-54449
  4. CVE-2024-12019: The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with 'read' and 'download' privileges on at least one existing document in the application is required to exploit the vulnerability. Source: CVE-2024-12019
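The file-write and file-read flaws in items 2 to 4 share one root cause: a client-supplied file name reaches the filesystem without validation, so path separators, `..` segments or an absolute path let the caller pick any location under the server's privileges. The Python below is an illustration added to this issue, not code from Flowise or any vendor named above; the upload root and the file names it checks are constructed for the example. It places the naive join beside a validating version that confines the result to the upload directory.

```python
"""Added example: confining a client-supplied file name to a fixed upload
directory. Illustrative only; UPLOAD_ROOT and all file names are constructed."""
import posixpath
from pathlib import PurePosixPath

# Assumed base directory that uploaded documents are meant to land in.
UPLOAD_ROOT = PurePosixPath("/srv/app/uploads")


class UnsafeFileName(ValueError):
    """Raised when a client-supplied name would leave UPLOAD_ROOT."""


def naive_target_path(file_name: str) -> PurePosixPath:
    """The pattern the advisories describe: trust the name and join it.

    pathlib discards the base when the right-hand part is absolute, and
    keeps '..' segments, so the caller chooses where the write lands.
    """
    return UPLOAD_ROOT / file_name


def escapes_root(path: PurePosixPath) -> bool:
    """True when the normalised path lies outside UPLOAD_ROOT."""
    normalised = PurePosixPath(posixpath.normpath(str(path)))
    return not (normalised == UPLOAD_ROOT or UPLOAD_ROOT in normalised.parents)


def safe_target_path(file_name: str) -> PurePosixPath:
    """Return UPLOAD_ROOT/<name> only if the name is a plain single component."""
    # Reject empty names and NUL bytes, which truncate paths in C-based APIs.
    if not file_name or "\x00" in file_name:
        raise UnsafeFileName("empty or NUL-containing file name")
    # Reject absolute paths and any separator, so no directory can be chosen.
    if posixpath.isabs(file_name) or "/" in file_name or "\\" in file_name:
        raise UnsafeFileName("separators and absolute paths are not allowed")
    if file_name in (".", ".."):
        raise UnsafeFileName("dot segments are not allowed")
    candidate = UPLOAD_ROOT / file_name
    # Defence in depth: even after the checks above, confirm containment.
    if escapes_root(candidate):
        raise UnsafeFileName("resolved path is outside the upload root")
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a benign name, a traversal attempt, an absolute path.
    for name in ("report.csv", "../../etc/passwd", "/etc/cron.d/job"):
        naive = naive_target_path(name)
        print(f"naive join of {name!r:22} -> {naive}  escapes={escapes_root(naive)}")
        try:
            print(f"validated   {name!r:22} -> {safe_target_path(name)}")
        except UnsafeFileName as exc:
            print(f"validated   {name!r:22} -> rejected ({exc})")
```

The same containment check applies to the read side (item 4): resolve the requested document name with `safe_target_path` before opening it, and open newly written files with an exclusive-create mode so a valid name still cannot overwrite an existing file.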

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We hope you found our insights valuable and actionable. Remember, the digital world is a battlefield and every click, every download, and every online transaction can be a potential threat. Stay vigilant, stay informed, and most importantly, stay secure.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends. Let's spread the word about the importance of cybersecurity and help create a safer digital environment for everyone.

Until next time, keep your data safe and your systems secure. Stay tuned for tomorrow's edition where we'll bring you more updates from the world of cybersecurity.

By Secret CISO