February 3, 2024
The largest U.S. health sector data breach of 2023 targeted medical transcription firm PJ&A, affecting over 14 million individuals. The breach included patients' personal data, such as names, addresses, medical information, and potentially Social Security numbers. Impacted clients include Chicago's Cook County Health and New York's Northwell Health. The previous record was the HCA Healthcare breach, which affected 11 million patient records.
Hack of PJ&A tops 2023 US healthcare data breaches as tally jumps by 4M | SC Magazine
February 2, 2024
Johnson Controls (JCI) spent $27M remediating a September 2023 ransomware attack. The incident involved data exfiltration and locked internal IT infrastructure. Despite concerns, JCI's smart-factory installations remained unaffected. Investigation and remediation are ongoing.
Johnson Controls Ransomware Cleanup Costs Top $27M and Counting | DarkReading
February 2, 2024
CISA orders Federal Civilian Executive Branch agencies to remove all Ivanti appliances within 48 hours due to exploitation of multiple security flaws. Chinese state-backed cyberattackers exploited at least two vulnerabilities, causing CISA to instruct agencies to disconnect Ivanti products. The CISA directive applies to 102 agencies, including Homeland Security, State, Energy, and the SEC. All entities using Ivanti appliances are urged to prioritize network protection. Appliances can't be reconnected until they are rebuilt and upgraded. Agencies must report their steps by Feb. 5, 2024. CISA mandates a double password reset, revocation of Kerberos tickets, revocation of device tokens, and reports by March 1, 2024.
CISA Orders Ivanti VPN Appliances Disconnected: What to Do | DarkReading
February 2, 2024
The Biden administration moves forward with its cybersecurity strategy to protect infrastructure, hold manufacturers accountable for product security, and compel private sector disclosure of material events. 2024 sees a heightened push for cybersecurity regulation due to increased malicious threats. New rules prompt proactive risk management from companies to preempt cyber incidents. Enhanced regulations require companies to certify cyber resilience, and conditions mean cyber risks must be disclosed to the SEC within four days. Enhanced product security regulations are expected. SolarWinds pushes back against SEC allegations. The regulatory landscape is not US-exclusive: the EU introduces the Cyber Resilience Act, requiring minimum cybersecurity standards for all digital products sold.
In 2024, the cybersecurity industry awaits more regulation — and enforcement | Cybersecurity Dive