2026-08

February 20 - February 26, 2026

9 articles, 3 topics, 7 sources

This Week's Summary

The gap between compliance documentation and actual security capability showed up in high relief this week. HHS OCR collected another $103,000 from a healthcare provider that treated risk analysis as paperwork instead of a roadmap—phishing got in because nobody bothered to map the actual threats. Meanwhile, Google's insider threat turned into a DOJ indictment, proving that those device policies and DLP controls most companies checkbox their way through actually matter when trusted employees decide to exfiltrate trade secrets to Iran. Ring's decision to cut ties with Flock preemptively demonstrates what mature vendor risk management looks like, though it's notable mainly because so few organizations make that call before the headlines force their hand.

The authentication and access control landscape continues to deteriorate faster than most compliance programs can adapt. The Starkiller phishing-as-a-service platform bypasses traditional MFA through session hijacking, which means if your "multi-factor" still relies on SMS codes or push notifications, you're compliant on paper but vulnerable in practice. This isn't theoretical—it's an industrialized service that treats your SOC 2 control environment like tissue paper. The FBI's report on $20 million in ATM jackpotting losses similarly exposes the gap between documented physical security controls and what's actually happening in the field, particularly for organizations that assumed "secure location" on a PCI attestation meant something without ongoing validation.

Healthcare ransomware hit UMMC hard enough to close all clinics, but the real story is what didn't fail: hospital operations continued because someone actually drilled downtime procedures instead of filing them away after the risk assessment. That's the difference between compliance theater and operational resilience. The attack surface keeps expanding in unexpected directions too—malicious code is now arriving via job candidate repositories during technical interviews, and AI coding assistants like Claude are introducing vulnerabilities that most secure development policies never contemplated because they were written before AI tools became ubiquitous in engineering workflows.

For practitioners, the through-line is clear: documented controls that aren't operationalized, tested, and maintained are just liability without protection. Whether it's risk analysis that doesn't drive actual security decisions, MFA that can be trivially bypassed, or vendor management that waits for problems instead of anticipating them, the enforcement actions and incidents this week punished organizations that confused compliance artifacts with security outcomes. The regulatory environment is also fracturing—California's lawsuit over federal vaccine schedule changes previews the state-versus-federal compliance conflicts that healthcare organizations will need to operationalize across consent forms, EHR workflows, and payer policies, adding administrative burden without improving patient outcomes. This week's lesson: if your compliance program can't articulate how each control stops a real threat, you're just hoping nothing bad happens before the next audit.

regulation update

1 article

Attorney General Bonta Co-Leads Multistate Lawsuit to Block Trump Administration’s Unlawful Overhaul to Childhood Vaccine Schedule

Feb 24, 2026 California Attorney General News Score: 1.0

California and 14 other states filed a multistate lawsuit challenging the Trump Administration's changes to the childhood immunization schedule, which removed seven vaccines from universally recommended status. The lawsuit also contests the replacement of the Advisory Committee on Immunization Practices (ACIP) panel, arguing the changes violate federal law and endanger public health. The case was filed in U.S. District Court for the Northern District of California and seeks to vacate the CDC's January 5, 2026 Decision Memo.

My Take

If you're in healthcare compliance, watch how this plays out—vaccine schedule changes ripple through everything from EHR workflows to consent forms to payer policies. This isn't just a public health fight; it's about to create a mess of conflicting state vs. federal requirements that clinics will somehow have to operationalize.

HIPAA

Key Actions

  • Monitor federal court proceedings in U.S. District Court for the Northern District of California
  • Review state healthcare compliance requirements related to childhood vaccination schedules
  • Assess organizational immunization policies and ensure alignment with current federal guidance

security incident

7 articles

Ring Cancels Its Partnership with Flock

Feb 20, 2026 Schneier on Security Score: 0.9

Amazon's Ring has terminated its partnership with Flock, a surveillance technology company, citing concerns about the company's practices and reputation. The article raises privacy and surveillance concerns related to data collection and law enforcement integration, which are relevant to consumer privacy regulations. This demonstrates organizational responsibility in managing third-party vendor relationships that could impact compliance with privacy regulations.

My Take

This is what vendor risk management should look like—cutting ties when reputational and privacy risks outweigh the partnership value. Most companies wait until after the breach or the headline; Ring actually made a preemptive call here.

GDPR CCPA

Key Actions

  • Review third-party vendor partnerships for compliance and privacy risks
  • Assess data sharing agreements with surveillance or law enforcement entities
  • Evaluate GDPR/CCPA implications of surveillance technology partnerships

‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA

Feb 20, 2026 Krebs on Security Score: 0.9

A sophisticated phishing-as-a-service platform called 'Starkiller' has been discovered that bypasses traditional anti-phishing defenses by proxying legitimate login pages and capturing credentials, MFA codes, and session tokens in real time. The service uses obfuscated URLs, headless Chrome containers, and man-in-the-middle techniques to intercept user authentication data while maintaining a live connection to the legitimate site. This is a critical threat to organizations under every compliance framework because of the risk of credential compromise and unauthorized account access.

My Take

This is why phishing-resistant MFA (passkeys, FIDO2, hardware tokens) matters and SMS codes don't cut it anymore—session hijacking doesn't care about your compliance checkboxes. If your "MFA" can be phished through a proxy, you've got security theater, not actual access control.

SOC2 ISO27001 GDPR HIPAA PCI-DSS CCPA

Key Actions

  • Implement advanced email security controls to detect phishing URLs using '@' symbol obfuscation and URL shortener deception
  • Deploy enhanced MFA solutions that can detect and prevent relay attacks and session token theft
  • Establish incident response procedures for credential compromise across all systems and user accounts
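The first Key Action above can be checked offline from the URL string alone. The script below is an added example, not code from the Krebs article or from any email security product: it uses Python's standard `urllib.parse.urlsplit` to separate RFC 3986 userinfo (the text before `@` in the authority) from the host a browser would actually connect to, and flags links whose real destination is a URL shortener. The shortener host list and the sample links are constructed for the example; a deployment would maintain its own list.

```python
"""Flag link-obfuscation tricks named in the Key Actions from the URL alone.

Added example, not code from the article or from the Starkiller write-up.
The shortener list below is constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed list: hosts whose only job is to hide the final destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "rb.gy"}


def analyze_url(url: str) -> dict:
    """Return the host a browser would really connect to, plus findings.

    urlsplit() keeps RFC 3986 userinfo (everything before '@' in the
    authority) separate from the hostname, so a lure such as
    'https://login.example-bank.com@203.0.113.10/' resolves to 203.0.113.10,
    not to the bank.
    """
    raw = url
    if "://" not in url:          # bare 'host@other' text still needs a scheme to parse
        url = "http://" + url
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme in ("http", "https") and parts.username is not None:
        # Legitimate mailed links essentially never carry userinfo; its
        # presence is the signal, and a dotted 'hostname' before '@' is the lure.
        findings.append("userinfo_before_at")
        if "." in parts.username:
            findings.append("hostname_like_userinfo")
    if real_host in SHORTENER_HOSTS:
        findings.append("url_shortener")  # destination unknown until expanded
    return {"url": raw, "real_host": real_host, "findings": findings}


def scan_links(urls):
    """Return only the URLs that produced at least one finding."""
    return [r for r in (analyze_url(u) for u in urls) if r["findings"]]


# Constructed sample links, as they might be extracted from a message body.
SAMPLE_LINKS = [
    "https://login.example-bank.com@203.0.113.10/session",
    "https://portal.example.com/login",
    "https://bit.ly/abc123",
]

if __name__ == "__main__":
    for hit in scan_links(SAMPLE_LINKS):
        print(f"{hit['url']} -> real host {hit['real_host']}: {', '.join(hit['findings'])}")
```

The check deliberately reports the real host rather than just a verdict, so an analyst can see at a glance that the bank's name sits in the userinfo slot and the connection goes elsewhere. It does not defend against the proxying itself; only origin-bound authenticators (FIDO2/passkeys) stop the session-token capture the article describes.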

Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran

Feb 20, 2026 The Hacker News Score: 0.9

Three Iranian nationals employed at Google and other tech companies have been indicted for allegedly stealing trade secrets related to processor security and cryptography, and transferring them to unauthorized locations including Iran. The incident involved exfiltration of confidential documents through personal devices and third-party communication platforms, with the defendants allegedly attempting to conceal their activities through false statements and file destruction.

My Take

The insider threat controls that most companies treat as checkboxes—device policies, DLP, access monitoring—just became Exhibit A in a DOJ indictment. If your "trusted employee" controls rely on honor system and annual training, you're not compliant, you're just hoping.

SOC2 ISO27001

Key Actions

  • Conduct comprehensive insider threat investigation across all affected technology companies
  • Review and strengthen access controls and data exfiltration prevention mechanisms
  • Audit employee activity logs for similar unauthorized data transfers

FBI: Over $20 million stolen in surge of ATM malware attacks in 2025

Feb 20, 2026 BleepingComputer Score: 0.9

The FBI reported a significant surge in ATM jackpotting attacks in 2025, with over $20 million stolen across 700+ incidents using Ploutus malware. Attackers exploit the XFS software layer to bypass bank authorization and dispense cash without legitimate transactions. Financial institutions are advised to implement physical security audits and integrity validation to detect unauthorized access and malware staging.

My Take

The ATM problem isn't new—Ploutus has been around for years—but $20M stolen means someone finally stopped treating physical access controls as a checkbox item. If your PCI scope includes ATMs, now's the time to audit whether your "secure location" assumptions still hold up in the field.

PCI-DSS

Key Actions

  • Audit ATM systems for unauthorized removable storage and unauthorized processes
  • Implement gold image integrity validation for early detection of physical intrusion
  • Enhance physical security controls for ATM hardware access
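Gold image integrity validation, the second Key Action above, comes down to a hash manifest of the known-good image and a periodic comparison against the live machine. The script below is an added example written for this digest, not the FBI's guidance or any ATM vendor's tooling: it builds a SHA-256 manifest of a file tree, diffs it against a later snapshot, and classifies every deviation as added, modified, or removed. The mini image it checks is constructed inside a temporary directory so the example runs anywhere. The one assumption that matters in practice is stated in the code: the baseline must be stored (and ideally signed) off the machine, because a manifest kept on the ATM can be edited by whoever staged the malware.

```python
"""Gold-image integrity check: baseline a file tree, detect later changes.

Added example, not the FBI's or any vendor's tooling. It assumes the
baseline manifest is produced from a known-good image and stored (and
ideally signed) off the machine; a manifest kept on the ATM itself could be
edited by whoever staged the malware.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file's path (relative, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify every difference as added, removed, or modified."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed mini image, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "dispenser.exe").write_bytes(b"constructed gold-image binary")
        (root / "config.ini").write_text("mode=production\n")
        (root / "readme.txt").write_text("constructed placeholder\n")
        baseline = build_manifest(root)   # what the signed off-box manifest would hold

        # Simulated deviations: a dropped executable, an edited config, a deleted file.
        (root / "bin" / "helper.exe").write_bytes(b"not part of the gold image")
        (root / "config.ini").write_text("mode=debug\n")
        (root / "readme.txt").unlink()
        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

A file-level diff catches staged binaries and edited configuration but not a process already running from memory or a USB device plugged into the cabinet, which is why the first and third Key Actions (process and removable-media audits, physical controls) sit alongside it rather than being replaced by it.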

Mississippi medical center closes all clinics after ransomware attack

Feb 20, 2026 BleepingComputer Score: 0.9

University of Mississippi Medical Center (UMMC) suffered a ransomware attack that forced the closure of all clinic locations and impacted electronic medical records systems. The attack involved potential data theft and extortion demands, with UMMC coordinating response efforts with the FBI and CISA while maintaining critical hospital operations through downtime procedures. This incident highlights significant risks to healthcare organizations handling protected health information and demonstrates the need for robust incident response protocols.

My Take

Healthcare ransomware isn't news anymore—what matters here is that UMMC kept their hospital running through downtime procedures while closing clinics, which tells you they'd actually practiced this scenario. That's the difference between an organization that treats incident response as a binder on a shelf versus one that drills their people on paper charts and manual workflows.

HIPAA GDPR

Key Actions

  • Conduct comprehensive forensic investigation with FBI and CISA assistance to determine scope of data breach
  • Implement mandatory breach notification procedures under HIPAA to inform affected patients of potential PHI exposure
  • Document all incident response activities and remediation steps for compliance audit trails

Malicious Next.js Repos Target Developers Via Fake Job Interviews

Feb 25, 2026 Dark Reading Score: 0.9

Malicious Next.js repositories are being used in a social engineering campaign targeting developers through fraudulent job interview processes. Attackers are distributing malicious code packages designed to compromise developer environments and potentially supply chain systems. Organizations need to implement controls to detect and prevent distribution of malicious code repositories.

My Take

The supply chain attack everyone's been worried about is now hiding in your hiring process—and your SOC 2 controls probably don't say a word about vetting code sent during interviews. Time to add "candidate-provided code" to your secure development policies before your next senior dev hire opens a backdoor.

SOC2 ISO27001

Key Actions

  • Review and audit third-party code repositories and dependencies in development environments
  • Implement secure code review and verification processes for hiring assessments
  • Deploy endpoint detection and response (EDR) solutions to identify suspicious developer activity
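The concrete version of "verification processes for hiring assessments" is a check that runs before anyone types `npm install` in a candidate-supplied repository. The script below is an added example for this digest, not code from the Dark Reading article or from any campaign analysis: it reads a `package.json` and reports the two ways a repository can execute code merely by being installed, npm lifecycle hooks that fire during a plain `npm install` and dependency specs that pull from git, URL, or file sources instead of the registry. Both hook names and the `--ignore-scripts` flag are real npm behaviour; the sample manifests are constructed.

```python
"""Pre-install audit of a candidate-supplied package.json.

Added example, not from the Dark Reading article. The checks cover the two
ways a repository can run code just by being installed: npm lifecycle hooks
that fire during 'npm install', and dependency specs that point outside the
registry (git/URL/file sources). The sample manifests are constructed.
"""
import json
import re

# Hooks npm executes during a plain 'npm install' of the project itself.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Command fragments that deserve a look before the hook is allowed to run.
SUSPICIOUS_COMMAND = [
    (r"\b(curl|wget)\b", "downloads something at install time"),
    (r"\bnode\s+-e\b", "evaluates inline JavaScript"),
    (r"base64", "decodes an encoded payload"),
    (r"\|\s*(ba)?sh\b", "pipes into a shell"),
]


def audit_package_json(text: str) -> list:
    """Return findings as dicts with 'kind', 'where' and 'detail'."""
    pkg = json.loads(text)
    findings = []

    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        findings.append({"kind": "lifecycle_hook", "where": hook, "detail": cmd})
        for pattern, why in SUSPICIOUS_COMMAND:
            if re.search(pattern, cmd):
                findings.append({"kind": "suspicious_command", "where": hook, "detail": why})

    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if spec.startswith("npm:"):
                continue  # registry alias, resolved like any other registry package
            if ":" in spec or "/" in spec:   # git+https://, http://, github:, file:, user/repo
                findings.append({"kind": "non_registry_dependency",
                                 "where": f"{section}.{name}", "detail": spec})
    return findings


# Constructed sample: what a take-home repo's manifest might look like.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "take-home-assessment",
    "scripts": {
        "dev": "next dev",
        "build": "next build",
        "postinstall": "node scripts/setup.js",
    },
    "dependencies": {
        "next": "14.2.3",
        "react": "18.3.1",
        "ui-helpers": "git+https://example.invalid/ui-helpers.git",
    },
})

# Constructed clean manifest for comparison.
CLEAN_PACKAGE_JSON = json.dumps({
    "name": "take-home-assessment",
    "scripts": {"dev": "next dev", "build": "next build"},
    "dependencies": {"next": "14.2.3", "react": "18.3.1"},
})

if __name__ == "__main__":
    hits = audit_package_json(SAMPLE_PACKAGE_JSON)
    for f in hits:
        print(f"[{f['kind']}] {f['where']}: {f['detail']}")
    if hits:
        print("Review before installing; 'npm install --ignore-scripts' skips the hooks.")
```

A `postinstall` hook that runs a project script is not proof of anything on its own, which is why the audit reports the command rather than blocking; the policy decision belongs to the reviewer, and a throwaway VM or container, not the developer's workstation, is where the first install of any candidate code should happen.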

Flaws in Claude Code Put Developers' Machines at Risk

Feb 25, 2026 Dark Reading Score: 0.9

Vulnerabilities discovered in the Claude Code interpreter could expose developers' machines to security risks. This incident highlights the importance of secure code execution environments and vendor security practices in development tools.

My Take

If you're letting AI tools execute code in your dev environment, you'd better understand their sandbox model—or lack thereof. This is a good reminder that "AI-powered" doesn't mean "security-reviewed," and your SOC 2 auditor is going to start asking about AI tools in scope whether you're ready or not.

SOC2 ISO27001

Key Actions

  • Review Claude Code usage and update to patched versions
  • Audit development tool security practices and vendor assessments
  • Implement additional controls for code execution environments

penalty/fine

1 article

HHS OCR Settles HIPAA Security Rule Investigation with Top of the World Ranch Treatment Center

Feb 20, 2026 DataBreaches.net Score: 0.9

HHS OCR settled a HIPAA Security Rule investigation with Top of the World Ranch Treatment Center for failing to conduct adequate risk analysis following a phishing attack that compromised ePHI for 1,980 patients. The settlement marks OCR's 11th enforcement action under its Risk Analysis Initiative and includes a $103,000 penalty plus a two-year monitored corrective action plan. OCR provided recommendations for healthcare providers to strengthen security controls including risk analysis, encryption, audit controls, and workforce training.

My Take

Risk analysis isn't a nice-to-have document you dust off for audits—it's the thing that tells you phishing is coming and encryption matters. OCR keeps hammering this same nail because most covered entities still don't get it: if you haven't done a real risk analysis, you're just hoping nothing bad happens.

HIPAA

Key Actions

  • Conduct accurate and thorough risk analysis to identify vulnerabilities to ePHI confidentiality, integrity, and availability
  • Develop and implement comprehensive risk management plans to address identified security vulnerabilities
  • Establish written policies and procedures compliant with HIPAA Privacy, Security, and Breach Notification Rules