The healthcare industry stores massive amounts of PII, and it is incumbent upon them to protect that data from theft. This has never been truer given Federal regulation (think HIPPA and HITECH) and the current fraud environment.
We know that criminals are becoming increasingly proficient in misusing data compromised in a breach to commit identity fraud. According to Javelin research, approximately 1 in 9 data breach victims in 2010 were fraud victims – this correlation grew to 1 in 4 as of 2012! A prime example of an organization that failed to be a good steward of privacy is the Utah Department of Health.
In March of 2012 Eastern European “hackers” compromised a test server that housed data for government health care participants. Due to a contractor oversight, default security settings were all that stood between these jokers and 280K unencrypted Social Security numbers. Social Security numbers are the keys to the castle when it comes to financial accounts. In our 2013 Banking Identity Safety Scorecard, 80% of the institutions examined still allowed consumers to authenticate themselves with SSNs. This is static knowledge based authentication of the worst kind. SSNs are like the Twinkies of KBA in that they have an indefinite shelf life – they will be valuable for criminals as long as the financial industry continues to use them in this manner.
- Data Storage Lesson 1: Manage assets from cradle to grave Using a checklist ensures that from the moment a server is brought on line to when it is decommissioned that all necessary steps are followed in securing the server, its data, and the processes it hosts.
- Data Storage Lesson 2: Encrypt, encrypt, encrypt Encryption is a cost, but so is the $2 to $10 million that the state of Utah is spending on dealing with the breach.
Speaking of costs, based on Javelin’s calculations, 122,000 cases of fraud will occur as a result of this breach with each incident resulting in $3,327.87 of loss. Each Utahn whose info is misused as a result of this data theft will incur $770.49 in out of pocket costs and spend 20 hours resolving these cases – taking time off of work to file a police report or to secure legal representation is neither free nor convenient. The point is that data breaches are precursors to fraud, and failing to protect PII exposes everyone to pain. Consumers have to spend time and money resolving fraud, financial institutions and retailers suffer as criminals use this information to defraud them for cash, products, and services, and the organization that loses the data will face an angry public and potential fines.
Next month, Javelin will be releasing the Data Breach Fraud Impact Report, which will cover this breach in greater detail, along with breaches in the payments and education industries. We will be covering the ways by which consumers can safeguard their identities in a world where data theft is the norm.
In addition, we will examine how businesses that store sensitive information can avoid similar fates, and the ways by which financial institutions can secure customer accounts post-breach. It’s time for a change in how we protect ourselves and each other from data theft and fraud, who’s with me?