Hackers recently attacked the IRS, breaking into its system to steal data on 104,000 taxpayers and collecting up to $50 million in refunds. If that wasn’t painful enough for most Americans to think about, add in the pain from recent breaches of health care data that exposed the personal and health data of millions.
Now the question is not “whose data has been exposed?” but “whose data hasn’t been exposed, yet?”
In fact, the health care industry is experiencing a surge in data breaches, security incidents, and criminal attacks — exposing millions of patients and their medical records — according to the latest Ponemon Institute study.
Who is most vulnerable? Health care organizations including hospitals, clinics, and private or public health care providers (also referred to as “covered entities”), along with their “business associates,” including patient billing, health plans, claims processing, and cloud services.
Even the U.S. Coast Guard, so proficient at protecting our coastlines, was recently slapped for serious shortcomings in protecting personal health information.
Speaking of those breaches, the following list identifies at a glance what was compromised. Let’s take a look (and be glad it isn’t longer).
What was exposed in recent breaches?
IRS – Thieves got “enough personal information on the taxpayers to get past the security filters on the ‘Get Transcript’ function on the Internal Revenue Service’s website,” said Commissioner John Koskinen. That access, from mid-February through May, let them retrieve past tax returns and, presumably, all the data you enter on a return: name, address, Social Security numbers, income, and more.
Beacon Health System – Information on 220,000 of Beacon Health System’s patients and employees could have been compromised, Healthcare IT News reported, “including patient names, ID numbers, Social Security numbers, dates of birth, medical diagnoses, treatment data, drivers’ license information, and other medical-related information.” Apparently attackers gained access to these files via a phishing attack on Beacon employee email accounts in November 2013 and weren’t discovered until January 2015.
CareFirst – The 1.1 million-record hack of CareFirst, a BlueCross provider in Washington, D.C., occurred last June and was discovered only recently. The hacked info “may have included member names, birth dates, email addresses and subscriber identification numbers. Additionally, CareFirst warned that the attackers may have acquired member-created user names for accessing CareFirst’s Website,” eWeek reported.
Premera – Potentially exposed data from more than 11 million customers, including names, birthdays, email addresses, physical addresses, telephone numbers, Social Security numbers, member IDs, bank account information, medical information, and insurance claims.
Anthem – This breach exposed data including Social Security numbers, addresses, email, employment and income data from as many as 80 million records.
We know what consumers are supposed to do in the wake of a data hack. “Check your bank accounts, monitor your credit” is the advice typically given. And, of course, take advantage of any credit-monitoring services your hacked provider is offering.
But what about the organizations themselves?
So what can I do? I’m not in IT
“Plan and be proactive” is the non-technical advice from the good people at LegalTech News. Beefing up your “cyber defense” takes “a combination of technology, training and process management.”
When, in spite of your IT and security department’s best defenses, a breach occurs, “planning and proactivity can help mitigate the liabilities associated with data loss; this means thinking about the breach in advance, and having representatives from potentially affected departments ready to assess the situation and react accordingly, even if the internal resources needed for cybersecurity defense teams are unavailable.”
And, we suppose, be ready with a credit-monitoring service for your customers.