The futility of data breach notifications

Olivia Eckerson discusses how her healthcare insurance provider was hacked, and why the data breach notification letter she received was less than helpful.

As a security reporter, I often wondered if data breach notifications helped victims or if they were simply an empty gesture. I got my answer the hard way when I discovered my health insurance provider was hacked.

The breach happened two years ago, during my first year at a small liberal arts college. In my first semester, a highly contagious bug spread through my dorm faster than American Pharoah, and unfortunately I caught it too. I took a taxi to the hospital, got the prescriptions I needed, and was soon on my merry way. What I didn't think twice about was that my health insurance provider was interacting with an apparently insecure network at the hospital.

A few weeks ago, I received a letter in the mail that read: "Excellus BlueCross BlueShield was the target of a sophisticated cyberattack, and some of your personal information may have been accessed by the attackers." Further down, the data breach notification letter stated: "Our investigation determined that the attackers may have gained unauthorized access to your information, which could include your name, address, telephone number, date of birth, Social Security number, member identification number, financial account information, and claims information."

Uh-oh.

I let out an exasperated gasp that I hadn't realized I'd been holding in while reading. This wasn't like the Target hack, where I could replace my credit card and feel safe again; my birthdate and Social Security number aren't going to change. My personally identifiable information (PII) was exposed, and the list of ways PII can be abused in the wrong hands is endless.

The breach notification letter stated that the attack specifically affected several counties of the state where I was attending college at the time, so I was able to work out when and how I had been caught up in it. But the rest of the letter was a dense, four-page statement that didn't actually explain anything in detail about the cyberattack or the health insurance provider's response. Essentially, it went something like this: there was a data breach, your information was compromised, we are offering free credit monitoring, and we are enhancing security. Excellus BlueCross BlueShield also posted a public statement on its website, but that didn't offer much information either. Out of curiosity, and because of my occupation, I wanted to know more.

I called Excellus to see what they had to say. After waiting on hold for 20 minutes, I was transferred to a woman who, I imagine, was working in a call center and had little to no information to offer. To start, I asked her, "How did this happen?" She reiterated what the letter said, with vague details. I pressed with more questions: "Was my data encrypted?", "Why did it take two years to discover?", "What security was being used to protect my personal data?" and others. She suggested I look online for more information or call the credit reporting agencies listed in the data breach notification letter, such as Experian. But it's worth noting that Experian was itself hacked this October, exposing 15 million people's personal information. Thanks but no thanks.

I called another credit reporting agency listed in the letter to order a free credit report. I jumped around a phone maze for 20 minutes, giving the automated voice response system my personal information to establish my identity. I hoped that at the end of it I would finally be connected to a real person, but I wasn't. Instead, I was told to expect more information about obtaining my credit report in the mail in two to three weeks, and then the line hung up. Frustrated, I tried calling yet another credit reporting agency, Equifax, and again I was met with an automated voice response system and was unable to speak to a representative.

About two weeks after I requested a credit report from Equifax, I received it in the mail. But there was no actual credit score in the report. It didn't occur to me that they'd send me a credit report without a credit score. And on the fifth page titled, "Historical Account Information," there is a list of payments but it doesn't say where the payment came from. It simply reads "No Data Available."

But what I found most interesting is that I have the right to request a "security freeze," which they explained was "designed to prevent credit loans or services from being approved in your name without your consent." I was intrigued, because it seemed like a legitimate way to help victims of a data breach. But to get a security freeze I'd have to call another number and pay $5.00. Don't worry, though: if you're a victim of identity theft and you "submit a copy of a valid police report, no fees will be charged." In other words, you can't get a free security freeze on your credit unless you've already been victimized.

Healthcare organizations are the Holy Grail for attackers as far as personal information goes. The data is comprehensive, it includes the most sensitive information about a person, and it has a long shelf life, which is why healthcare organizations have been regularly targeted by cybercriminals recently. The other problem is that healthcare organizations aren't equipped to handle the aftermath of a cyberattack because they cannot "identify illicit records activity and put a stop to it," according to the 2014 Bitglass Healthcare Breach Report. The data breach notification letter called the breach a "sophisticated cyberattack," but I have my doubts. Many companies fail to keep up with proper security measures and regulations, leaving a gaping hole for cybercriminals to waltz through. Target, for example, was embarrassed when a post-breach internal report was made public by security reporter Brian Krebs.

At the time, I recalled a conversation I had with Christopher Budd, global threat communications manager at security vendor Trend Micro. "People pay more attention [to data breaches] because they've seen what has happened to others. But people are not learning because we don't get full details," Budd told me. "The general public never gets the whole story."

I found that to be painfully true.

The victims of any cyberattack should be able to know, in reasonable detail, what happened, how it happened, the impact of the breach, why the company's security failed, and what exactly the company is doing to make sure it doesn't happen again. I started to wonder whether the data breach notification letter was actually designed to serve customers' best interests or whether it was simply a formality so the company could cover itself in case of any legal action.

Even though I received a data breach notification letter with plenty of numbers to call and companies to contact and a free credit report, I don't know any more than I did before I was notified, and my occupation as a security reporter didn't help me get any answers or clarity on the situation. In addition to the lack of information, the so-called "protection" offered to me was laughable. Next time, Excellus BlueCross BlueShield, save your paper.

This was last published in December 2015

Join the conversation

Do you think data breach notification letters are useful or just a formality?

Thanks for sharing Mike. The value of "protecting" consumers after their personal information is stolen is a bit of a stretch in terms of a real value proposition. Many so-called identity protection companies simply act as a middle man and "scale" by outsourcing call center, notification, and credit monitoring services to partners. I'm not surprised that the author states, "After waiting on hold for 20 minutes I was transferred to a woman, who I can imagine was working in a call center and had little to no information to offer." This call center rep probably has many other call center project responsibilities and was simply referencing a script. To me, that doesn't sound like a consumer-focused model with the best interests of victims in mind.

My husband and I were both notified that our information was stolen in the OPM breach. We were referred to a credit protection agency that would provide three years of 'service'. The first thing they asked for was the same private information that had been stolen from OPM. Fat chance we're going to blindly trust this no-name company with our information. What a crock!

They are a legal and bare minimum response. Reveal no more than what is required and minimize public image damage, in my considered opinion. The C-level executives are in damage control mode first and looking for the scapegoat second to cover for the lack of administrative support for a secure culture.

Just my two cents from my experience inside healthcare and having received similar notifications too.

For me, I'd say useful. If a company was breached and I was not notified and found out through other means, I would stop doing business with that company. I would look at it as the company not caring enough about their customers to give them a heads-up that their personal info may have been put at risk. Even still, depending on the breach level, I may stop doing business. I guess a company may think the same way: if we tell our customers of the breach they may leave, so do we keep our mouths shut to retain the business?

They send the letters as a legal necessity, not because they want to be helpful. As to their usefulness? Typically, as a consumer, there's nothing you can do about the breach once it's occurred. Companies usually offer some free credit monitoring services, though, and that is helpful.

Yes, we got free credit monitoring from our bank once. The reason was not necessarily a breach, but somebody lost their unencrypted tape backups. We got the letter, which was nice, and we kept a sharp eye on our credit as well. Fortunately nothing happened; that was about 6 years ago. I guess I can count myself lucky that nothing has happened so far.