The futility of data breach notifications

Olivia Eckerson discusses how her healthcare insurance provider was hacked, and why the data breach notification letter she received was less than helpful.

As a security reporter, I often wondered if data breach notifications helped victims or if they were simply an empty gesture. I got my answer the hard way when I discovered my health insurance provider was hacked.

The breach happened two years ago during my first year of college at a small liberal arts school. During my first semester at school, a highly contagious bug spread through my dorm faster than American Pharoah, and unfortunately, I caught it too. So I took a taxi to the hospital, got the prescriptions I needed, and soon I was on my merry way. But what I didn't think twice about was that my health insurance provider was interacting with an apparently unsecured network at the hospital.

A few weeks ago, I received a letter in the mail that read: "Excellus BlueCross BlueShield was the target of a sophisticated cyberattack, and some of your personal information may have been accessed by the attackers." Further down, the data breach notification letter stated: "Our investigation determined that the attackers may have gained unauthorized access to your information, which could include your name, address, telephone number, date of birth, Social Security number, member identification number, financial account information, and claims information."
I let out an exasperated gasp that I'd unknowingly held in while I was reading. This wasn't a simple Target hack; I can replace my credit card and feel safe again, but my birthdate and Social Security number aren't going to change. My personally identifiable information (PII) was exposed, and the list of ways my PII can be abused in the hands of the wrong person is endless.

The breach notification letter stated that the attack specifically occurred in several counties of the state where I was attending college at the time, so I was able to determine when and how I was affected by the breach. But the rest of the data breach notification letter was a dense, four-page statement that didn't actually explain anything about the cyberattack or the health insurance provider's response in detail. Essentially, the letter went something like this: there was a data breach, your information was compromised, we are offering free credit monitoring, and we are enhancing security. Excellus BlueCross BlueShield also posted a public statement on its website, but that didn't offer much information either. Out of curiosity, and because of my occupation, I wanted to know more.

I called Excellus to see what they had to say. After waiting on hold for 20 minutes I was transferred to a woman, who I can imagine was working in a call center and had little to no information to offer. To start, I asked her, "How did this happen?" She reiterated what the letter said with vague details. I continued to ask more questions: "Was my data encrypted?", "Why did it take two years to discover?", "What security was being used to protect my personal data?" and other inquiries. She suggested I look online for more information or call the credit report agencies like Experian listed in the data breach notification letter. But it's worth noting that Experian was hacked this October, exposing 15 million people's personal information. Thanks but no thanks.

I started to wonder if the data breach notification letter was actually designed to serve customers' best interests or if it was simply a formality so the company could cover itself in case of any legal action.

I called another credit report agency listed in the letter to order a free credit report. I jumped around a phone maze for 20 minutes, giving the automated voice response system my personal information to establish my identity. I hoped at the end of it I would finally be connected to a real person to talk to, but I wasn't. Instead, I was told to get more information about getting my credit report in the mail in two to three weeks, and then the line hung up. Frustrated, I tried calling yet another credit reporting agency, Equifax, and again I was met with an automated voice response system and was unable to speak to a representative.

About two weeks after I requested a credit report from Equifax, I received it in the mail. But there was no actual credit score in the report. It didn't occur to me that they'd send me a credit report without a credit score. And on the fifth page titled, "Historical Account Information," there is a list of payments but it doesn't say where the payment came from. It simply reads "No Data Available."

But what I found most interesting is that I have the right to request a "security freeze," which they explained was "designed to prevent credit loans or services from being approved in your name without your consent." I was intrigued because it seemed like a legitimate way to help victims of a data breach. But to get a security freeze I'd have to call another number and pay $5.00. But don't worry -- if you're a victim of identity theft and you "submit a copy of a valid police report, no fees will be charged." In other words, you can't get a free security freeze on your credit unless you've already been victimized.

Healthcare organizations are the Holy Grail for attackers as far as personal information goes. The data is comprehensive, it includes the most sensitive information about a person, and it has a long shelf life, which is why healthcare organizations have been regularly targeted by cybercriminals recently. The other problem is that healthcare organizations aren't equipped to handle the backlash of a cyberattack because they cannot "identify illicit records activity and put a stop to it," according to the 2014 Bitglass Healthcare Breach Report. The data breach notification letter said the hospital breach was a "sophisticated cyberattack," but I have my doubts. Many companies fail to keep up with proper security measures and regulations, leaving a gaping hole for cybercriminals to waltz through. For example, Target was subject to embarrassment after a post-breach internal report was made public by security reporter Brian Krebs.

At the time, I recalled a conversation I had with Christopher Budd, global threat communications manager at security vendor Trend Micro. "People pay more attention [to data breaches] because they've seen what has happened to others. But people are not learning because we don't get full details," Budd told me. "The general public never gets the whole story."

I found that to be painfully true.

The victims of any cyberattack should be able to know, in reasonable detail, what happened, how it happened, the impact of the breach, why the company's security was breached, and what exactly the company is doing to make sure it doesn't happen again.

Even though I received a data breach notification letter with plenty of numbers to call and companies to contact and a free credit report, I don't know any more than I did before I was notified, and my occupation as a security reporter didn't help me get any answers or clarity on the situation. In addition to the lack of information, the so-called "protection" offered to me was laughable. Next time, Excellus BlueCross BlueShield, save your paper.

This was last published in December 2015