Equifax’s data breach is the gift that keeps on taking

Every time we think we’re out, they pull us back in.  Just when we’ve seemingly heard the last of the Equifax story, more damning updates come to light.  This time, yet another additional set of people affected by last year’s data breach (2.4 million more) was announced recently, which brings the total number up to around 147.9 million.

Perhaps even worse is news of Equifax’s possible playing of both sides of this incident.  Senator Elizabeth Warren (D-Mass.) recently stated that after a five month investigation, she believes it’s entirely possible that Equifax is actually profiting off the breach on the side.  This is due to the fact that Equifax sells credit protection devices, so that if a victim decides to buy credit protection from another entity, that entity “very well may be using Equifax to do the back-office part.”

Moreover, Warren states that her investigation found Equifax’s transparency surrounding the breach to be sorely lacking.  House Representative Greg Walden echoed this sentiment, accusing Equifax of merely partial responses to repeated committee requests.

As a reminder, the Equifax breach was caused by the organization’s failure to keep its security up to date, allowing external actors to break in.  Often, however, and especially in healthcare organizations, insiders are primarily responsible.  In fact, according to Verizon’s 2018 Protected Health Information Data Breach Report, more than half (58 percent) of healthcare data breaches have internal causes.  The motivations vary among this set: from some form of financial gain (48 percent) to fun and curiosity (31 percent) to sheer convenience (10 percent).

Lack of encryption also continues to be a significant problem, primarily in instances like laptop theft (21 percent of PHI breaches overall) or ransomware (70 percent involving malicious code).  The report recommends both long and short-term measures to meet these security vulnerabilities, including encryption, access monitoring, and building strong security into any new Internet of Things devices.

Although this presents a serious challenge for the industry (and others), there is reason for optimism.  Infosys recently released a report, “Digital Outlook for Healthcare and Life Sciences Industry,” that places cybersecurity as the most significant digital technology used by healthcare organizations globally (77 percent).  Big data analytics are also a major trend cited in the report (72 percent), but that’s a whole topic on its own.

All of these statistics just go to show how much work remains to be done.  No matter the industry, there is no room for shoddy security or poor transparency.  That said, it would be great if House Representative Ted Lieu’s two recent bills regarding credit agency breaches (the “Protecting Consumer Information Act of 2018,” which would “expand the Federal Trade Commission’s enforcement authority;” and the “Ending Forced Arbitration for Victims of Data Breaches Act,” which would do exactly as it says and help consumers “have their day in court”) gained some traction.