Millions More Medical Records Stolen

This has not been a good year so far for blue crosses and blue shields.  Honestly, all these healthcare data breaches make for a double-edged sword when it comes to writing about them.  Sure, each one is its own story and gives me new material; but at the same time, that story is the same one we’ve all heard by now, time after time.  Add health insurer Excellus BlueCross/BlueShield to the growing list, joining the likes of Anthem BlueCross BlueShield, Premera Blue Cross, and CareFirst BlueCross/BlueShield as major healthcare organizations that announced massive network breaches in 2015.  In the Excellus case, according to a statement from CEO Christopher Booth, the initial breach, a “very sophisticated cyberattack,” occurred in December 2013 and was only discovered this past August.  The information stolen was the usual grocery list, including Social Security Numbers and financial account information, and affects the data of 10.5 million people.

By my estimate, if you add that to the total number of medical records stolen in all four of the aforementioned healthcare data breaches this year, that would be somewhere north of 100 million medical records (see, I can math).  And still three and a half months to go.  Whether the hackers in this story are also believed to have the support of the Chinese government in their alleged ‘cyber war’ efforts is not yet known.  What is more clear is that the two years of free credit monitoring Excellus is offering is nice, but not really sufficient for actively protecting people against actual identity theft.  Credit report freezes would be a more effective bulwark, but hacked companies rarely want to assume those costs.

Also clear is that other breaches, like the server intrusion at violence prevention education organization We End Violence that put about 79,000 California State University students at risk last week, really don’t help hackers’ overall image.  Not that they care, but you’d garner more good will if you went after, say, We End Baby Pandas, or something.

Still more apparent, and increasingly recognized throughout information security, is the need to encrypt customers’ confidential data. Lloyds Bank might find this out firsthand, after an unencrypted data storage device was taken from U.K. insurance company Royal Sun Alliance in July, affecting Lloyds Premier customers who received emergency home insurance from RSA between 2006 and 2012.  Lloyds Bank and RSA are, of course, working together in an investigation into the breach, and customers were notified this month that their names, addresses, account numbers and sort codes may have been accessed.  Encryption, all the same, would have made this particular stolen data useless.  And while factors like legacy support and implementation costs remain challenges for businesses, as more adopt this strategy, it will make for a better defense, and that blue shield will be that much tougher to break.

By: Jonathan Weicher