August 20, 2014
CHS Data Breach Underscores 3 ‘Don’t’s
For one, DON’T use the terms “identity theft” and “data breach” interchangeably. Why? Because they aren’t interchangeable.
In the wake of the data breach at Community Health Systems (CHS) that affected 4.5 million patients, many organizations feel that their customers are suffering from “breach fatigue,” that they think the CHS data breach is just one of many. While it’s true that the CHS breach is just adding to an already long list of breaches in the health/medical sector, the CHS breach is not one to ignore.
If it feels as if it’s almost commonplace to hear about a data breach involving a medical or health entity, there’s a reason. And it’s important.
Medical/health entities are in first place this year in number of breaches — 43% of all the breaches reported by the ITRC are in this category. When the 4.5 million records from CHS were added to the list, health/medical also moved to first place in total records breached. (For more information on breaches and how the ITRC categorizes them, visit the ITRC Breach Report).
Why are there so many breaches in the health/medical sector? This is a complex question, and there is no single answer. One reason may be the value of the type of data that is available in our medical records. It’s not necessarily the details of payment cards used for payment or medical history that make the hackers salivate. It’s your Social Security number, or SSN. Having your SSN exposed through a breach by your medical or healthcare provider does not just leave you vulnerable to medical identity theft. It can leave you vulnerable to all types of identity theft.
The SSN remains the holy grail for identity thieves, and, in the CHS case, it appears that they got away with 4.5 million of them.
It is of critical importance that we all react appropriately to this news. While we certainly don’t want to see panic ensue, we don’t apathy to take hold, either.
Inaccurate reporting, headlines and story-telling could cause an unnecessary frenzy that will be wholly counterproductive. So, here are three important “don’ts” when it comes to breaches in general and this breach in particular:
DON’T use the terms “identity theft” and “data breach” interchangeably. Why? Because they aren’t interchangeable. To state that all of the victims of this data breach are victims of identity theft (or even that they will be) is inaccurate, yet we frequently see this stated. Victims of a breach have had their personal identifying information (PII) compromised — meaning that it has been exposed outside of the sphere in which they were granting access to it. Victims of identity theft have had their PII used to obtain money, goods or services without their authorization or knowledge.
DON’T offer tips, or resources, that are inappropriate to a particular breach. All breaches are not the same, as the exposure of different types of PII carries different types of risk. Offering blanket tips may seem like the right move, especially when there is little concrete information, but it can cause even more confusion. In the case of the CHS breach, checking credit reports is wholly appropriate because breach victims have had their SSNs compromised. But in the case of a breach where payment card information (not SSNs) was compromised, offering credit monitoring services only further confuses the public.
DON’T minimize the value of the notification processes. Issuing notification letters to affected individuals remains important. The topic of breach fatigue has been broached as more and more breaches hit the news. Lately, there have been suggestions that notification is no longer the answer. This stance doesn’t take into account that there will be consumers who receive a letter that will be their first exposure to this issue. Notification letters serve as an opportunity to educate customers of the immediate issue as well as the broader ones. Letters can often be the impetus for better identity management, password hygiene, etc. Whenever a large breach hits the airwaves, the ITRC phone lines light up with consumers seeking information about data breaches and how they can protect themselves. Without notification, there would be a huge missed opportunity.