The breaches just keep happening. Until there are significant repercussions for these breaches and the stolen data involved, companies will continue to skimp on their cybersecurity investments, leaving people’s sensitive information—and sometimes even lives—at risk.
Consider the recent breach at Change Healthcare. Many people might think, “I’ve never heard of them, so why should I worry?” But that’s a common misconception that can lead to complacency about the scale of such threats. Change Healthcare provides cloud-based products and services to a wide range of industries, from insurance companies to hospitals and even regular employers that handle medical claims and payments. This breach is estimated to have impacted 100 million Americans, disrupting pharmacies, hospitals, and medical offices across the country and affecting their ability to provide crucial care.
In our own household, we had never really heard of Change Healthcare throughout our medical journey. However, shortly after the breach, I received notification letters informing me that my children’s information had been compromised. For many, this can feel like an abstract issue until it hits close to home, as it did for us. The stolen data included their Social Security numbers (SSNs), medical records, billing information, and insurance plan details—information that can be used in countless ways by malicious actors.
So, what did I do about it? I went to the credit bureaus—two out of three, to be specific—and asked them to look up my children’s information to see if any credit accounts had been opened in their names. This is the only action parents can take without sending in more proof of guardianship paperwork (like birth certificates) to all three bureaus to get their credit frozen. I’ll add some helpful links to the end of this blog for anyone in a similar situation. It’s unfortunate, though, that even after a breach of this magnitude, it falls on us, the consumers, to jump through hoops to protect our families.
What will happen to Change Healthcare? Likely, very little, if anything at all. HIPAA, the legislation that is supposed to protect patient data, doesn’t really have the teeth it needs to hold companies accountable in a meaningful way. Penalties are so low that healthcare companies often view them as just a small cost of doing business, especially when compared to the costs of implementing comprehensive security measures. In this particular case, the breach occurred because there was no multi-factor authentication (MFA) on Change Healthcare’s remote access servers—something that HIPAA actually requires. Yet this requirement was disregarded.
It’s a frustrating cycle: entities covered under HIPAA have even been carved out from many breach and privacy laws thanks to lobbying from special interest groups. The result is a lower standard of care for handling sensitive information than should be expected in the healthcare sector. Until the government steps up at both the federal and state levels to make real changes, or until there is a large enough class-action lawsuit to set a precedent, we’ll likely continue to see ransomware attacks on poorly defended systems. And with these attacks, we’re likely to see continued disruptions to patient care, from shut-down emergency rooms to postponed surgeries and delayed prescriptions—sometimes with life-threatening consequences.
Looking at the bigger picture, it’s clear we need regulatory changes. HIPAA was enacted in the mid-1990s and has struggled to keep pace with the rapid advancements in technology and the ever-growing sophistication of cyber threats. Updating it to enforce stronger security measures and provide harsher penalties would be a step in the right direction. Additionally, there could be provisions to help patients and consumers by making credit freezes simpler and mandating that companies directly impacted by breaches assist affected individuals.
Until then, though, the responsibility for data security falls heavily on each of us as individuals, making it more critical than ever to stay vigilant about our personal data. With breaches becoming a regular occurrence, it’s essential to be proactive and prepared—not only to protect ourselves but also to advocate for a future where security isn’t treated as optional.
Experian – https://www.experian.com/help/minor-request.html
Equifax – This agency is somewhat behind the times and will only freeze credit once they receive a request in writing, and they provide no initial check of credit like the other two bureaus do.
CFPB Article (A little old, doesn’t have the new minor request forms above, but talks about freezing their credit): https://www.consumerfinance.gov/ask-cfpb/how-do-i-check-to-see-if-my-child-has-a-credit-report-en-1865/
Skye Crest Technology (SCT) provides a wide range of Cybersecurity and IT consulting services including awareness training, compliance, vCISO, networking and programming. SCT can also provide you with website hosting/management services along with social media packages. Visit us at https://www.skyecrest.com to learn more.