National Consumers League

How many straws until the camel’s back is broken on data breaches?

John BreyaultAnother day, another data breach. The data breach roulette wheel this times landed on health insurer CareFirst. Who loses? The 1.1 million consumers whose names, birth dates, email addresses and CareFirst subscriber ID numbers are now in the hands of cyber crooks.

First things, first, what’s the risk to consumers? The mostly likely effect is that consumer affected by the breach may be on the receiving end of convincing-looking phishing emails. These attacks are designed to trick consumers into clicking on links or attachments that install malware or send users to phishing websites. The phishing emails (and possible telephone calls) are likely to reference CareFirst in some way, and may even masquerade as notifications about the breach itself.

Bottom line: If you are a CareFirst customer, the first place you should be going to get reliable information about the breach and what CareFirst is doing about it is The website has been set up by CareFirst to give affected customers up-to-date information about the breach and what steps they can take to mitigate their risk, including taking advantage of free credit monitoring and identity theft protection CareFirst is offering via Experian.

With that out of the way, there are a number of key questions that regulators, legislators and advocates should be asking in the coming days and weeks.

First, why are health insurers being targeted? CareFirst is the third major health insurer to disclose a breach in the past six months. There are troubling signs that the breaches at Anthem in February, Premera in March and now CareFirst are part of a coordinated attack on U.S. health insurers, possibly by state-sponsored hackers. Regardless of the origin of the hack, it’s clear that medical information is especially lucrative for thieves. According to cybersecurity experts, stolen medical info is worth 10-20 times more than stolen credit or debit card data goes on the cyber black market. With 2.3 million Americans falling victim to medical identity theft in 2014, it’s not hard to see why medical information presents such an attractive target to cybercriminals

Second, why did it take 10 months to notify consumers? According to CareFirst, the intrusion into their network was first detected in June 2014 and “immediate action” was taken to contain the threat. However, it was not until April 2015 that the company discovered that the crooks had exfiltrated their systems with stolen data. With nearly 10 months lead time, cybercrooks had ample time to create mischief with the stolen data before CareFirst notified consumers. Why did it take so long to find out that data was actually lost?

Finally, would more stringent data security standards or data breach notification laws have reduced the risk of this breach? There is no way to make a system 100% safe from hacking. However, far too many companies only invest significant resources in protecting their customers’ data after a hack, not before. This leaves millions of consumers at risk of breach-fueled fraud as companies elect to invest elsewhere while they wait for a hack to force them to spend on data security. What kind of incentives and/or penalties should Congress and Executive Branch consider to shift the cost/benefit equation for companies towards spending on data protection before a breach? NCL’s 2015 Data Security Agenda is a good roadmap for policymakers looking for consumer-friendly answers to these important questions.

The CareFirst breach is yet another straw on the pile of reasons why consumers can’t wait on businesses to take care of the data security problem on their own. It’s time for leaders in Washington to step up and pass real data security reform before the next straw breaks the camel’s -- and our -- backs. In the meantime, here are tips consumers can use to reduce the risk of identity theft.