Dec. 26: Hackers obtain personal records for as many as 44 million Internet users, especially gamers and social media users.
Dec. 25: The Anonymous collective claims to have stolen thousands of credit card numbers and other personal data from clients of Texas-based Stratfor, a security think tank.
Dec. 24: Criminals take personal data for about 20,000 applicants for credit cards at China’s Taishin International Bank.
Dec. 23: The Virginia Department of General Services starts notifying 600 or more people that their Social Security numbers have been visible on an agency website for 10 years.
Dec. 22: The Oregon Department of Human Services says someone stole a computer that contained private information for about 300 people.
Those are just some of the known breaches reported recently.
In Oregon, repercussions are still echoing from the loss of data servers by health insurance firm Health Net Inc., which acknowledged learning in January that as many as 1.9 million current and former policyholders, including 124,000 Oregonians, could be affected.
The nonprofit Privacy Rights Clearinghouse lists Health Net as one of the nation’s six most significant data breaches in 2011. A state investigation is under way into the reason for Health Net’s delay in notifying its Oregon clients.
Health Net subscribers weren’t notified of the lost data until March, and then, in August, the company notified the state that an additional 6,000 Oregonians were affected. And it sent corrective letters to 40,000 other state residents to tell them that, contrary to what they were told in March, their data may have been lost after all.
The delay was “completely, totally outrageous,” said Jeremy Gray, a Health Net client who is also the benefits administrator for the Oregon State Public Interest Research Group (OSPIRG). “Health Net didn’t do anything for three months. That seems weird to me.”
Following a nudge from OSPIRG, the state Department of Business and Consumer Services opened an investigation into the Health Net breach. Investigators are examining whether the insurer complied with a relatively new Oregon law that requires companies or agencies to notify clients “in the most expeditious time possible” when they learn that their clients’ personal data may be lost or exposed.
That investigation is continuing, David Tatman, administrator of the state’s Division of Finance and Corporate Securities, confirmed Thursday.
OSPIRG health care advocate Laura Etherton says the Health Net case is one of the first big tests of Oregon’s law. “Is the law strong enough?” she asked. If consumers weren’t told for two months that their personal information was exposed, that’s two months when they weren’t checking their credit reports or their billing statements. And in cases when data are lost or stolen, she said, “time is of the essence.”
OSPIRG’s Gray says the contractor Health Net hired to respond to queries has given inconsistent responses about whether members’ data were compromised. He said he’s had no contact from Health Net since March, even though he is responsible for informing OSPIRG staffers about their benefits.
The health care sector is seeing a startling growth in the number of reported breaches of personal data, driven by the increasing use of mobile devices, new federal requirements and, often, a failure by employees to focus on securing personal data, according to Portland’s ID Experts, a data security solution firm.
ID Experts sponsored a patient privacy study released last month by the Ponemon Institute that found health care data breaches rose 32 percent last year, costing organizations $2.24 million each, on average.
Part of the reason for the sharp rise, said Richard Kam, ID Experts president, is that the health care sector has “so much less fraud detection” than there is in the financial services industry. Health care providers and insurers, generally, practice a “pay and chase” model of pursuing fraud, he said, meaning that most interdiction occurs after a violation has occurred.
At the same time, Kam noted, health care is highly regulated, making health sector participants more motivated to report breaches than, say, nurseries or makers of flat-panel screens. In fact, it’s impossible to know how many firms or agencies expose private data, because many firms prefer to protect their reputations by concealing such lapses.
They know they risk the ire of clients and customers who learn that the company failed to protect their private information.
“Joe,” a 58-year-old, Sebring, Fla., man interviewed by The Oregonian after he posted on Reddit about his case of identity theft, still doesn’t know how his personal information was hijacked. But he knows in excruciating detail how it was used. He agreed to discuss the matter on the condition that his name not be published, as he’s still cleaning up the mess.
Just before Halloween, he found that data thieves had used his information to acquire a Sears MasterCard, a Macy’s American Express card, a Nordstrom Visa card and individual store accounts at Bass Pro Shops, Kohl’s, Mattress Giant and others. When retailers issued the fraudulent cards, he said, the thieves instantly charged them up to the limit. “They were experts,” he said.
Joe took it upon himself to start calling the banks and retailers that issued the cards. He estimated last week that he’s spent 20 hours on the phone so far — “and I was probably on hold for 18 of those.”
He said he is a careful consumer, shredding correspondence, checking ATMs before using them and avoiding dubious e-commerce sites. But it wasn’t until he got a call asking whether he had charged $3,500 on his Visa card that he knew he had a problem. He didn’t have a Visa card, and the charge occurred 200 miles from where he lived.
By being diligent, Joe hasn’t suffered any losses. But he says, “when I go to the mailbox, I cringe a little.”