
Twitter beats security experts when it comes to Excellus breach

In less than two minutes, we found two great sentiments on Twitter that security professionals didn't bother to raise in getting out their statements to the press about the Excellus Blue Cross Blue Shield breach.

Wednesday’s news that yet another health insurer, Excellus Blue Cross Blue Shield of Rochester, New York, suffered a data breach involving millions of people, brought the usual response, at least from the perspective of MedCity News. Several publicists reached out to us again offering canned quotes from cybersecurity experts.

It’s the same thing that happened in May after CareFirst BlueCross BlueShield in Maryland disclosed that it was the victim of a hack.

Here’s a sampling of generic advice that came in this week:

“Healthcare organizations are a large target for many reasons. First and foremost, they possess extremely valuable assets, including the personal, family and billing information of their patients. It isn’t the blood type or cholesterol reports that make Electronic Health Records the most valuable records on the cybercrime black market; it is the virtually complete personal identity information, including social security numbers, parents, maiden names, addresses, emails, children names and, in some cases, complete information of close friends. They are the holy grail of the identity theft world.”

(Pardon me while I cringe at the capitalization of electronic health records and the lack of capitalization of Social Security.)

“We’re learning, through the discovery of this year’s inventory of breaches, that an identity breach can essentially be far more damaging than that of a credit card breach. There is more sensitive information being leaked, which in turn provides attacker an added incentive into selling that information. The disclosure of Social Security numbers and other data points such as income, employment status and birth dates allow criminals to create numerous fraudulent credit card accounts, causing the victim additional fallout that can continue for many years to come.”

That’s better on the grammar front, but still yawn-inducing. This one isn’t much of an improvement:

“The frequency of breaches in the healthcare sector emphasizes the priority cybercriminals are putting on the industry. Ongoing assessments and tests are critical to identifying areas of vulnerability before sensitive data is at risk, especially since many breaches aren’t obvious to the organization. It’s not only about building effective software that adhere to compliance standards, but healthcare organizations also need to build security in so that applications and software can tell you when something is going wrong.”

Then I turned to Twitter. In less than two minutes, I found two great sentiments these security professionals didn’t bother to raise in getting out their statements to the press about a breach that apparently started in 2013.

The latter was from a TV news anchor in Rochester who clearly was doing her job.
