Editorial: Short-term monitoring inadequate for Banner, Anthem data breaches

It’s not enough.

Banner Health recently revealed in letters to customers that “cyber attackers may have gained unauthorized access to information stored on a limited number of Banner Health computer servers.” Accessed data may have included patient names, birth dates, Social Security numbers, addresses, physician names, dates of service, clinical information, health-insurance information, members of patient health plans and more.

Banner’s announcement came quickly — three weeks after it says it discovered the breach — but the remedy is sorely lacking. Banner has offered those affected one year of free credit and identity monitoring. That falls short of the two years offered by Anthem BlueCross BlueShield after records of more than 70 million customers were exposed in 2015. Anthem now has offered credit and identity protection for life — but only if those affected remain Anthem members. Sign up for a new plan and the protection goes away.

Clearly, credit and identity protection for one year is inadequate. Even two years doesn’t cut it, not when data that’s been compromised includes Social Security numbers, the No. 1 data point needed to initiate new credit. Add in all of the other information exposed in the breaches, and there’s little left to the imagination for hackers.

Anthem’s current model of cutting someone off from credit and identity monitoring if they switch plans also is irresponsible.

Hackers often act as “sleeper” agents within a computer system, sometimes sitting in a system for years before a breach is discovered. Any of the 70 million victims of Anthem’s breach or the 3.7 million affected by Banner’s breach could face serious identity-theft issues for the rest of their lives. An unauthorized credit card could be opened a decade from now.

Companies responsible for such breaches should bear the cost of monitoring credit and identity for their customers — not for a year, not for two years, not for life only for those who remain customers — but for anyone affected, for life.

It’s difficult to prevent all data breaches. But it’s also disconcerting to have a company, such as Banner, state that “we are further enhancing the security of our systems to help prevent something like this from happening again.” That’s the proverbial “closing the barn door after the horse has escaped.”

Companies that maintain sensitive data such as SSNs should have some of the most-secure systems in the world — and they should pay the price if that data is exposed.
