Healthfirst, a not-for-profit managed care organisation operating in New York, has sent out letters to over 5,300 current and former members warning them of a data breach.

Customers will have several concerns over this breach:

  1. The first Healthfirst knew of the breach was May 27, 2015. This was when the US Department of Justice (DOJ) informed Healthfirst that it may have suffered a data breach.
  2. It took forensic investigators until July 10, 2015 to identify the scope of the breach.
  3. The breach continued for over two years, from April 11, 2012 to March 26, 2014.
  4. There was another delay of over two weeks before Healthfirst began to send out letters to customers.

Healthfirst told the DOJ about fraud but didn’t look for a data breach

In its letter, Healthfirst has apologised to customers for the data breach and admits that it first informed the DOJ about a suspected fraud in 2013. What isn't clear is why it then failed to call in forensic investigators to see if the fraud had greater ramifications, such as the theft of customer data. Healthfirst will need to explain this failure, because acting at that point could have minimised the risk to customers much earlier.

The letter to customers does say that the information stolen was limited and that Healthfirst has no evidence that Social Security Numbers (SSNs) or credit card data were stolen. Despite this, Healthfirst is offering affected customers one year of free identity and credit monitoring.

Too little, too late?

While Healthfirst has moved to offer customers access to monitoring services, it is doing so too late. Given that the data was stolen with the intent to defraud, Healthfirst should have realised there were risks to customers. As a result, there is no reason why it couldn't have offered affected customers a free identity and financial audit covering the period from April 2012 to date.

While this would incur additional costs for Healthfirst, it would at least demonstrate a willingness to deal with the situation. Instead, it appears to be putting the onus on customers to go back over the last three years and try to identify any fraud that could have arisen as a result of this data breach.

When the regulator gets around to assessing the size of the penalties it will impose on Healthfirst, it will look at how the whole situation was dealt with. At the moment, it appears that Healthfirst is just stumbling from one problem to the next.

Not the first time Healthfirst has suffered data problems

This is not the first time that Healthfirst has had to deal with a data breach. In February, Senior Health Partners, a subsidiary of Healthfirst, admitted that it was notifying 2,700 members that it had suffered a data breach. This breach occurred when a smartphone and an encrypted laptop were stolen from the apartment of a nurse employed by Premier Home Health.

What made this breach more serious was that the encryption key was stored in the laptop bag along with the laptop. Storing the two together negates the whole point of the encryption, since whoever takes the laptop also takes the means to decrypt it. In this case, the data stolen did include SSNs, personal data, medical services, Medicaid ID numbers and health insurance claims numbers.

The rise in cyber attacks means that all companies can expect to suffer attempted data breaches or fraud. Once an incident is detected, internal processes should trigger an in-depth audit covering data and system access. If customers are affected, they have a right to know immediately that there is a problem.

In this case, Healthfirst seems to have failed to react properly, leaving customers open to fraud for over three years. It will be interesting to see how long it takes for Healthfirst to accept full responsibility and offer free historical audits to customers.
