IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Are Consumers Suffering from 'Data-Hack Fatigue'?

Industry insiders say people need to keep paying attention -- if not to prevent fraud, then at least to catch it as soon as possible.

(TNS) -- Chances are, you've heard something about the cyberattack on Premera Blue Cross in the six weeks since the company announced its massive security breach.

Maybe you even received a letter saying your personal information had been compromised.

But how worried should you be, exactly?

Premera's breach, in which hackers stole personal financial and medical data for about 11 million people -- 6 million of them in Washington alone -- was just the latest brazen attack on health system data.

In January this year, Anthem BlueCross BlueShield disclosed a breach that affected an estimated 80 million people, including patient data stretching back to 2004. Last year, Community Health Systems, the parent company of Yakima Regional Medical and Cardiac Center, was breached via the "Heartbleed" bug, an Internet vulnerability that allowed hackers to gain information on 4.5 million patients nationwide. Premera's breach actually occurred in May 2014; the company learned of it Jan. 29 but didn't make a public announcement until mid-March.

All those breaches came after attacks on retailers like Target and Home Depot, where credit card information for tens of millions of customers was stolen.

Now, consumers might be at risk of data-hack fatigue, tempted to tune out the deluge of bad news as simply one more cost of living in digital world. But consumer advocates and health industry insiders say people need to keep paying attention -- if not to prevent fraud, then at least to catch it as soon as possible.

At a recent health information management convention, one of the main seminars was "It's Not a Matter of 'If'; It's a Matter of 'When,'" said Jeff Yamada, chief information officer and vice president at Yakima Valley Memorial Hospital.

"(Hackers) are getting so sophisticated in some of the tools that they're using, it's hard to stay one step ahead of the threats," Yamada said last week in an interview.

"Some of the information they'll gather, they'll also gather from kids, so down the line they have that information to be used at any time," he said.

Premera, like Anthem before it, is offering two years of free credit monitoring for anyone who was affected by the breach. The company spent most of April sending out letters to affected customers, outlining options for assistance.

Some consumers are scoffing at the idea of two years of credit monitoring when their personal information is potentially vulnerable to theft and fraud for years to come.

Premera spokeswoman Melanie Coon wrote in an email that the company is encouraging affected customers to carefully review any "explanation of benefits" statements upon receipt, to look for any claims for services they never received, and to contact Premera directly.

Also, she said, "Affected individuals need to know that Premera will not email members or make unsolicited phone calls to members about this attack," so if someone calls randomly or emails asking for personal information, don't go along with it.

"Although the investigation has not determined that any such data was removed from our systems and we have no evidence to date that such data has been used inappropriately, we urge affected individuals to sign up for the credit monitoring and identity theft protection products," Coon wrote.

Recognizing that identity theft may happen "months and even years after a data breach," she said, Premera is providing members with ExtendCARE, which offers fraud resolution support and covers identity theft issues after their membership has expired.

On the health care side, where detailed patient information is collected, Yamada says health care organizations nationwide are constantly evolving in how they identify and protect against potential threats.

At Memorial, he said, every year the hospital brings in an outside team to do a full security assessment. After a week of close monitoring, the group hands over a long report detailing every vulnerability in the system, and hospital directors prioritize which issues they need to fix first.

"There's constantly threats that kind of hit our front door -- industrywide, that happens every day," Yamada said.

Protecting against those threats takes a significant investment in staff and infrastructure, he said.

"From an IT perspective, yeah, we do spend a lot of dollars. And every year that seems to grow," he said. But, of course, they can't afford not to do so: "One breach will basically pay for itself," he said.

"My take ... I say, if a robber wants to break into your house, they'll find a way to break in; you've just got to make it as hard as possible," Yamada said. "That's what we try to do. Do we have 100 percent of everything shored down? Probably not, but we make progress in what we're doing."

In the wake of Premera's cyberattack, Washington Insurance Commissioner Mike Kreidler is leading a multistate investigation into the company's cybersecurity system and process of customer notification. Several class-action lawsuits have also been filed against the company.

For Premera's part, Coon said, both the FBI and security consultant Mandiant warned that going public with the breach could prompt more malicious activity from the hackers, so the company worked to finish its investigation and shore up its IT security before making the announcement March 17.

©2015 Yakima Herald-Republic (Yakima, Wash.) Distributed by Tribune Content Agency, LLC.