When it comes to the consequences of cyber theft, have local hospitals, medical practitioners and elected officials turned their backs on the communities they serve?
Earlier this year, The Mercury published a letter in which I described my experience as someone who had personal information, including a Social Security number, exposed as the result of a data systems breach at CHS (Community Health Systems). In the case of this “hack,” I was but one of potentially millions so affected. As no one in a position of authority appeared to have taken it upon themselves to address the consequences of this gross negligence, I took it upon myself to contact Wayne T. Smith, the CEO of CHS. Only one question was posed: “Would you kindly advise me when my personal information will no longer be subject to abuse by third parties as a result of the information system breach?” It was an unfair question, as I knew that until my dying day, the netherworld of identity thieves would likely be privy to that information. For this effort, I was rewarded with a one-year extension of “free” identity theft monitoring (see below for CHS contact information). What remains unanswered is the question of who will bear the long-term cost of this monitoring service. An average individual plan unsupported by CHS economies of scale can exceed $200 annually.
Last month, a class action lawsuit brought by 62,000 plaintiffs against the University of Pittsburgh Medical Center was dismissed by a judge in Allegheny County. The data system breach was remarkably similar to that at CHS. In his ruling, Judge Wettick declared that Pennsylvania law imparts no liability to entities that suffer a breach of their security systems other than to provide notice to affected parties.
What one can glean from the Dittman v. UPMC case is that our legislature and governor are very much behind the curve when it comes to addressing the short- and long-term consequences of cyber theft. One might also conclude that as cyber thefts begin to overlap, it will be problematic for plaintiff attorneys to definitively identify which theft was responsible for actual harm. Of no question is that victims of the CHS breach will incur financial harm if they elect to renew the identity theft monitoring service recommended by CHS if and when CHS ceases to underwrite the service. The risk in not re-subscribing to such a service is that identity thieves typically strike when complimentary programs expire, knowing that most will not be renewed out of a false sense of security.
The costs associated with cyber security and the numbers of those victimized by cyber theft are simply staggering. Investment bank J.P. Morgan Chase currently spends $500 million annually on cyber security. The $75 billion market for cyber security services is expected to double within four years. Ponemon Institute research reveals that the average remediation cost associated with an exposed personally identifiable record is $217 for a U.S. company, $398 in the case of an exposed healthcare record. The recently hacked files of 18 million current and former federal employees pale in comparison to the 200 million records exposed in the hack of an Experian Plc. subsidiary. No parties, particularly insurers, have been able to get their arms around the problem given its complexity and scale.
In the near term, local CHS-affiliated hospitals and medical practitioners must disseminate to CHS victims information regarding the availability of free identity theft monitoring extensions (Contact: Andi Bosshart, Senior Vice President, Corporate Compliance and Privacy Officer, CHS, 4000 Meridian Blvd, Franklin, TN 37067). Before those extensions expire in 2016, it is incumbent upon our state legislature, particularly those members seeking the office of attorney general, to craft legislation designed to fairly address cyber theft liability, including assigned liability for costs associated with long-term identity theft monitoring.
— Mark Furlong, North Coventry, PA