

Consumers Take Their Business Elsewhere After a Data Breach

22 October 2013

The costs of data breaches have been well-documented when it comes to remediation and consulting costs, but the more qualitative fallout from a breach, like the impact to brand identity, is harder to pin down.

But a new survey reveals that two-thirds of US adults would not return to a business if their personal information were stolen – and provides insight into what types of businesses consumers would most likely stop patronizing if their confidential information was stolen.

“With every data breach comes a cost, including lost productivity, a damaged reputation, and most importantly, decreased revenue when customers take their business elsewhere,” said John Otten, marketing manager at Cintas, which commissioned Harris Interactive to carry out the survey. “This research confirms that by failing to make security a priority, businesses can discourage once-loyal customers from returning. It could also stop potential customers from ever patronizing your business.”

When asked which types of organizations patrons would stop doing business with if their personal data were compromised, respondents named banking, healthcare and lawyers as being under the most scrutiny. More than half (55%) said that they would change banks, which is no surprise. And 39% said that they would get a new lawyer. But healthcare is really under the gun for consumers, likely because of the sensitive nature of the personal information that could be compromised: 46% said that they would switch insurance companies, 42% would go to a different drug store/pharmacy and 40% would get a new doctor or dentist. A full 35% said that they would not return to their hospital.

Charitable giving was another at-risk area for brand impact after a breach. Consumers want to know their money is safe and going to where it is intended when they give to a cause. Accordingly, 38% said they would donate to a different charity/non-profit organization, while 24% said that they would no longer donate to their alma mater or another educational institution they attended in the event of a breach.

The survey comes as data breaches continue to be reported, perpetrated via a number of vectors. And yet organizations’ responses continue to lack brand-equity damage control. For instance, 729,000 patients’ data may have been compromised after two password-protected laptops were stolen on October 12 from Alhambra Hospital Medical Center (AHMC) in Alhambra, Calif. The laptops had been guarded and gated by a security team with video surveillance, but the thieves made off with them anyway.

The Los Angeles Times reported that the breach included patient Social Security numbers as well as their names, Medicare/insurance identification numbers, diagnosis/procedure codes and insurance/patient payments.

The breach affects AHMC patients that were treated at Garfield Medical Center, Monterey Park Hospital, Greater El Monte Community Hospital, Whittier Hospital Medical Center, San Gabriel Valley Medical Center and Anaheim Regional Medical Center. “We regret any inconvenience or concern this incident may cause our patients,” AHMC said – which, given the survey results, is unlikely to cut it with its consumers.

Meanwhile, a former Broward Health Medical Center employee took documents containing the personal information of nearly 1,000 patients from the Fort Lauderdale health system, it said this week. The records contain names, addresses, dates of birth, insurance policy numbers and the reasons for visiting – a potential jackpot for identity thieves.

According to the Sun Sentinel, about 960 patients, treated between October and December 2012 at Broward Health's main facility, are being notified via letters. These simply alert them that their registration documents had been "inappropriately removed."




squeezy says:

18 May 2014
St. Joseph's Hospital in Orange, Ca., a huge non-profit hospital intertwined with the Catholic Church, gets millions of donations because of their "so called sterling reputation". It's not so sterling after a breach of hundreds of thousands of patients' medical records that contain their most private information. Furthermore, they contract with doctors that have Malpractice "convictions" on their record. St. Joe's won't ever tell you about their Malpractice convicted doctors like William J. Spak, Podiatrist, even though I have corresponded back and forth with Steve Moreux the CEO. Anyone wishing to view the court record can do so at the O.C. Superior Court in Santa Ana, CA. Case # 30-2009-00120955-CU-MM-CJC. Anyone that thinks St. Joe's Hospital is being operated by "saints" would do better at another hospital. It should be a criminal act for anyone to use the name of a "Saint" to depict your hospital. Total misrepresentation. At the very least, I would highly recommend that you stay away from William J. Spak, a Podiatrist (not a Medical Doctor!!!) Because of him, I have had 4 corrective surgeries and am still in pain due to the negligence for which he was found guilty. He never had an assistant surgeon for this complex surgery; he failed to review a post op Xray or he would have seen a quarter size metal washer still in my ankle. Find another foot specialist. Find an Ortho MD, a "real doctor". A DPM Podiatrist never went to Medical School. They are no more of a doctor than a Chiropractor. If you'd let a Chiropractor do surgery on you, then William Spak is your man.

UlfMattsson says:

23 October 2013
The question about “which types of organizations patrons would stop doing business with if their personal data were compromised” is increasingly important. The standard answer after many of the recent data breaches is that "we have reset all passwords". My big concern is what an attacker can do even with a minimal amount of your "personal data". That data could be enough to get them started down the path of stealing your identity.

I think that "personal information" should be properly protected with modern data security approaches. I think organisations today should assume that attackers have already penetrated their networks and user accounts.

Best practice currently is that sensitive data should be protected at rest and in transit. The increasing amount of sensitive data in cloud environments and on Big Data platforms is an increasingly attractive target for attackers.

I recently read an interesting study from Aberdeen Group about security-related incidents. The study revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”. The name of the study is “Tokenization Gets Traction”. Aberdeen has also seen “a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data”.

Ulf Mattsson, CTO Protegrity
