Consumers Take Their Business Elsewhere After a Data Breach

22 October 2013

The costs of data breaches have been well-documented when it comes to remediation and consulting costs, but the more qualitative fallout from a breach, like the impact to brand identity, is harder to pin down.

But a new survey reveals that two-thirds of US adults would not return to a business if their personal information were stolen – and provides insight into what types of businesses consumers would most likely stop patronizing if their confidential information was stolen.

“With every data breach comes a cost, including lost productivity, a damaged reputation, and most importantly, decreased revenue when customers take their business elsewhere,” said John Otten, marketing manager at Cintas, which commissioned Harris Interactive to carry out the survey. “This research confirms that by failing to make security a priority, businesses can discourage once-loyal customers from returning. It could also stop potential customers from ever patronizing your business.”

When asked which types of organizations patrons would stop doing business with if their personal data were compromised, respondents named banking, healthcare and lawyers as being under the most scrutiny. More than half (55%) said that they would change banks, which is no surprise. And 39% said that they would get a new lawyer. But healthcare is really under the gun for consumers, likely because of the sensitive nature of the personal information that could be compromised: 46% said that they would switch insurance companies, 42% would go to a different drug store/pharmacy and 40% would get a new doctor or dentist. A full 35% said that they would not return to their hospital.

Charitable giving was another at-risk area for brand impact after a breach. Consumers want to know their money is safe and going to where it is intended when they give to a cause. Accordingly, 38% said they would donate to a different charity/non-profit organization, while 24% said that they would no longer donate to their alma mater or another educational institution they attended in the event of a breach.

The survey comes as data breaches continue to be reported, perpetrated via a number of vectors. And yet organizations’ responses continue to lack brand-equity damage control. For instance, 729,000 patients’ data may have been compromised after two password-protected laptops were stolen on October 12 from Alhambra Hospital Medical Center (AHMC) in Alhambra, Calif. The laptops had been guarded and gated by a security team with video surveillance, but the thieves made off with them anyway.

The Los Angeles Times reported that the breach included patient Social Security numbers as well as their names, Medicare/insurance identification numbers, diagnosis/procedure codes and insurance/patient payments.

The breach affects AHMC patients that were treated at Garfield Medical Center, Monterey Park Hospital, Greater El Monte Community Hospital, Whittier Hospital Medical Center, San Gabriel Valley Medical Center and Anaheim Regional Medical Center. “We regret any inconvenience or concern this incident may cause our patients,” AHMC said – which, given the survey results, is unlikely to cut it with its consumers.

Meanwhile, a former Broward Health Medical Center employee took documents containing the personal information of nearly 1,000 patients, the Fort Lauderdale health system said this week. The records contain names, addresses, dates of birth, insurance policy numbers and the reasons for visiting – a potential jackpot for identity thieves.

According to the Sun Sentinel, about 960 patients, treated between October and December 2012 at Broward Health's main facility, are being notified via letters. These simply alert them that their registration documents had been "inappropriately removed."

squeezy says:

18 May 2014
St. Joseph's Hospital in Orange, Ca., a huge non profit hospital intertwined with the Catholic Church, gets millions of donations because of their "so called sterling reputation". It's not so sterling after a breach of hundreds of thousands of patients' medical records that contain their most private information. Furthermore, they contract with doctors that have Malpractice "convictions" on their record. St. Joe's won't ever tell you about their Malpractice convicted doctors like William J. Spak, Podiatrist, even though I have corresponded back and forth with Steve Moreux the CEO. Anyone wishing to view the court record can do so at the O.C. Superior Court in Santa Ana, CA. Case # 30-2009-00120955-CU-MM-CJC. Anyone that thinks St. Joe's Hospital is being operated by "saints" would do better at another hospital. It should be a criminal act for anyone to use the name of a "Saint" to depict your hospital. Total misrepresentation. At the very least, I would highly recommend that you stay away from William J. Spak, a Podiatrist (not a Medical Doctor!!!) Because of him, I have had 4 corrective surgeries and am still in pain due to the negligence for which he was found guilty of. He never had an assistant surgeon for this complex surgery; he failed to review a post op Xray or he would have seen a quarter size metal washer still in my ankle. Find another foot specialist. Find an Ortho MD, a "real doctor". A DPM Podiatrist never went to Medical School. They are no more of a doctor than a Chiropractor. If you'd let a Chiropractor do surgery on you, then William Spak is your man.

UlfMattsson says:

23 October 2013
The question about “which types of organizations patrons would stop doing business with if their personal data were compromised” is increasingly important. The standard answer after many of the recent data breaches is that "we have reset all passwords". My big concern is what an attacker can do even with a minimal amount of your "personal data". That data could be enough to get them started down the path of stealing your identity.

I think that "personal information" should be properly protected with modern data security approaches. I think organisations today should assume that attackers already penetrated their networks and user accounts.

Best practice currently is that sensitive data should be protected at rest and in transit. The increasing amount of sensitive data in cloud environments and on Big Data platforms is an increasingly attractive target for attackers.

I recently read an interesting study from Aberdeen Group about security-related incidents. The study revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”. The name of the study is “Tokenization Gets Traction”. Aberdeen has also seen “a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data”.

Ulf Mattsson, CTO Protegrity
