They know lots about us. They know lots about us just by asking us. Who knows what other data about us they routinely buy?
The BBC reported on yet another successful attack on a US health insurer (CareFirst) in which 1.1 million customer records were stolen. It’s peanuts compared to previous attacks on Blue Cross (probably not the UK pet rescue charity of the same name), which lost 11m, and Anthem, which lost 80m.
The CareFirst database accessed included member names, birth dates, email addresses and identification numbers.
It did not include social security numbers, medical claims, employment, credit card or financial information, the company said.
But let’s be cynical. Data about medical history is not mentioned. I feel fairly justified in assuming that stated medical conditions, medication and treatment taken, drinking and smoking habits, weight, occupation etc. might have been among the stolen data. And “identification numbers” is terrifyingly vague. Identifying of what?
"We deeply regret the concern this attack may cause," CareFirst chief executive Chet Burrell said.
They regret the concern, but not the actual harm?
"We are making sure those affected understand the extent of the attack - and what information was and was not affected."
And that still won’t help their customers understand what new threats they face. It doesn’t tell them what – if anything – they can do to mitigate risk and minimise damage.
We have to force companies to be more open about and responsible for the data they harvest about us.
One more thing:
The breach took place in June last year but was only recently discovered.
Discovered by CareFirst? Or discovered by someone else, forcing CareFirst to finally admit it? Either way, their customers’ data has been out in the wild for a year without their knowing.