Equifax Discloses 2.4 Million More Mega-Breach Victims

Breach Costs Hit $114 Million, But Data Broker Still Sees Profit Rise

Equifax says it identified 2.4 million U.S. consumers whose names and snippets of their driver’s license numbers were stolen, adding to what is one of the largest and most sensitive data breaches on record.

The disclosure came Thursday, the same day Equifax announced a 40 percent rise in profit for the fourth quarter last year compared to the same period a year prior.

Equifax says that its latest breach-related finding came from an ongoing analysis of proprietary company records and information from an “external data provider.”

The number of affected U.S. consumers now totals about 147.9 million, up from 145.5 million. The company says it will notify the victims and offer them prepaid identity theft protection and credit file monitoring services.

Investigation Continues

Equifax offered an explanation for why it is still uncovering victims six months after it first announced the breach on Sept. 7, 2017.

The company used Social Security numbers and names as the “key data elements” to figure out who was affected. Digital forensics experts had determined that the attackers were “predominantly” focused on stealing those numbers.

The latest group of people had portions of their driver’s license numbers stolen but not at the same time as their Social Security numbers, Equifax says.

For most of the 2.4 million new breach victims, the stolen data did not include addresses, the states that issued their driver’s licenses, or license issue or expiration dates.

Paulino do Rego Barros Jr., Equifax’s interim CEO, claims his company’s latest disclosure “is not about newly discovered stolen data.”

Instead, it appears that Equifax is still trying to get to the bottom of everything that attackers may have accessed in the massive data sets that the company knows were exposed. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers and making connections that enabled us to identify additional individuals,” he says.

Congressional Questions

No information has been released on who attacked Equifax. But the company admitted that it failed to quickly patch a known vulnerability in one of its installations of Apache Struts, a web application development framework (see Equifax’s Colossal Error: Not Patching Apache Struts Flaw).

Attackers accessed names, addresses, Social Security numbers and in some cases, driver’s license numbers. The breach also exposed credit card numbers for 209,000 U.S. consumers and credit dispute documentation for 182,000.

U.K. and Canadian consumers were also affected, but in a much lower volume than in the U.S., where personal data for most adults was exposed.

Equifax is facing a range of class-action lawsuits, probes by regulators and continuing questions from the U.S. Congress. And the reaction to the company’s latest disclosure was unsparing.

The U.S. Senate Committee on Commerce, Science and Transportation plans to query Equifax for more information related to the latest disclosure, says Sen. John Thune, R-S.D., chairman of the committee.

“The company knew the incident affected nearly the entire population of credit-active consumers in the United States and had every reason to believe this number could grow,” Thune says. “Equifax needs to put consumers first and shouldn’t be trying to clean up its mess in a piecemeal fashion.”

Money Rolling In

On Thursday, Equifax said that through Dec. 31, the breach had cost the company $114 million after insurance reimbursements, according to an 8-K filing with the U.S. Securities and Exchange Commission.

Before insurance reimbursements, breach-related costs totaled $164 million. Of that, $64.6 million went to product costs and consumer support, including the offer of prepaid credit monitoring and identity theft protection to U.S. consumers using Equifax’s own services, and $99.4 million went to professional fees.

Equifax received $50 million from insurance payouts.

Despite the breach, Equifax did well for its fourth quarter of last year. Revenue was $838.5 million, up 5 percent over the fourth quarter of 2016. Net income was $172.3 million, an increase of 40 percent from the same period a year prior.

Equifax also reaped a reward from President Donald Trump’s tax cuts. The company says it gained a net tax benefit of $48.3 million in the fourth quarter from the Tax Cuts and Jobs Act of 2017.

US Data Breaches Hit All-Time High

Millions of Payment Cards and Social Security Numbers Exposed 

Data breaches by attack type. (Source: Identity Theft Resource Center)

What do Aetna, Anthem, Chipotle, Dow Jones, Equifax, Forever 21, Hyatt Hotels, Kmart, Sabre, Trump Hotels, VeriFone, Verizon and Whole Foods Market have in common?

All suffered and disclosed a data breach in 2017. And they weren’t the only ones.

In fact, the Identity Theft Resource Center, a U.S. non-profit organization set up to help ID theft victims, reports that in 2017, the number of U.S. data breaches reached an all-time high.

In 2017, ITRC counted 1,579 U.S. breaches, up 45 percent from 2016. That doesn’t reflect every U.S. data breach last year. Rather, it’s a count based on the data breach notifications that an organization is legally required to issue to authorities or residents of most states, if it suspects that their personal details may have been exposed (see Health Data Breach Tally Update: A Puzzling Omission).

Hardest Hit: Business Sector

A new report from ITRC, sponsored by identity theft monitoring service CyberScout, finds that out of all 1,579 breaches, most hit the business sector:

  • Business: 55 percent;
  • Medical/healthcare: 24 percent;
  • Banking/credit/financial: 9 percent;
  • Education: 8 percent;
  • Government/military: 5 percent.

Of the 179 million records exposed last year, nearly 158 million were Social Security numbers, accounting for 88 percent of all exposed records, according to ITRC. Nearly 20 percent of breaches resulted in credit and debit card information being exposed.

Top Breach Vector: Hacking

Most breaches were the result of hack attacks, ITRC’s research determined.

Here’s a breakdown of how information got exposed in 2017:

  • Hacking: 60 percent, including phishing (21 percent), malware/ransomware (12 percent) and skimming (2 percent);
  • Unauthorized access: 11 percent; ITRC says this category involves “some kind of access to the data but the publicly available breach notification letters do not explicitly include the term hacking”;
  • Employee error, negligence, improper disposal or loss: 10 percent;
  • Subcontractor, third party or business associate: 8 percent;
  • Accidental exposure: 6 percent;
  • Insider theft: 5 percent;
  • Physical theft: 5 percent;
  • Data on the move: 2 percent.

Caveat: 37 percent of breach notifications fail to quantify the number of records – such as Social Security numbers and payment card data – that was exposed, ITRC reports.

Still, that’s an improvement from previous years, Eva Velasquez, ITRC’s president and CEO tells Information Security Media Group. “It is getting better,” she says. “We’re seeing more transparency from companies, including the actual number of records impacted.” In 2017, 13.7 percent more organizations released such information than did so in 2016.

More Information: Better

Releasing more details to victims is generally better. “Understanding the type of personal information that has been exposed is absolutely critical for affected consumers,” says Karen Barney, the ITRC’s director of program support (see Data Breach Notifications: What’s Optimal Timing?).

“While a Social Security number continues to be the most valuable piece of information in the hands of a thief, even the exposure of emails, passwords or usernames can be problematic as this information often plays a role in hacking and phishing attacks,” Barney says.

$3.5 Million Penalty for Five Small 2012 Breaches

Fresenius Medical Care North America Agrees to HIPAA Settlement 

In one of the largest HIPAA settlements ever, federal regulators have signed a $3.5 million settlement with a Massachusetts-based healthcare organization that reported five small health data breaches in 2012 involving lost or stolen unencrypted computing devices.

The breaches, which affected a total of about 521 individuals, were all reported to federal regulators on Jan. 21, 2013, by Waltham, Mass.-based Fresenius Medical Care North America. Under the HIPAA Breach Notification Rule, breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services within 60 days of discovery, while breaches affecting fewer than 500 individuals may be logged and reported annually, within 60 days after the end of the calendar year in which they were discovered.

Data exposed in the breaches included patient names, addresses, dates of birth, telephone numbers, insurance information, and, in some cases, Social Security numbers.

5 Largest HIPAA Penalties

Organization                                            Penalty
Advocate Health Care Network                            $5.55 million
Memorial Healthcare System                              $5.5 million
New York-Presbyterian Hospital and Columbia University  $4.8 million
Cignet Health of Prince George’s County                 $4.3 million
Fresenius Medical Care North America                    $3.5 million

(Note: All were HIPAA settlements except Cignet Health, which was a civil monetary penalty. Source: HHS)

FMCNA is a provider of products and services for people with chronic kidney failure; it has over 60,000 employees who serve over 170,000 patients. FMCNA’s network comprises dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers.

FMCNA was cited for failing to conduct a risk analysis, a common theme in OCR’s HIPAA enforcement activities.

“OCR’s investigation revealed FMCNA … failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI,” the agency notes in the statement. “FMCNA … impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the HIPAA Privacy Rule.”

Small Breaches, Big Penalty

The settlement is particularly notable because it shows that it does not take a breach that affects millions to get OCR’s attention, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.

“And just as we have seen in other OCR enforcement actions … an information security incident that results in a breach is seen to be a symptom of larger issues that indicate general failures to have appropriate safeguards in place,” he says.

“Just as there were common threads into how the incidents occurred, OCR found a systemic failure across Fresenius in which there had been a lack of attention to putting into place basic safeguards for electronic protected health information. Not only had FMCNA not conducted organizationwide information security risk analysis and risk management plans to address the vulnerabilities found by the assessment, there was a general lack of attention paid to protecting work stations and portable devices on which PHI was stored.”

While the provisions of a corrective action plan FMCNA agreed to carry out require taking action at only the five health centers that experienced breaches, Holtzman says it’s likely that the organization “will use this as a wake-up call to implement organizationwide changes into how it manages and safeguards its information system assets and protected health information.”

Five Breaches

The five breaches at the center of the settlement include these incidents:

  • On Feb. 23, 2012, two unencrypted desktop computers were stolen during a break-in at Fresenius Medical Care Duval, in Jacksonville, Florida. One of the computers contained the electronic protected health information of 200 individuals.
  • On April 3, 2012, an unencrypted USB drive, containing information on 245 individuals, was stolen from a workforce member’s car while it was parked in the lot at the Fresenius Medical Care Magnolia Grove facility in Semmes, Alabama.
  • On June 18, 2012, the FMCNA compliance line received an anonymous report that a hard drive from a desktop computer, which had been taken out of service to be replaced, had gone missing on April 6, 2012, from the Fresenius Medical Care Ak-Chin facility in Maricopa, Arizona. The hard drive contained information on 35 individuals. The workforce member responsible for it promptly notified the area manager, but the manager failed to report the incident to FMCNA’s corporate risk management department.
  • On June 16, 2012, an unencrypted laptop of a staff member at Fresenius Vascular Care in Augusta, Georgia, was stolen from her car while parked overnight at her home, where it was stored in a bag with a list of her passwords. The laptop contained the ePHI of 10 individuals.
  • On or around June 17-18, 2012, three desktop computers and one encrypted laptop were stolen from an FMC location in Blue Island, Illinois. One of the desktop computers contained the ePHI of 31 individuals.

Other Cases

The OCR settlement with FMCNA is the first for 2018, and one of only a handful of HIPAA enforcement actions handed down since the Trump administration took office a year ago.

In December, a federal bankruptcy court approved a $2.3 million settlement between OCR and bankrupt cancer care clinic chain 21st Century Oncology, pertaining to a 2015 cyberattack that impacted 2.2 million individuals. The payment was to be made by 21st Century Oncology’s cyber insurer, Beazley Group (see Bankrupt Cancer Clinic Chain’s Insurer to Cover Breach Fine).

In May 2017, OCR signed a $387,000 settlement with St. Luke’s-Roosevelt Hospital Center in New York to settle a case involving “careless handling of HIV information” for two patients (see Big Settlement in Privacy Case Involving 2 Patients’ HIV Data).

According to the resolution agreement, as part of a corrective action plan, FMCNA has also agreed to:

  • Conduct a risk analysis;
  • Develop and implement a risk management plan;
  • Implement a process for evaluating environmental and operational changes;
  • Develop a report regarding FMCNA’s implementation of encryption;
  • Review and revise policies and procedures on device and media controls;
  • Review and revise policies and procedures on facility access controls;
  • Develop an enhanced privacy and security awareness training program.

In a statement provided to Information Security Media Group, FMCNA says it takes the protection of patients’ health information “very seriously.”

FMCNA says the settlement with HHS OCR resolves “alleged HIPAA violations stemming from incidents that occurred in 2012, most of which involved theft of company computers and equipment. The settlement is not an admission that we violated HIPAA, and there is no evidence that any of our patients’ health information was improperly accessed or misused. We have and will continue to take additional steps to protect patient data. We strive to enhance security, better train staff and reduce incidence of equipment theft.”