Will ID Protection Offer Set New Standard?
Assessing Whether Others Will Be Influenced by BCBS Offer
Blue Cross Blue Shield plans' groundbreaking offer, in the wake of mega-breaches, of extended ID protection to all of the more than 106 million individuals covered by their insurance could set new expectations for breach response, some security experts predict.
In the aftermath of a breach, compromised companies often offer free credit monitoring and identity fraud protection services for a limited period of time, generally a year or two. That's why the July 14 announcement by the Blue Cross Blue Shield Association that each of its 36 affiliated Blues plans will begin offering free identity protection services to their members for as long as they're enrolled in the plans' insurance coverage is extraordinary.
Unprecedented Offer
"While this news seems unprecedented because this may be the first and largest such offering, in our 'Internet of Things' future, including the healthcare industry, something like this may eventually become standard business operations," says Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance.
The ID protection services, which will include credit monitoring as well as fraud detection and resolution, are being offered by all Blues plans, including those that weren't the direct target of hacker attacks that compromised systems at Anthem Inc., which resulted in a breach impacting more than 79 million individuals; Premera Blue Cross, which affected about 11 million; and CareFirst Blue Cross Blue Shield, which impacted 1.1 million.
All the Blues plans are offering the ID protection coverage, however, because of the far-reaching impact of those hacker attacks.
For example, Anthem has said it was also storing data for many members of other Blue Cross and Blue Shield plans.
Too Good to Be True?
Although details of the extraordinary offer are still being worked out, the association says the ID protection services will be made available no later than Jan. 1, 2016. Individual plans will be reaching out to members, who can opt in to sign up for the services, a BCBSA spokeswoman tells Information Security Media Group. Certain exceptions may apply, for instance, if an employer decides to opt out of the offering from a Blues plan, she said.
Not everyone is convinced, however, that the offer by the Blues plans is as generous as it appears.
"This offer raises lots of issues because it requires the data breach victim to affirmatively 'opt in' - they aren't automatically included, and it only lasts as long as you are insured by Blue Cross," says attorney Lynn Toops of the Indiana law firm Cohen & Malad LLP, which is representing plaintiffs in one of the many class action lawsuits filed against Anthem in the aftermath of the data breach.
The offer from the Blues plans "doesn't appear to address identity theft already suffered and the money paid to the Blue Cross/Blue Shield entities that wasn't used to secure the data in the first place, and we have heard reports that individuals are having issues with the two-year credit monitoring [already] offered by Anthem," she tells ISMG. "It is also yet to be seen whether the cost of these services will be passed on to customers by way of higher premiums."
An Example for Others?
Nonetheless, the offer by the Blues plans for extended credit protection for its enrollees is likely to make the offers by other breached organizations for the typical one or two years of credit monitoring seem paltry by comparison. Still, other breached entities will need to carefully evaluate whether they should follow the Blues plans' lead, Patterson says.
"The ability of companies who've experienced data breaches to assume the costs of this type of offer for perpetual or long-term credit monitoring will obviously need to fit into their operating budget," she says. "Many healthcare providers - such as hospital systems, private practice practitioners and health payers/plans - are not-for-profit. The financial operating model to offer these types of 'administrative' services to patients or plan members will need to be carefully evaluated."
Also, the offering of potentially expensive ID protection services to members could present health plans with various regulatory conflicts, Patterson says. For instance, certain federal regulations put limits on insurers' administrative costs "in order to ensure most of our premium dollars are spent toward quality patient care," she notes.
While the experts say they are not privy to the kind of arrangements the Blues plans have made with vendors to offer the credit monitoring services, commercial off-the-shelf prices often range from $10 per month per person to twice that amount, Patterson says. "When my previous employer offered credit monitoring services to employees - as a standing benefit, not as a result of a data breach - I believe they were able to contract a lower rate per individual account - a 'bulk' rate, so to speak," she says.
Higher Expectations?
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine also believes that the offer from the Blues plans could raise consumer expectations of post-breach ID protection coverage. But other organizations that have been breached will need to carefully assess the pros and cons of following the Blues plans' lead.
Long-lasting protection plans "are likely too pricey for healthcare providers to offer, especially as it could leave them providing identity theft protection indefinitely to patients who never receive services from them again," Greene says. "The BCBSA plans do not have a similar issue as they appear to be extending the offer only so long as the individual is a BCBSA member."
As for individuals affected by breaches, "I don't see a downside to having too much credit/fraud monitoring, but consumers do need to remain vigilant as the monitoring tools may provide alerts that the consumer must review," Greene says. "Sometimes the consumer will receive an alert that is a false positive, such as when a consumer moves and has to change addresses and open up new accounts. It can become easy to start ignoring the fraud alerts, which may lead to the consumer failing to take action when an alert identifies real identity theft issues."
Also, while many more consumers will now be protected by identity theft protection services as a result of the Blues plans' offer, this will not let other companies "off the hook" for offering credit monitoring in the wake of their own breaches, Greene says. "They cannot assume that all of their affected individuals are receiving identity theft protection elsewhere. And at least one state, California, requires that a minimum level of identity theft protection must be provided, although whether this requirement is applicable to HIPAA covered entities is not entirely clear."
Larry Ponemon, founder of Ponemon Institute, which conducts research into the costs of data breaches, contends that the offer by Blues plans for perpetual ID protection could prove to be "disruptive to the whole ID security marketplace." That's because if the Blues plans end up offering "watered down" ID protection that potentially lasts indefinitely for members, other breached companies could follow suit, he says. And that could potentially lower the standard of ID protection that consumers expect for free.