The Human Impact of a Cyber Attack: What Brands Rarely Consider
by Kenneth Edwards
News flash! Headlines about cyber attacks don’t tell the whole story.
The world is in need of a reminder that the detrimental impacts of cyber attacks are not felt solely by faceless corporate behemoths. Cyber attacks affect real people every day. Yet, the impact on these individuals is rarely our focus. Society — and major media outlets — remain fixated on the consequences for business (e.g., dips in stock price, loss of brand deals or partnerships and leadership changes). But the impact on human lives is often found below the fold, if at all, and rarely brought to light.
In July of this year, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) released a joint Cybersecurity Advisory (CSA) providing information on the Maui ransomware, used by North Korean state-sponsored cyber actors since May 2021, targeting Healthcare and Public Health (HPH) Sector organizations.
Breaches have profound repercussions on the individuals involved, but the impact is even greater when personal health records are involved. According to security firm Sophos, the number of ransomware attacks on healthcare organizations increased 94% from 2021 to 2022. By now we are all familiar with ransomware and its impact on companies. But consider what these attacks mean for patients– whose data is processed, stored, and used for treatments and ongoing care by these healthcare facilities. Without exaggeration, you could make the argument that in no other industry are individuals more vulnerable.
Healthcare is extremely important to individuals across the United States, especially to those of the senior population. Healthcare providers are in a position of trust, and security is equally important to patients– especially seniors. However, many healthcare providers have not prioritized cybersecurity to commensurate with the risk and consumer concern.
When Compromises Become Personal
Recently, my mother was a part of an unfortunate event that affected both her healthcare and security. Like many others, her personal healthcare information was compromised by a third party in a recent data breach. My mother’s experience is going to forever change how she handles her healthcare. She no longer feels comfortable using an online portal to provide banking information or to view her personal medical information. And I completely get it, too.
Being in cybersecurity, my natural instinct was to address the issue, so I took it upon myself to sit down and interview my mother to understand how this affected her personally. My conversation with her went something like this:
[Me:] Before this incident, how much time did you spend thinking about cyber security and how cyber attacks might impact you personally?
[Mom:] I always felt that nothing is ever secure, and because of that, I didn’t give too much thought to cyber attacks and how it would have an impact on me personally. This is similar to watching a major event on the news, and never thinking that it would have an effect on you.
[Me:] What were your initial thoughts and feelings when you read the notification letter?
[Mom:] I felt violated, confused, nervous, and vulnerable. I also considered the possibility that the letter can be a scam itself. I didn’t know anything about PFC, or why they chose to contact me so late. I wish the letter would have come from Kaiser directly. After all, they are the company that I gave my personal information to. This made me feel even more insecure. I felt powerless because you are limited to the fact that you do not have an alternative healthcare provider.
[Me:] Were you aware that PFC had access to your personal data before you received this letter?
[Mom:] I have never heard of PFC, nor was I ever informed of their business relationship with Kaiser. I am sure that this may have been disclosed in the fine print, but I feel that Kaiser has a moral responsibility to inform and confirm that their customers are well aware of these types of business relationships.
[Me:] What are your thoughts on how long it took PFC to inform individuals about the breach? (For reference, the incident happened in February, but the notification came in July.)
[Mom:] To be blunt, it was flat out ridiculous. The fact that an event occurs that prompts me to take action, should be classified as urgent and important. This does not seem to be the case for Kaiser or PFC. Even when the letter came, it was very contradicting. PFC explained that the incident was contained, but also noted that a data breach occurred.
[Me:] Now that this has occurred will you change anything about how you share and secure your personal information?
[Mom:] Since receiving this letter, I have reached out to put a freeze on my credit. PFC offered to provide 1 year of free credit monitoring. This does very little to solve the issue. Rather than pushing you to a third party to monitor your credit by giving them your personal information, they should provide you with informative information. Some suggestions can be things like cybersecurity classes. This would better inform you and give you tools on how you can help protect yourself.
[Me:] Any other thoughts on this incident that you would like to share?
[Mom:] I wish this never happened to me. Moving forward, it will be hard to trust my primary healthcare provider, or any other organization that stores my information.
A Different Perspective on Data Breaches
After hearing my mother talk about this incident, I was able to see her perspective from a demographic point of view. As someone from a different generation, I never really gave much thought to the fact that many of the older population are still in transition, adjusting to an ever-changing digital landscape.
On a professional level, I can easily appreciate the “why” behind Kaiser’s actions, although maybe this could have been prevented if PFC had the necessary controls in place. And maybe my mother would not feel so bad if she was contacted immediately after the breach was discovered. At the end of the day, organizations need to consider the personal impact of events such as this one. After all, the ultimate goal is to give your customers 100% confidence that their information is safe and secure.
Kenneth Edwards is guest writer and assessment coordinator for CyberGRX. He is passionate about cybersecurity and values fairness, privacy, and accountability.
For more on how to manage your cyber reputation, protect your customers, and protect your organization from cyber vulnerabilities, we invite you to book a CyberGRX demo now.