Checklist 398: The More Things Change…
Data Breach Fuels Credit Freeze Discussions Amidst Change Healthcare Hack
Following a significant data breach impacting millions, a renewed call to action encourages consumers to consider implementing credit freezes for added security. The recent cyberattack on Change Healthcare has exposed sensitive personal information, reigniting concerns about data protection and fraud prevention measures.
The Breach and What Was Exposed
In June 2024, Change Healthcare fell victim to a cyberattack, where a cybercriminal accessed their system using stolen credentials. Notably, Krebs on Security reported that Change Healthcare did not implement multi-factor authentication (MFA) on a Citrix portal that enabled remote access, a lack of security that has intensified scrutiny around the company’s data protection practices. The breach compromised various types of sensitive information, including health insurance data, personal health details, and financial records, in addition to highly sensitive personal identifiers like Social Security numbers and driver’s license information. Over 100 million individuals were affected, leading to widespread exposure of private data.
The Role of Credit Freezes in Safeguarding Personal Information
Given the breach’s severity, consumers are being advised to consider a credit freeze to protect themselves. A credit freeze, also known as a security freeze, restricts creditors from accessing an individual’s credit report, thus blocking any unauthorized attempts to open new lines of credit. According to USA.gov, consumers can lift these freezes as needed, temporarily or permanently, depending on the situation.
Credit freezes, however, are often underused due to misconceptions or fear of accessibility issues. Yet, recent breaches—such as the one involving Change Healthcare and another with National Public Data—underscore the urgency of personal data protection in an era where information can be bought and sold through data brokers or exploited following security lapses.
The Implications for Consumers and the Role of Data Brokers
The hack has also sparked discussion around data brokers who collect and sell personal information. Data brokers, frequently associated with data breaches or unauthorized data purchases, are significant players in the data market, making consumer information readily available to those willing to pay for it. Both the National Public Data breach and the Change Healthcare breach have highlighted this troubling reality, leading consumers to question who holds and protects their information.
As data breaches continue to expose personal information, experts advise consumers to proactively secure their credit profiles by enacting a credit freeze. While often perceived as a drastic measure, it remains a powerful tool in an environment where sensitive data is increasingly at risk. The Change Healthcare incident serves as a sobering reminder of the importance of both personal and institutional vigilance in data security.
Sources: Krebs on Security, USA.gov
Change Healthcare’s Response to Data Breach: Free Credit Monitoring and Calls for Consumer Security Freezes
Following the data breach at Change Healthcare, the company has announced its response, including offering affected consumers two years of free credit monitoring and identity theft protection. Security experts are urging consumers to freeze their credit files as an additional protective measure.
Change Healthcare’s Response to the Breach
In the wake of the breach, Change Healthcare notified affected customers that it has contacted law enforcement and strengthened its computer systems. Acknowledging the severity of the breach, the company is covering two years of credit monitoring and identity theft protection services for impacted individuals.
While the two-year offer is a start, some consumers argue that lifetime protection should be provided, given the lasting impact of exposed information like Social Security numbers and birth dates. However, cybersecurity expert Brian Krebs warns that relying solely on credit monitoring may not be enough. With the exposed data, identity thieves could still misuse information to open fraudulent accounts.
Security Freezes: A Necessary Step for Protection
According to Krebs, freezing credit files is a stronger measure than monitoring alone, blocking creditors from accessing an individual’s report and deterring potential identity theft. Freezing credit with the three major bureaus—Experian, Equifax, and TransUnion—can now be done easily and is free for all Americans. Krebs emphasizes that freezing existing accounts doesn’t affect current credit card or bank account usage and is as straightforward as completing a request online, by phone, or by mail.
Consumers are also advised to avoid opting for credit lock services instead of freezes. Credit bureaus often promote credit locks, which allow them to continue sharing data with select partners, whereas freezes completely block unauthorized access.
Two-Factor Authentication: Steps Toward Security
Change Healthcare has implemented two-factor authentication (2FA) for its free credit monitoring accounts, although it is limited to one-time codes sent via SMS or email. Krebs notes that while SMS-based 2FA provides some protection, it lacks the security level of more advanced options like code generators or biometrics.
Ongoing Monitoring: A Best Practice
To guard against fraud that may have occurred before placing freezes, consumers are urged to review their credit files regularly. Federal law entitles everyone to one free credit report per year from each bureau, but a recent Federal Trade Commission program extension now allows free weekly reports.
In the wake of Change Healthcare’s data breach, affected individuals should consider a credit freeze as a robust defense against identity theft. Though Change Healthcare has offered credit monitoring, security experts underscore the importance of additional, proactive security measures. With consumer data increasingly at risk, regular monitoring and freezing credit are becoming essential steps in personal data security.
Sources: Krebs on Security, Federal Trade Commission (FTC)
