"Notice of Data Breach"--Again and Again and Again

The Usual Playbook.

On September 3, 2024, I was notified by Change Healthcare (CH) that my data could have been stolen. In other words, I probably had not been protected. The letter can be summarized as follows:

  1. Cybercriminals penetrated CH's database,
  2. CH hired a "special" team to examine the breach and
  3. CH discovered that an individual's stolen data might include, but was not limited to, billing, insurance, and claim data, health data, health insurance data, Social Security number, driver's license number, and other ID numbers.

The good news is that the company acted. It notified law enforcement, strengthened its systems even more (The company added, "We do not want this to happen again."), and offered free credit monitoring service and insurance coverage for two years. I was puzzled by some of this.

First, the data is gone. I doubt that notifying law enforcement can get my data back, stop cybercriminals from putting it on the "dark web," or result in the culprits being apprehended. Of course, notifying the authorities was required.

Second, why weren't the systems made stronger before the breach?

Third, I have had four free credit monitoring services. Will one more matter? The company provides some identity theft insurance during the two years. (For insurance geeks, it is not clear if the coverage is on an occurrence or a claims-made basis.) This coverage overlaps with the other identity theft insurance coverage I already have with the same credit rating agencies. I am not sure if the coverages are layered on top of each other or if I only get one limit.

Of course, the company advised me to watch for any changes in inappropriate credit activity and to notify law enforcement if any criminal activities take place. Will it do me any good to notify law enforcement? After all, my complaint would be lumped in with millions of others. I doubt law enforcement is going to pay attention to my claim.

Dark Web.

While this information from CH was unsettling, it was not as bad as the information provided by credit rating agencies shortly after I received this letter. Two agencies told me my address, Social Security number, email, phone number, name, and date of birth, among other pieces of data, were now on the dark web. I'm not sure how all this information got there suddenly.

In fairness to CH, many large companies have had their data systems breached. I am not sure if this means the cybercriminals are brilliant or businesses are slack in protecting customers. Maybe both. I sometimes wonder if enterprises work on the "It is going to happen" paradigm. They assume they will be hacked and only prepare for handling the results of a hack. Treating the results of a data breach is probably less expensive than spending money to enhance security. Since hacking is so pervasive, companies can get away with ignoring data breach risks. Yes, there are costs associated with a data breach, but very few of those costs go to making customers whole for the financial damage that can be done but which may not be discovered for years.

There is no doubt that a person must keep their digital data safe to avoid emotional stress and asset loss, but how does an individual protect this type of property? How can we be made whole for the damage that has been done? How can future breaches be stopped?

Making Customers Whole.

The current reparations system does not make consumers whole. Providing limited free credit rating services, including limited insurance coverage, and making positive innuendos about enhancing systems are not equivalent to compensation.

Many years ago, I wrote a piece on class actions. In the blog, I recounted a dinner with F. Lee Bailey when he was in his prime. During the dinner, he opined that he wanted to start a class action against the world. A frivolous concept, I thought. What negligent act(s) has the world committed?

Now, I am not sure it was a frivolous idea. I may have a partial answer to the viability of this idea, at least for those living in the United States. The only way to seek relief for those injured when their data is not protected is to file a class action against all the companies that have failed to protect their customers' data. The potential plaintiffs would be many of the consumers in the country who get health services, use credit cards, debit cards, or checks, have an investment account, or use the Internet. I am not sure who the defendants would be. Where is a national plaintiffs' law firm when you need one?

I should add that Mr. Bailey did not want to represent the plaintiffs. His position was well thought out. He contended that litigation involving the world would take so long that the plaintiffs' lawyers would not live long enough to get paid their contingency fee. Instead, he wanted to be part of the defense team since those lawyers get paid by the hour. He was probably prescient. After all, the type of class action I am suggesting could take decades at best. Most of us would be deceased long before the companies who did not protect our data were taken to task.

Avoiding Future Breaches.

Governmental oversight: There are two ways to handle the problem in the future. One is to let government retain all databases; the other is to use AI more effectively. Government retention of data seems reasonable since the government already handles so much of our data. For my liberal friends, this might be appealing; you like governmental intervention. For my conservative friends, this might be viewed as catastrophic; you would scream, "Governments do not do anything right"--an exaggeration. However, I doubt governments could do a better job of protecting data. After all, the cybercriminals are really smart.

Relying on AI: Now to the use of AI. When I was twelve, my father got me a Social Security card with my number. I still have the card stuck away in some forlorn storage nook. I treasure that card. Somehow, it gave me a sense I was growing up. However, today, I am concerned someone will use my data, like the Social Security number that appears on the treasured card, to harm me financially or hurt my reputation; I need a new system to protect me. I may need to forget the cherished Social Security card memento. Now to how AI can help.

There are two ways AI may help protect consumers. One is for the federal government to use AI to generate a new Social Security number (or other pertinent data) for me every day. I would access it using biometric applications. This would help to protect me against cybercriminals. There would be no point in stealing my data because it would continually change. While there are severe programming complications to using this approach, it could make life easier for me. (A prototype program is already in place in our everyday activities.) Cybercriminals probably would find a way around AI-generated numbers; after all, they have all the time in the world, they are pretty smart, and in some cases have extensive funding from bad governmental actors.

A second way AI could help is by assisting in writing programs. AI could enhance the development of database software that is not easily hacked. Of course, there is the yin and yang problem. AI can help write programs that may be harder to hack, but cybercriminals can also use AI to hack programs written by AI. I'm not too fond of circular logic.

Realistically, there is no way we can protect ourselves. Data theft is a gift of our digital age that keeps on giving. Since the federal government reimburses citizens for many types of losses, maybe it is time for the government to provide lifetime free credit monitoring and identity theft services (including insurance) for every citizen.

Picture by Vecteezy.com.


Claude C. Lilly

The author has a Ph.D. in Risk Management/International Finance and has authored/co-authored more than 50 articles, books and monographs covering risk management to legal services. The author was the president of Presbyterian College and dean of the College of Business and Behavioral Science at Clemson University. He chaired the Charlotte Branch of the Richmond Federal Reserve and headed research centers at the University of Southern California and Florida State University.