The following is written by Marion K. Jenkins, PhD, FHIMSS, founder and CEO of QSE Technologies.
Chances are in the last week or so you have received an e-mail notification from a bank or a merchant alerting you to a data breach. You may get many of these, which you typically (or should typically) ignore.
However, you should pay attention to this episode because it involves a large e-mail marketing company named Epsilon, which has thousands of business customers, including some of America's largest banks and retailers. Recently its customer database was hacked, and the fallout could easily affect you, your employees and your patients. (CBS News also covered the breach.)
Apparently Epsilon's database contained no vital information such as Social Security numbers, bank account details or physical addresses. However, it is still a significant issue because the breach could involve tens of millions of consumers — Epsilon has thousands of corporate customers, including such household names as Best Buy, Citi and JPMorgan/Chase, each with thousands or even millions of customers. In addition, since Epsilon is an e-mail marketer sending out a reported 40 billion e-mails a year on behalf of its business clients — and their customers — the database contained very accurate and up-to-date e-mail addresses.
The biggest risk from this breach is so-called "spear-phishing" attacks. If a hacker knows you have a business relationship with a specific retailer or bank, they can send you a specific, targeted e-mail designed to look like it comes from a legitimate business with which you have a known relationship. Perhaps they will ask you to confirm a recent transaction or update a hotel reservation, or tell you that an item you recently ordered is now available. This greatly increases the chances that you will respond to such an e-mail and reveal banking or other information.
In addition, you have probably seen many e-mails that supposedly alert you to some security breach involving an account or service. You are likely to get a bunch of these from the Epsilon breach; we know people who received several such notifications within the first few hours. Those fake "security breach" e-mails may do more damage now, since it is widely known that many legitimate breach notifications are going out.
So here are some important do's and don'ts; they are good medicine even outside of this particular episode:
- Do not respond to any e-mail requests for information, even if it's a business you recognize.
- Do not click on any links embedded in an e-mail. If you get an e-mail saying your account with a merchant or bank has been breached, go to that website manually through a web browser, not by clicking on links.
- Do not fill out any online forms you get in an e-mail.
- Do not download any e-mail attachments.
- Always check your credit card and merchant statements for unauthorized or unusual transactions.
- Sign up for a credit monitoring/identity theft prevention service (and watch out as some of these are actually identity-theft scams).
- If you suspect your account has been compromised, change your password on that account. If, like most people, you use the same password on multiple accounts, change all of them. (For more information on this topic, e-mail me at marion.jenkins@qsetech.com for a list of "Ten Commandments of Passwords.")
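The advice above to type a merchant's address into the browser rather than click an e-mailed link rests on one fact: the text you see in a link and the address it actually opens are two separate things. The following is an added example, not code from the original column or from QSE Technologies, of how a mail filter or a cautious reader can check for that mismatch. The sample message is constructed, and the registrable-domain helper is a deliberate simplification (last two host labels, no public-suffix list), an assumption made to keep the example self-contained.

```python
"""Flag links in an HTML e-mail whose visible text names one domain
while the href actually points at another.

Added example, not part of the original column. The sample message below
is constructed; the domain comparison is a crude heuristic (assumption:
the registrable domain is the last two labels of the host).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample notice. The first link is honest, the second displays
# the bank's address but points elsewhere, the third makes no domain claim.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please review a recent transaction.</p>
<p><a href="https://www.bank.example/statements">www.bank.example/statements</a></p>
<p><a href="http://login.bank.example.evil-host.test/confirm">https://www.bank.example/confirm</a></p>
<p><a href="https://support.bank.example/help">Contact support</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: no public-suffix list, so country-code second-level domains
    are not handled; adequate for the sample, not for production use.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Return the host a URL-like string names, or None if it names none."""
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host if host and "." in host else None


def find_deceptive_links(html):
    """Return hrefs whose visible text names a different domain than the href."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = host_of(text)
        if shown is None:
            continue  # plain words such as "Contact support" claim no domain
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            flagged.append(href)
    return flagged


if __name__ == "__main__":
    for href in find_deceptive_links(SAMPLE_EMAIL):
        print("visible text and destination disagree:", href)
```

Run against the constructed message, the check reports only the second link: its text reads as the bank's own address, but the host it opens is under `evil-host.test`. Links whose text is ordinary prose are left alone, since they make no claim about where they lead; that is exactly why the column's advice to navigate manually is the safer habit.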
Marion K. Jenkins, PhD, FHIMSS, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com or contact Marion at marion.jenkins@qsetech.com.