Health Advisory Council Newsletter | Fall 2019 | New staff Q&A

Patricia Kelmar, JD

Director of Health Policy, NCL

We thought you might like to get to know NCL’s new Director of Health Policy, Patricia Kelmar, JD. Nissa Shaffi, NCL’s Health Policy and Program Associate, sat down to interview her.

Q. Can you tell members of the HAC a little about yourself? 

A. Prior to joining NCL, I was the Senior Policy Advisor for the New Jersey Health Care Quality Institute, a multi-stakeholder nonprofit committed to improving health care quality and safety, expanding access to care, and controlling costs for employers and consumers. I’ve also consulted with state-based nonprofit consumer advocacy groups, providing health policy analysis, strategic planning, media relations, project development and grant-writing. Prior to consulting, I was AARP New Jersey’s state advocate. I started my career with the Public Interest Research Groups, which taught me the power of organizing, and then I went to George Washington University Law School to learn how to craft policy.

Q. What drew you to NCL?

A. I have dedicated my career to nonprofit advocacy on behalf of consumers in the areas of health care, financial security, and consumer protection. NCL is the nation’s premier consumer advocacy organization and its mission resonated with my desire to amplify consumer voices and continue my work to improve health care and empower patients and consumers.

Q. What is your role at NCL?

A. As the director of health policy, I oversee, coordinate, and set priorities for NCL’s health policy program. I collaborate with our partners, who come from a broad range of healthcare stakeholders–patient advocacy groups, public health organizations, industry and health professional groups, academia, and government officials. I look for opportunities to add the consumer voice to improve access, affordability, and quality.

Q. You’ve been with NCL for two months now. How’s it going?

A. I’m pleased to be working with such a dedicated team of advocates within NCL. And our HAC members and other partners have been tremendously supportive during my onboarding. Just like my work in the states, there’s never a dull moment in healthcare policy in DC — from counterfeit drugs, to vaccines, to price/quality transparency. But I’m optimistic about the role that NCL can play in these and other important issues. It’s clear there is a need for the consumer perspective to be heard, and I’m going to work hard through NCL’s strong reputation to bring that patient/consumer voice into the room when policy is decided.

Q. Tell us something fun about you.

A. I’ve just moved back to Washington, DC after 20 years. My husband and I are renovating an old house in Alexandria. After a long day of health care policy, I turn to looking at paint chips, carpet samples, and closet layouts. Health policy seems less stressful!

The #DataInsecurity Digest | Issue 103

As fears over foreign election interference grow, Washington remains idle  

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Subscribe here. Tell us what you think.

Editor’s note: Ransomware continues to impact basic services at dozens of local agencies, including hospitals, while Congress appears to be largely sitting on its hands. Microsoft announced that Iranian hackers attempted to hack a major U.S. presidential campaign the same week researchers found U.S. voting machines “incredibly insecure.” In other news, nearly 5 million DoorDash customers, employees, and merchants had sensitive data stolen by hackers.

And now, on to the clips! 

—————–

Microsoft: Iranians attempted to hack U.S. presidential campaign. Security researchers at Microsoft found that a hacking group, which “originates from Iran and is linked to the Iranian government,” attempted to breach a presidential campaign and “tried to break into the accounts of current and former U.S. government officials, journalists covering politics and prominent Iranians living outside Iran.” (Source: NPR)

U.S. 2020 voting machines ‘incredibly insecure.’ Security researchers that “tested an array of voting machines and election systems that states plan to use in the next election… were able to crack into every machine they got their hands on. … All it took was a few days of tinkering on machines[.]” (Source: Washington Post)

DHS: No one can prevent another ‘WannaCry-style attack.’ Jeanette Manfra, the assistant director for cybersecurity for DHS’ Cybersecurity and Infrastructure Security Agency (CISA) commented: “I don’t know that we could ever prevent something like that,” referring to another WannaCry-style attack at a recent event. (Source: TechCrunch)

Breach du jour: 4.9 million DoorDash customers, merchants, workers. One year after the food delivery service’s previous breach, DoorDash has found its data compromised by another one. The latest breach allowed hackers to steal users’ “name, email and delivery addresses, order history, phone numbers and hashed and salted passwords[.]” The breach also compromised driver’s license information on “[a]round 100,000 delivery workers[.]” (Source: Tech Crunch)

Data breach used to file bogus anti-net neutrality comments. In the summer of 2017 millions of fake anti-net neutrality comments were filed in the runup to the FCC’s rollback of its 2015 net neutrality rules. News has now come to light that many of these fake comments were made possible because of a data breach. “In one particular group of 1.9 million comments, according to BuzzFeed News’ analysis, 94% of the email addresses belonged to people who had fallen victim to a hack known as the Modern Business Solutions data breach, in which millions of people’s personal information, including full names, birthdates, home addresses, and email addresses, had been stolen.” (Source: Buzzfeed)

Breach du jour part deux: 218 million Words With Friends users. The hackers, who gained access to a trove of user data in September, were able to scoop up users’ “email addresses, login IDs, hashed (scrambled) passwords, Zynga account IDs, and in some cases, phone numbers and Facebook IDs.” (Source: Consumer Reports)

Quick hit: Three hospitals close due to ransomware attack. The hospitals are located in Alabama and have asked ambulances to take patients elsewhere whenever possible. (Source: BBC)

As ransomware continues to ravage cities, Washington remains idle. @timstarks observes that while “lawmakers have offered few ideas on how to respond to the wave of ransom-seeking cyberattacks that have struck at least 80 state and local government agencies … Members of Congress have introduced only four pieces of legislation since January that even mention the word ransomware. None would begin to address the full scope of the attacks that experts say will become only more numerous and severe.” (Source: Politico)

National Consumers League
Published October 10, 2019

The #DataInsecurity Digest | Issue 102

Ecuador leaks personal data for its entire population 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Anger over FTC missteps in the Equifax settlement is growing, with more than 200,000 consumers signing a petition urging the courts to reject the record settlement. As ransomware attacks continue to bedevil companies and governments around the world, many are questioning whether the availability of cyber insurance (which can be used to pay ransoms) may be contributing to the uptick in attacks. In breach news, 20.8 million records from the country of Ecuador, which detailed the entire population’s most sensitive data, have been compromised. Back in the United States, FEMA accidentally shared the personal information of 2.5 million disaster survivors, and 5 million medical records were left easily accessible on the web.

And now, on to the clips! 

—————–

FEMA accidentally shared personal information of 2.5 million disaster survivors. FEMA admitted that “it unintentionally shared home addresses and banking information with a third-party contractor.” @RaquelMartinTV reports that FEMA is not “sure if anyone’s data has already been compromised.” (Source: NBC4)

Breach du jour: Personal information for the entire country of Ecuador. Records of 20.8 million people were found on an unsecured server in Miami, apparently including the personal data of every citizen of Ecuador. The breach compromised individual names, dates, and places of birth, addresses, marital statuses, educational information, employment statuses and locations, tax information, and bank account data such as users’ balance, financing, and credit information. (Source: Forbes)  

Breach du jour part deux: 5 million medical records. “Medical images and health data belonging to millions of Americans, including X-rays, MRIs and CT scans, are sitting unprotected on the internet and available to anyone with basic computer expertise. The records cover more than 5 million patients in the U.S. and millions more around the world.” (Source: ProPublica)  

Yahoo! offers breach victims the choice of cash or credit monitoring. Victims who choose the cash option can claim up to $100. “However, actual payouts for all claims could be much lower if the total amount claimed exceeds what’s available from the $117.5 million settlement. The settlement class potentially includes up to 194 million people, so these amounts would be paid in full only if the vast majority of eligible people don’t ask for money.” (Source: Ars Technica)

Quick hit: Congress to advance legislation designed to help cash-strapped state and local governments beef up cybersecurity. (Source: State Scoop)  

Cyber insurance blamed for spike in ransomware attacks and payment demands. @katiefoody reports that “some cybersecurity professionals are concerned that insurance policies designed to limit the damage of ransomware attacks might be encouraging hackers, who see insurers covering increasingly large ransoms and choose to target the type of institutions likely to have coverage… . This year alone, the average ransom payment climbed from $12,762 at the end of March to $36,295 by the end of June — a 184% jump.” (Source: Washington Post)  

Petition against Equifax breach settlement gains 200k+ signatures. Anger over what many view as a weak FTC settlement with Equifax appears to be growing. “The petition argues that the terms of the deal as presented to the public are misleading and most of the customers affected won’t see any recompense over the breach. With only $31 million actually allocated to fund this portion of the settlement, less than ONE PERCENT (roughly 248 thousand out of over 148 million) could receive this money.” (Source: ThreatPost)  

National Consumers League
Published September 26, 2019

The #DataInsecurity Digest | Issue 101

Google warns of new iPhone hacking scheme while Texas towns continue to struggle with ransomware attack

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: As Texas continues to reel from its ransomware attack, Google researchers discovered a massive attempt to hack into consumers’ iPhones via booby-trapped websites. Google admitted its own security problems, too, with a vulnerability in its calendar app potentially affecting 1.5 billion users. In other news, Facebook received additional negative headlines after word spread that hundreds of millions of users’ phone numbers were compromised by being stored on an unsecured server.

And now, on to the clips! 

—————–

Hackers attempt mass iPhone hack. Google security researchers “discovered a small collection of hacked websites that exploited vulnerabilities in Apple’s smartphone software. ... Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant.” Google estimates that these hacked websites received thousands of visitors each week. @Iyengarish reports that, “the implant was capable of giving hackers access to iPhone users’ contacts, photos and location, as well as data from apps like iMessage, WhatsApp, Telegram, Gmail and Google Hangouts.” (Source: CNN)

Texas ransomware update: Half of affected agencies are still not back up and running. Texas authorities have admitted that at least 10 of the 20+ local agencies have still not recovered from the ransomware attack, which took place on August 16. (Source: Associated Press) 

Google confirms vulnerability of calendar app to phishing attacks. After a spate of news stories noting that a security vulnerability could impact the 1.5 billion users of its calendar app, Google confirmed it. “When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their messages to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it,” writes @happygeek. “Those links can lead to a fake online poll or questionnaire with a financial incentive to participate and where bank account or credit card details can be collected.” (Source: Forbes) 

Bolton’s departure leaves murky cyber legacy for Trump Administration. Earlier this week, John Bolton made a dramatic exit from the Trump Administration. Bolton’s cyber legacy as the national security advisor will likely be mixed; on one hand Bolton was something of a cyber hawk, repeatedly warning “U.S. adversaries that the Trump administration would use its cyber warriors to punish them for jeopardizing American interests.” And yet, on the other hand, he undermined U.S. ability to respond to cyber threats by “eliminating the White House cybersecurity coordinator position and downgrading the rank of the homeland security adviser, who supervised the coordinator and oversaw all cyber policy matters.” (Source: Morning Cybersecurity)

Breach du jour: Hundreds of millions of phone numbers linked to Facebook accounts. @zachwhittaker reports that “the exposed server contained more than 419 million records. ... But, because the server wasn’t protected with a password, anyone could find and access the database. Each record contained a user’s unique Facebook ID and the phone number listed on the account.” Facebook’s latest cyber incident places its users at risk of spam calls and SIM-swapping attacks. (Source: Tech Crunch)

Perspective: Why is Mitch McConnell blocking all election security bills? One former Obama official speculated to @Joseph_Marks_ that Leader McConnell could be “concerned about the political fallout for Republican senators, several of whom have supported and even co-sponsored election security bills in the past. ‘It would put Republican senators in an awkward spot of having to vote against election security or vote for it and potentially anger Trump or anger some of his base if he were to tweet how bad the bill is.’” (Source: Washington Post)

Google agrees to pay $170 million to settle allegations that it illegally collected children’s data. The settlement comes after Google “bragged to toy makers such as Mattel and Hasbro about its popularity among children. In one boast cited by regulators, YouTube claimed to be watched by 93 percent of tweens.” @washingtonpost reports that the fine amounts “to less than two days’ worth of profits for the tech giant.” (Source: Washington Post)

REMINDER: Multifactor authentication still blocks 99.9 percent of all automated attacks. (Source: ZD Net) 

IRS identity theft enforcement actions plummet by more than 75 percent. A new audit from the Treasury Inspector General for Tax Administration found that the IRS opened a mere 75 identity theft cases in 2017 compared with 263 in 2013. @DerekDoesTech reports that “the Criminal Investigations Division has been squeezed over the past decade, losing more than 380 special agents (15% of the division’s total workforce)[.]” (Source: FCW)

Your state’s DMV could be selling your personal information to private investigators. @josephfcox found that departments of motor vehicles in states across the country are selling the personal data of their customers to private investigation firms, sometimes for as little as one cent per record. Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, commented that “[t]he selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking… For survivors, their safety may depend on their ability to keep this type of information private.” (Source: Motherboard)

National Consumers League
Published September 12, 2019

The #DataInsecurity Digest | Issue 100

Massive biometric data breach raises concerns for long-term data security

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Researchers have discovered fingerprints, facial recognition data and passwords were inadvertently leaked by a British security firm, compromising some of the most sensitive data for more than a million consumers.

In other news: at least 20 Texas municipalities are battling a ransomware attack; the porn accounts of 1.2 million users have been compromised; and around 10 million dating app users’ geolocation data have been leaked.

Finally, a big “huzzah” to the entire #DataInsecurity Digest team for our 100th issue! Special kudos to NCL staffers Carol McKay, Taun Sterling, and Brian Young for making yours truly look good every other week! And, of course, thanks to all of our loyal readers for making the Digest a success! If you like this email, share it widely and encourage your friends and colleagues to subscribe!

And now, on to the clips! 

—————–

Millions of pieces of biometric data leaked. This massive breach includes the “fingerprints of over 1 million individuals, face recognition information, unencrypted names and passwords, and other personal info.” @techreview comments that the data leak “strikes at the heart of one of the big fears and criticisms about the increasing use of biometrics: You can change your username and password with a couple of clicks. Your face is forever.” (Source: MIT Technology Review)

At least 20 municipalities in Texas suffered a ransomware attack. Government officials would not release the names of the entities affected by the breach “for security reasons.” (Source: The Hill)  

Breach du jour: 1.2 million pornography accounts. The adult content sharing site Luscious exposed the personal information of nearly 1.2 million of its users. Of the breach victims, “many users joined Luscious using their government email addresses,” which inflicts “a great deal of additional vulnerability,” to the breach victims. (Source: IT Pro)

Breach du jour part deux: Tens of thousands of MoviePass customer credit cards. “Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.” (Source: Tech Crunch)   

Smart ovens are turning themselves on. While the smart oven company, June, blames this fire hazard on “user error,” the company “is planning an update that’ll hopefully remedy the situation and prevent it from happening again, but that change isn’t coming until next month.” (Source: The Verge)

Suggested reading: How much damage could a hacker do with just a victim’s phone number? (Source: New York Times)

Cyber threats against financial institutions increased by 56 percent in the last 12 months. Researchers “found more than 8.9 million security events in a 12-month period. Brand abuse and manipulation was the most common threat, with more than 250,000 events. Ninety percent of these were name impersonations, often not easily detected due to disguising tactics.” (Source: Dark Reading)

Grindr, Romeo, Recon, and 3fun expose users’ exact location. Together, the four dating apps boast around 10 million users. The breach of location data has the potential to increase discrimination. @alexlomas comments that, “aside from exposing yourself to stalkers, exes and crime, de-anonymizing individuals can lead to serious ramifications. … In the UK, members of the BDSM community have lost their jobs if they happen to work in ‘sensitive’ professions like being doctors, teachers, or social workers. Being outed as a member of the LGBT+ community could also lead to you losing your job in one of many states in the USA that have no employment protection for employees’ sexuality.” (Source: Threat Post)

  

National Consumers League
Published August 29, 2019

The #DataInsecurity Digest | Issue 99

Millions of Intel processors, Boeing 787 planes, and WhatsApp all found to have major cyber vulnerabilities

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Cyber researchers were busy this week as new vulnerabilities were found in WhatsApp, Boeing 787s and millions of newer Intel processors. In other news, after the Federal Trade Commission (FTC) announced their settlement with Equifax, they are weathering a publicity fiasco after an ‘unexpected’ number of breach victims began filing for compensation and worries grew that the fund was not large enough to pay out to everyone at the promised amount.

And now, on to the clips! 

—————–

Millions of newer Intel microprocessors vulnerable to hackers. @zpring reports that Intel microprocessors manufactured after 2012 “are vulnerable to a new type of side-channel attack dubbed SWAPGS.” SWAPGS is like the previously announced Spectre and Meltdown vulnerabilities and “could allow a hacker to gain access to sensitive data such as passwords and encryption keys on consumer and enterprise PCs.” This newly discovered vulnerability “bypasses all known mitigation mechanisms implemented in response to Spectre and Meltdown.” (Source: Threat Post)  

Cybersecurity vulnerability discovered in Boeing 787. The vulnerability could allow “a multistage attack that starts in the plane’s in-flight entertainment system and extends to highly protected, safety-critical systems like flight controls and sensors.” While Boeing flatly denies the existence of the vulnerability, researchers say the “flaws uncovered in the 787’s code” represent a “troubling lack of attention to cybersecurity…” (Source: Wired)

Vulnerability in WhatsApp allows hackers to edit messages. Researchers have discovered ways in which a malicious actor could alter messages in WhatsApp, “essentially putting words in [someone’s] mouth.” The vulnerability also “allows [hackers to] change the identity of the sender of content in a group chat.” Security researcher @Od3dV commented that “a malicious actor would not have to crack Facebook’s end-to-end encryption in order to do this… the process was ‘not so complex to perform.’” The security vulnerability has not been fixed and remains an issue. (Source: Financial Times)

‘Historic’ Equifax settlement may provide less relief than promised. Initially, victims were given the choice of free credit monitoring or a $125 settlement check. But, due to the limited funds Equifax agreed to provide for the fund and the “unexpected” demand for the settlement check option, the FTC is now cautioning “that if everyone eligible requests the money over the monitoring, your benefit will be nowhere near $125.” (Source: CNET)

Facebook fails to stop class-action lawsuit over biometric data collection practices. Class members alleged that the social media giant “secretly amassed the world’s largest privately held database of consumer biometric data,” without their knowledge or consent. Facebook argues that victims were free to opt-out at any time. (Source: Bloomberg)

In wake of Capital One breach, congressional scrutiny focuses on Amazon. In a letter to Amazon, the company that managed the cloud service responsible for the Capital One breach, Senator Ron Wyden (D-OR) argued that, “[w]hen a major corporation loses data on a hundred million Americans because of a configuration error, attention naturally focuses on that corporation’s cybersecurity practices… However, if several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches.” (Source: Wall Street Journal)

Suggested reading: The Capital One breach autopsy

Breach du jour: Stock X. The online clothing marketplace appears to be the latest retailer to suffer a data breach. @zackwhittaker reports that “customer names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information such as shoe size and trading currency,” were compromised. (Source: TechCrunch)

National Consumers League
Published August 15, 2019

The #DataInsecurity Digest | Issue 98

Settlement with Equifax, Capital One hack put spotlight back on financial breaches 

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: This week Capital One announced a massive breach affecting 100 million accounts. The full details of the breach are not yet known, but we know that at least 140,000 Social Security numbers and 80,000 bank account numbers have been compromised. Meanwhile, regulators continued to strike back against the seemingly endless string of data breaches when they announced a settlement for the Equifax breach, which will provide consumers with either free credit monitoring or access to a settlement fund.

And now, on to the clips! 

—————–

Breach du jour: 100 million Capital One accounts and credit applications. Investigators believe that the breach has compromised “140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information[.]” (Source: CNN)  

Hackers take aim at schools. Data rich, yet financially strapped, educational institutions make for a tempting target for hackers. Unfortunately, “it may be a while before schools’ defenses are able to catch up with the abilities of the hackers who target them,” commented George Washington University’s Eva Vincze. “Most school systems, especially in small communities, do not have the resources to keep up with each generation of threats that bad actors come up with[.]” (Source: New York Times)  

String of laboratory data breaches grows to 22+ million accounts. Clinical Pathology Laboratories joins the list of laboratories affected by a breach at payment processor American Medical Collection Agency. “LabCorp was first hit with 7.7 million patients affected, then 11.9 million Quest Diagnostics patients were next. BioReference Laboratories pushed the breach over the 20 million mark.” (Source: TechCrunch)

Equifax reaches $575-$700 million settlement with FTC. Last week, in addition to agreeing to reimburse victims for time and expenses incurred because of the breach, Equifax also agreed to provide four years of credit monitoring and identity protection from the three major credit bureaus. “After those four years, Equifax is offering six extra years of credit monitoring. If consumers in the class action already have credit monitoring, they can be paid $125.” (Source: Market Watch)  

Quick reminder: ‘Deidentified data’ can easily be reidentified. (Source: New York Times)

Facebook’s record-breaking $5 billion fine: FTC wanted more. @tonyromm reports that the Federal Trade Commission attempted to fine “Facebook not just $5 billion, but tens of billions of dollars, and imposing more direct liability for the company’s chief executive, Mark Zuckerberg. Facebook, however, fiercely resisted…” and with a revenue of $55 billion, which amounts to “200 times the budget afforded to the federal regulators, [the FTC] settled for less.” (Source: Washington Post)

Suggested reading: One data breach forced a victim to change their name and move their family to a new home. (Source: ZD Net)

As demand for cyber insurance increases, insurance agencies getting cold feet. @jeffstone500 reports that “despite all the demand… insurers are now re-thinking whether it’s in their best interest to keep offering the plans that help clients recover from devastating cyberattacks… it’s just difficult to gather the information necessary to build the mathematical models that determine how to assign risk.” (Source: Cyber Scoop)  

National Consumers League
Published August 1, 2019

The #DataInsecurity Digest | Issue 97

Regulators strike back as new data puts cost of breaches at $45 billion annually

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s note: Corporations were put on notice this week as both EU and U.S. regulators imposed record-setting fines. While UK regulators assessed fines against both British Airways and Marriott, the Federal Trade Commission (FTC) reportedly voted to levy a massive $5 billion fine against Facebook. Only time will tell if the regulators’ actions will spur companies to take meaningful steps to curtail data breaches, which the Internet Society estimated inflicted over $45 billion in losses in 2018 alone.

And now, on to the clips! 

—————–

FTC reportedly approves massive $5 billion fine against Facebook. The fine is not only the largest ever levied “against a tech company that broke a past promise to the government to improve its privacy practices” but it is “more than 200 times greater than the previous largest fine.” (Source: Washington Post)

ICE officials search state driver’s license databases without citizens’ knowledge or consent. In at least three states, Immigration and Customs Enforcement (ICE) officials have “requested to comb through state repositories of license photos,” using facial recognition. At least two states, Utah and Vermont, complied. (Source: New York Times)

House Energy and Commerce Committee looks toward Fall 2019 for release of privacy bill. Aides for the committee identified two major sticking points for the bill. The first being state preemption and the second “lies in whether or not the bill should give consumers the right to sue companies for data breaches. ...” “One of the aides said that although his office expects the language [a private right of action] to be included in the bill, it could upset moderate Democrats involved in the discussions.” (Source: Morning Consult)

UK regulators propose fining British Airways $230 million. The fine comes in response to the airline’s 2018 data breach, which compromised about a half-million passenger records. The fine “represents the latest and by far biggest penalty initiated by national-privacy regulators across the European Union since the enactment last year of [GDPR].” (Source: Wall Street Journal)

UK regulators fine Marriott $123 million. Marriott’s costly fine was in response to a data breach the company suffered last year affecting around 383 million guests, 30 million of whom resided in the EU. “The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott ‘failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.’” (Source: Tech Crunch)

Lake City, FL hit with ransomware attack. The city’s misfortune is another in a growing trend of ransomware attacks on local governments. “Experts on cybersecurity say the growing number of attacks and escalating ransom demands suggest that cyberattacks have found a ripe target: small governments with weak computer protections and strong insurance policies. The [ransom] payments keep coming even as the F.B.I. says they might be incentivizing more attacks.” In the case of Lake City, Florida, many of its files remain locked even after paying the hefty ransom. (Source: New York Times)

Google admits to listening to smart device recordings. An investigative report found “many recordings that had been captured inadvertently, without users activating their devices.” Google “emphasized that … audio recordings are not tagged to users’ accounts in Google’s review system.” However, despite Google’s claim, journalists were “able to link some audio snippets to the users who were captured on the recordings because they included sensitive, identifiable information.” (Source: The Hill)

In 2018, there were more than 2 million cyber incidents. The report put out by the Internet Society’s Online Trust Alliance also estimated that the incidents inflicted at least $45 billion in losses. The organization predicted that its numbers were on the low side because “it is still the case that most incidents go unreported.” (Source: The Internet Society)

National Consumers League
Published July 18, 2019

NCL health policy updates | Health Advisory Council Newsletter | 2019 Q2

NCL health policy at work

ICYMI: Fifth Annual Spring Membership Meeting

On June 20, NCL hosted the Fifth Annual Spring Membership Meeting of its Health Advisory Council. In light of the ongoing measles outbreak, NCL devoted this meeting to effective vaccine policies to ensure herd immunity. The meeting featured a panel of experts engaged in the issues surrounding immunization.

Panelists included Health Reporter Lena Sun, from the Washington Post; Dr. Melinda Wharton from the Centers for Disease Control and Prevention (CDC); Kim Nelson, founder of South Carolina Parents for Vaccines; and DC-based pediatrician and immunology expert, Dr. Linda Fu of Children’s National Hospital.

The panelists talked about the anti-vaccine and vaccine hesitancy movement and the record number of measles cases in the US, the largest since 1992. Panelists pointed out key differences between vaccine-hesitant and anti-vaccine sentiments and discussed strategies for framing the issue for vaccine-hesitant parents.  

Click here for a summary of the panelists’ remarks.

Script Your Future Medication Adherence Team Challenge

In May, NCL concluded the eighth annual Script Your Future Medication Adherence Team Challenge. From January 21 through March 22, inter-professional teams—including student pharmacists, doctors, nurses, and others—implemented outreach activities in their communities to raise awareness and improve understanding about medication adherence, using Script Your Future materials. This year’s winners were Pacific University (OR) and the University of Pittsburgh (PA). Since the Challenge began in 2011, more than 18,800 future health care professionals have directly counseled nearly 78,000 patients and reached more than 26 million consumers about the importance of medication adherence. To read the official press release announcing the winning teams, please click here.

Vaccine advocacy

NCL is a strong supporter of vaccines as extremely safe and effective and has been actively engaged this quarter in educating consumers about the importance of vaccines in protecting themselves, their families, and their communities. NCL issued a statement supporting measures taken by the New York state legislature in eliminating religious exemptions for vaccines. NCL emphasized that non-medical vaccine exemptions put young children and immunocompromised individuals, who are unable to get vaccinated, at risk for contracting dangerous illnesses.

Following the Spring Health Advisory Council Meeting, NCL’s Executive Director Sally Greenberg testified at the June 2019 Advisory Committee on Immunization Practices (ACIP) meeting. Greenberg’s testimony amplified pro-vaccine voices and urged the Committee to maintain its recommendation for the pneumococcal vaccine, PCV13, for adults ages 65+. Greenberg emphasized the critical role that a positive recommendation of this vaccine would have for Medicare coverage, and in turn, its effect on access and implementation among vulnerable populations.

Counterfeit drugs and importation

NCL continues to have a strong focus on counterfeit drugs. On April 22 and April 26, NCL issued statements on drug importation legislation introduced in Florida and Oregon. NCL expressed concern that these bills would open the U.S. market to a flood of counterfeit and substandard drugs, putting patient health and safety at risk. Rather than considering misguided importation proposals, NCL encouraged Congress to strengthen our drug supply chain and pursue other strategies to ensure the affordability and accessibility of safe and effective prescription drugs.

Counterfeit drugs consumer education campaign

NCL’s Health, Fraud, and Communications teams are currently in the process of reviewing content for the Counterfeit Drugs Consumer Education Campaign. We anticipate launching the campaign in the fall of 2019. Please contact Nissa Shaffi at nissas@nclnet.org for information about how your organization can join this resource-rich platform to educate consumers on making smart decisions.

Surprise billing

On May 17, NCL’s Health Policy and Programs Associate, Nissa Shaffi, participated in a Capitol Hill briefing on surprise billing, or out-of-network balance billing, sponsored by America’s Health Insurance Plans (AHIP). The briefing featured a panel of experts from the Brookings Institution, the American Federation of State, County and Municipal Employees, and the American Benefits Council.

NCL provided insight into the consumer perspective regarding surprise billing, urging a multi-stakeholder solution to the growing issue. We urge Congress to act and protect patients from outrageously expensive bills that have caused consumers to make difficult choices between seeking medical treatment and food or housing.

Reproductive rights

In May, NCL released a statement objecting to bills in six states banning or curtailing the right to abortion through various means. NCL strongly opposes the proposed measures, as they will undoubtedly endanger women’s lives by restricting their ability to make safe and informed decisions about their bodies. NCL advocates that women should have the right to make their own reproductive choices in consultation with their healthcare providers.

Health Advisory Council Newsletter | 2019 Q2 | Member Q&A

Matt Eyles

President and CEO
America’s Health Insurance Plans (AHIP) 

Q. What is your role at AHIP?

A. As president and CEO of America’s Health Insurance Plans, I partner with our industry’s leaders to fulfill our shared mission and vision for health care in America. Together, health insurance providers are working to expand access to affordable healthcare coverage to all Americans, through a competitive market that fosters choice, quality, and innovation.

Q. In 100 words or less, what do you think Council members should know about AHIP? 

A. AHIP is the national association whose members provide coverage and health-related services. We serve as a strong, unified voice for an industry that is leading the way in transforming health care for patients and consumers. Our advocacy is centered around improving health care by delivering better health, better affordability, and better financial security for every American. When patients have more choice and control, people can get the care they need when they need it, at a price they can afford.

Q. Please tell us about some of AHIP’s current initiatives.

A. We have several priorities and initiatives that we’re really excited about. First, we are calling for an end to surprise medical bills – because patients should be protected, particularly when they’re at their most vulnerable. Second, we are working hard to bring down drug prices for all Americans. Third, we are engaging with consumers to understand how we as an industry can deliver greater value for them, making health care more affordable, accessible, and easier to use.

One of our most exciting initiatives is the recent launch of Project Link – which delivers on a Board-level commitment to bring together the best thinking on how to effectively address social barriers to health and long-term well-being. We know a person’s health is influenced by many factors outside of health care, including the conditions in which they are born, grow, live, work, and age. Project Link brings together health insurance providers and potential partners to address issues from housing to healthy eating to transportation. It will establish clear, collective strategies and goals to ensure new programs to address social determinants of health are scalable, sustainable, and measurable in improving health and affordability for everyone.

Q. What is AHIP doing to change the way people think about and approach health care?

A. While healthcare works for hundreds of millions of Americans today, we know we can do better. And we all have a role to play. AHIP is collaborating with other healthcare leaders to identify and advocate for real solutions. We are committed to working together to improve what’s working and fix what’s not, until every consumer has affordable coverage, access to high-quality care, and control over their health care choices.

We want people to understand that health insurance providers are their advocate, negotiating with doctors, hospitals, and drug makers for lower prices for them. We are working with doctors, nurses and hospitals to break down barriers to good care, so that people get the care they need, when they need it, without hassle. We are a vocal supporter of comprehensive coverage that covers pre-existing conditions, preventive care, and management of chronic health conditions. Because when you do better, we all do better. And American families get the peace of mind that comes with knowing that they’re getting the care they need at a cost they can afford.

Q. What do you hope to get out of your engagement with the Health Advisory Council and other fellow members?

A. The Health Advisory Council includes many leading organizations that share our commitment to improving health care. Through our participation in the Council, we hope to find more opportunities to work together for real solutions that improve affordability, choice, and value for patients and consumers. From removing barriers that make it hard for people to find coverage that works for them. To helping people get educated on how to maintain their best health. To helping them understand their options for getting the care they need. To helping them get the healthcare information they need, when they need it, in a form that’s meaningful for them. When we work together to find real solutions to the challenges that touch people where they live, work, and play, we truly help people get healthier faster – and stay healthier longer.