Lessons from the Eye Doctor: Protecting Your Identity
September 2, 2015
By Greg Wasson, End Point Security Program Manager

Earlier this month, I stopped in to my optometrist’s office for a routine appointment. The office is small, situated in a building that’s a bit removed from the main road. As with many of my previous eye appointments, I sat down with the person at the counter so she could pull up my prescription information on the computer and review my insurance benefits for the final pricing. Apparently a password was required to access this information, which the woman behind the counter helping me didn’t have. She called across the room to the other clerk for the updated password and was told the password was already in the computer system. She continued to discuss the password out loud with her colleague, and even turned to me and said, “Redacted1, whoever came up with Redacted1?” She gave me, a stranger for all intents and purposes, the password that provides access to sensitive customer insurance information.

Once logged into the system, the next step was to pull up my specific insurance information to see my benefits. She found my records and then asked me for my social security number so she could access my information. As a general rule, I try not to provide my social security number if there is another method of verifying my identity. In this case, that other method was my insurance ID number, which they already had. After seeing the complete disregard for password security, I was even more sure that I would not be providing my social security number! Ultimately, she was able to get what she needed without it.

Lessons Learned

I was very much taken aback by the lack of regard for computer security in that office. Combining health insurance information with lax computer security is the holy grail of identity theft, not to mention HIPAA violations.

This is a reminder of how important it is to train end users on why security is vital. Often, if someone does not realize the value of the information on their computer, they aren’t as concerned with breaches. However, a compromised computer could be used for many purposes, such as sending spam, keeping stolen information, or attacking other computers. When you add access to large amounts of personally identifiable information, the target computer becomes all that much more valuable.

All users with access to medical information, personally identifiable information, or financial information should be well-informed and trained as to why protecting this data is of the utmost importance. As Verizon outlined in the 2015 Data Breach Investigations Report, simple human error is often a key factor in data breaches. Without the agreement and understanding of end users, other methods of securing information are greatly undermined.

Furthermore, this is a great example of when you should be stingy about sharing your social security number. Very often, there is an alternative way to provide identification, and the social security number is just an easy fallback for whoever is asking. By guarding that number, you protect yourself against those who may misuse it without even realizing it.
