The Breach Is the Harm

Small bird with red head and crest, and brownish feathers over its wings and tail. The bird is in sharp focus against a blurred green background

The Change Healthcare/United Healthcare data breach is one of many examples of why “show me the harm” is the wrong conversation to have around data breaches in particular, and data privacy issues in general.

The breach happened in February, and according to United Healthcare the breach impacts a “substantial proportion of people in America.”

Despite a five-month lapse between the breach occurring and United Healthcare notifying people, United Healthcare appears to lack a complete understanding of the impact and the scope of the breach.

Change said in its latest statement that it “cannot confirm exactly” what data was stolen about each individual, and that the information may vary from person to person.

The affected information includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, as well as government identity documents, such as Social Security numbers, driver licenses and passport numbers.

The data also includes medical records and health information, such as diagnoses, medications, test results, imaging and care and treatment plans, said Change. The hackers stole health insurance information, including plan and policy details, as well as billing, claims and payment information, which Change said includes financial and banking information.

The potential for abuse is enormous. When that abuse happens, it will likely not be traceable to this specific breach. Causality is incredibly difficult to prove, and because United Healthcare spends a lot of money on lawyers, even ironclad proof would get muddied pretty quickly.

Because of this breach, every single United Healthcare customer now has to live under the cloud of their personal information becoming public. They now need to confront the reality that private conversations and interactions with their health care provider could become public.

At every future appointment, every person now has to think: is what I’m discussing with my doctor, therapist, nurse, aide going to become public at some point?

That’s the harm. The real, rational concern about details that matter to us being indiscriminately shared, and that it can be triggered blindly, with no warning, due to the incompetence of the organization that was supposed to keep this information safe.

Of course, the way the tech industry defines harm, they claim that nothing has happened as a direct result of the breach, and therefore there is no provable harm.

And that claim is, of course, completely divorced from how people live, and from basic human empathy.

So, when someone asks you, “what’s the harm?” – that can trigger a twofold response.

First: realize that the person or entity you are speaking with is approaching the issue using industry talking points. They might be doing this simply because they haven’t thought much about these issues, or because they have a pro-industry slant. It’s okay to give them some benefit of the doubt, which is not the same as a free pass.

Second: reframe the question to “what’s the need?” or “what about this would you want your mother/father/partner/sibling/child/friend to have to experience? How does this experience make their life better?”

Breaches are treated as technical and legal issues, but that misses the point. Breaches are intimately human concerns. A narrow frame focused on the need to prove harm works well for the industries that fail to protect our information, but it completely fails the humans impacted when their information is lost and/or stolen.

Image credit: nigel from vancouver, Canada, CC BY 2.0, via Wikimedia Commons