
We can add another breached company to the ever-growing list: the Municipal Bond Insurance Association (MBIA). While not necessarily unique from other breaches we’ve seen lately, the MBIA incident brought another aspect of breach fallout into the public eye, and that’s the potential for data exposures to go viral. These viral breaches generate tendrils of compromised information that reach far and wide, creating a nightmare for containment—and public relations.

Known as the largest bond insurer in the country, MBIA services accounts for many government investment pools. In late September, the company was alerted by an ethical hacker that hundreds of pages of customer data were showing up online for all to see. We’ve since learned that one of the company’s database servers had been improperly configured, resulting in the exposure of highly sensitive data. Account numbers were compromised along with customers’ names, account balances and other confidential information. But the damage didn’t stop there. Not only was MBIA’s customer data floating around the Internet for all to see, it also had been indexed by several search engines. Information that should have been heavily protected was now on the Web in multiple locations, far outside the control of MBIA.

The release of customer data wasn’t the only problem. High-level security keys were also exposed and indexed, including administrative credentials and instructions for creating new deposit accounts. Not only were cybercriminals given a nearly perfect tutorial to dig into additional data held by MBIA that hadn’t been compromised in the first go-round, the instructions also provided a way for thieves to quietly pull funds out of the compromised accounts. The integrity of MBIA’s systems had been damaged far beyond a simple data breach.

Piling on to the organization’s woes were two failures of its own making. The first was that the Oracle server software it used is widely known to need careful configuration to avoid a potential security gap; Oracle has even provided documentation to help administrators configure it correctly and ensure the servers are secure. The second was that MBIA was notified of the exposure more than a week before the company finally cut off access to the compromised server. Not only was the company behind the curve in configuring its critical infrastructure correctly, it then delayed in fixing a problem that was brought to its attention.

In many respects, MBIA’s breach wasn’t all that different from other breaches. Network vulnerabilities are common avenues for hackers, and security warnings have been known to be overlooked. Target’s massive 2013 breach and similar recent exposures back this up.

Unfortunately for MBIA, these factors all came together in a perfect storm that resulted in a truly viral breach. Sensitive customer data was compromised and unspeakably valuable credentials and account creation instructions were also exposed. The indexing of that information on more than one major search engine spread the leaked data far and wide. Containment and mitigation became exponentially more difficult.
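One defender-side check that follows from the indexing problem described above, added here as an example and not code from the original post or from MBIA: it parses a handful of constructed web-server access-log lines (Apache/nginx combined format) and flags successful requests from search-engine crawlers to paths outside an allow-list of public prefixes. Seeing a crawler fetch private content in your own logs is the earliest signal that it is about to appear in search results, well before an outside party reports it. The crawler markers, the public prefixes, the hostnames and the log lines are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Apache/nginx "combined" log format. Addresses,
# paths and timestamps are illustrative and not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1)"
66.249.66.1 - - [10/Oct/2014:08:02:40 +0000] "GET /reports/accounts_q3.xls HTTP/1.1" 200 98231 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.3 - - [10/Oct/2014:08:03:05 +0000] "GET /admin/setup_guide.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
66.249.66.1 - - [10/Oct/2014:08:04:17 +0000] "GET /public/about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [10/Oct/2014:08:05:00 +0000] "GET /reports/accounts_q3.xls HTTP/1.1" 403 512 "-" "curl/7.37.0"
"""

# One regex for the combined format: client, timestamp, request line,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that identify the major search-engine crawlers (assumption: a
# list you maintain). User-agent strings can be forged, so this is a
# visibility signal for what crawlers are fetching, not an access control.
CRAWLER_MARKERS = ("googlebot", "bingbot", "yandexbot", "duckduckbot", "baiduspider", "slurp")

# Path prefixes that are meant to be world-readable (assumption). Anything
# else handed to a crawler with a 2xx response is a finding.
PUBLIC_PREFIXES = ("/index.html", "/public/")


@dataclass
class Finding:
    ip: str
    path: str
    crawler: str
    timestamp: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def crawler_name(user_agent: str) -> Optional[str]:
    """Return the matching crawler marker, or None for ordinary clients."""
    ua = user_agent.lower()
    for marker in CRAWLER_MARKERS:
        if marker in ua:
            return marker
    return None


def is_public(path: str) -> bool:
    """True when the request path sits under an allow-listed public prefix."""
    return path.startswith(PUBLIC_PREFIXES)


def find_crawled_private_paths(log_text: str) -> List[Finding]:
    """Flag successful (2xx) crawler requests for paths that are not public."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production pipeline would count these
        name = crawler_name(rec["ua"])
        if name is None or is_public(rec["path"]):
            continue
        if not rec["status"].startswith("2"):
            continue  # the server refused the request; nothing left the site
        findings.append(Finding(rec["ip"], rec["path"], name, rec["ts"]))
    return findings


if __name__ == "__main__":
    for f in find_crawled_private_paths(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.crawler:<10} {f.ip:<14} {f.path}")
```

Run against the sample, the check reports the spreadsheet under /reports/ and the setup guide under /admin/, both served to a crawler with a 200; the curl request for the same spreadsheet is ignored because it was refused with a 403, and the crawler's visit to /public/about.html is ignored because that prefix is allow-listed. Each finding is a path that should be taken offline or put behind authentication first, with a removal request to the search engine second, since the cached copy outlives the fix.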

There is some reasonably good news in all of this. At this time, it doesn’t appear any of MBIA’s clients were defrauded as a result of the breach—yet. There are also important lessons we can learn from MBIA’s mistakes. Network assets must be carefully administered, as their security is one of the first lines of defense against criminals. In addition, security warnings—whether they’re provided by ethical hackers, concerned customers or automated intrusion detection systems—must be immediately checked out.

We have the tools to thwart thieves. Now is the time to use them.


One of the most common weapons in the cybercriminal’s arsenal is the DDoS attack. According to the network security experts at Digital Attack Map, “A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.”

While many have heard of these attacks or suffered from the outages they cause, most people do not understand the true business risks these incidents pose. To get a better picture of the threat, Internet security firm Incapsula surveyed 270 firms across the U.S. and Canada about their experiences with DDoS attacks. On average, they found, 49% of DDoS attacks last between 6 and 24 hours. “This means that, with an estimated cost of $40,000 per hour, the average DDoS cost can be assessed at about $500,000—with some running significantly higher,” the company reported. “Costs are not limited to the IT group; they also have a large impact on units such as security and risk management, customer service, and sales.”

Check out the infographic below for more of Incapsula’s findings on the actual costs of DDoS attacks:


Winter is suddenly upon us. In Buffalo, New York, four deaths have been attributed to a winter storm that dumped up to six feet of snow. The storm was blamed for three more deaths in New Hampshire and Michigan. Whether commuting to work, driving a long-haul truck or overseeing a fleet of vehicles, winter presents business hazards. To stay safe and on the road during inclement weather, experts advise keeping vehicles in top condition with frequent safety checks. The National Highway Traffic Safety Administration reports that “failure to keep in proper lane or running off the road” and “driving too fast for conditions” are two of the most frequent driver behaviors causing accidents.

For safe winter driving, the NHTSA urges drivers to:

• Check your battery

• Check your cooling system

• Fill your windshield washer reservoir

• Check windshield wipers and defrosters

• Check floor mat installation to prevent pedal interference

• Inspect your tires

• Check the age of your tires

• Stay vigilant while driving

Long-haul truckers have special concerns. ShiftintowinterBC urges drivers to be on the lookout for black ice. Ice buildup on windshield wipers is a sign that conditions are favorable for black ice. Drivers should also slow down when approaching shaded areas, overpasses and bridges—portions of the road that freeze sooner than others. The organization recommends dropping speeds to match conditions, leaving more distance from the vehicle in front and pulling off the road if driving conditions become too extreme.

To avoid potentially dangerous situations, the Insurance Information Institute (I.I.I.) offers these winter driving tips:

  • Give yourself enough time to arrive at your destination. Trips can take longer during winter than other times of the year, especially if you encounter storm conditions or icy roads.
  • Bring a cellphone so that those awaiting your arrival can get in touch with you, or you can notify them, if you are running late. But avoid the temptation of using the phone while driving, as it can be a dangerous distraction—pull over first.
  • Drive slowly because accelerating, stopping and turning all take longer on snow-covered roads.
  • Leave more distance than usual between your vehicle and the one just ahead of you, giving yourself at least 10 seconds to come to a complete stop. Cars and motorcycles usually need at least 3 seconds to halt completely even when traveling on dry pavement.
  • Be careful when driving over bridges, as well as roadways rarely exposed to sunlight—they are often icy when other areas are not.
  • Avoid sudden stops and quick direction changes.
  • Be sure to keep your gas tank full. Stormy weather or traffic delays may force you to change routes or turn back. A fuller gas tank also averts the potential freezing of your car’s gas line.
  • Keep windshield and windows clear. Drivers in cold-weather states should have a snow brush or scraper in their vehicle at all times. Your car’s defroster can be supplemented by wiping the windows with a clean cloth to improve visibility.
  • Do not activate your cruise control when driving on a slippery surface.
  • Do not warm up a vehicle in an enclosed area, such as a garage.
  • Keep your tires properly inflated and remember that good tread on your tires is essential to safe winter driving.
  • Check your exhaust pipe to make sure it is clear. A blocked pipe could cause a leakage of carbon monoxide gas into your car when the engine is running.
  • Monitor the weather conditions at your destination before beginning your trip. If conditions look as though they are going to be too hazardous, just stay home.



Here’s a provocative question for all the risk managers out there: what did you pay last year in workers compensation medical bill review charges?

Stumped? The answer may be more elusive, and more expensive, than it would initially appear.

Medical bill review is an essential service typically performed by an insurer, claims administrator, or outside vendor. The service provider reviews medical bills related to claims and audits the bills for accuracy, duplication of charges, and reasonableness. The costs for these services are allocated claim expenses, meaning they get charged directly to the claim file. This makes figuring out what you’re paying more difficult, as bill review charges tend to blend in with other expenses and bills.

Bill review charges are typically calculated in two ways. First, for each bill, there is a standard review charge, which may be a flat rate or calculated by the number of lines. Second, for bills that are outside of medical provider networks and are negotiated, a percentage of the savings is charged.

This last piece is critical, because it means that charges for a single bill review can be thousands and sometimes even tens of thousands of dollars.

Here’s an example. Suppose an employee injures his back and is forced to have surgery, but does so at an out-of-network facility. The hospital bills $200,000, an amount it has no illusions of receiving. As part of the medical bill review process, the bill is negotiated down to $50,000, netting a savings of $150,000. The charge for the bill review is a percentage of the savings, typically between 20% and 30%. If we conservatively assume a rate of 20%, the charge for the bill review service in this example would be $30,000. For self-insureds and those with large retentions, this is a cost paid directly out of pocket.

This example highlights two important facts. The first is that network penetration is of prime importance—when a patient is treated at an in-network facility, the bill is generally reduced to the pre-negotiated rate at no cost to you. Second, the medical billing process in this country has created an immensely profitable enterprise for skilled medical bill reviewers.

This is not to say that paying a percentage of negotiated savings is unfavorable to a risk manager. This system aligns the interests of the bill reviewer and the party paying the bill. The more the bill reviewer can lower a bill, the more you save, even if you are ceding a percentage of that savings to claim handling expenses. And to be fair, the above scenario is more of an anomaly than the norm—in most cases both the savings and fees are much lower.

Still, the entire medical billing strategy employed by hospitals is rather discomforting. In what other industry are bills sent out and routinely negotiated down by 50, 60, or even 75%? Certainly, there are financial motives for hospitals, many of which are owned by private equity firms, to bill higher amounts than they ever expect to receive. Not only will an unsuspecting recipient occasionally pay the full amount, higher bills also allow hospitals increased write-offs for charity care and other unpaid services. And while fee schedules in some states have attempted to address this problem, they have also pushed hospitals and insurers to each employ competing billing experts, with the respective goals of maximizing and minimizing the amounts paid for the same services. The net result is higher processing expenses for everyone.

Accepting the fact that the medical billing system in this country is the way it is, let’s return to the $30,000 medical bill review charge. As risk managers, we need to continuously be concerned with our expenses. At the same time, these fees represent only a percentage of savings, and theoretically, the higher the bill review charge, the higher the savings. But the knowledge of that fact may not be enough to eliminate the sticker shock. Because medical bill review services are so essential, the only recourse is a better negotiation of fees—paying a lower percentage of savings is a good start, and a hard cap on the maximum charge for a single bill is even better. Of course, the first step is sitting down with the data and figuring out how much you’re actually paying.

That way, when someone asks you the question about how much you’re paying, you’ll not only have the answer, you’ll also have a plan to make it less.