Data Privacy Week - January 27 - 31, 2025


DATA PRIVACY WEEK NEWSLETTER   |  January 27 - 31, 2025

Data Privacy and PII

When you go to the bank or visit the doctor, you must provide personal information: your name, date of birth, and ID number. This information is valuable because it is effectively the key to your identity. A criminal who obtains it can use it to break into your accounts, impersonate you, or steal from you. That is why you expect the companies you deal with to keep your personal data safe.

If your job involves handling other people’s personal data, it is your responsibility to protect it with the same care you expect for your own. That is why it is essential to understand what Personally Identifiable Information is and how to keep it secure.

What is PII?

Personally Identifiable Information (PII) is any information that can be used to identify you, either on its own or combined with other data. PII includes things you might expect, like your full name, email address, credit card number, and passport information.

It also includes biometric data, such as fingerprints, and information you might not expect to count: gender, religion, ethnicity, and political beliefs.

Even if the information is publicly available (such as the name of your employer), it is still considered PII and must be handled securely. Privacy laws such as the EU’s General Data Protection Regulation (GDPR) and the Personal Data Protection Act (PDPA) in force in several countries define what counts as personal data and set penalties for privacy violations.

Protecting PII

Personal information must be protected and handled securely at every stage of its life cycle. That includes when the data is at rest, when it’s in transit, and when the data is in use.

  • Data at rest: Store PII only on encrypted storage devices and in encrypted cloud accounts, and restrict access to the people who need it.
  • Data in transit: Encrypt PII whenever it moves (for example, TLS for network traffic and encrypted attachments for e-mail) and send it only to authorized recipients.
  • Data in use: Access only the records and fields you need to perform your duties. Do not look at PII beyond your proper access level, and do not discuss or share it with unauthorized people.
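One way to put the "data in use" rule into working code, as an added example that is not part of the newsletter: a record is released to a caller only through a function that filters fields by role, replaces the direct identifier (here the Social Security number) with a keyed pseudonym so it can still be matched across records without being exposed, and logs every access. The role names, field sets, key and sample record are assumptions constructed for this example.

```python
"""Field-level access control and pseudonymisation of PII records.

Added example, not code from the newsletter. Roles, field names, the
key and the sample record are hypothetical, constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Fields each role may see. Anything not listed is withheld, so a field such
# as "religion" (a special category) is never released to any of these roles.
# These role names and field sets are assumptions for the example.
ROLE_FIELDS = {
    "billing": {"customer_id", "full_name", "postal_code", "ssn"},
    "clinician": {"customer_id", "full_name", "date_of_birth"},
    "analyst": {"customer_id", "postal_code"},
}

# Direct identifiers that are never released in the clear, even to roles that
# may see the field: they are replaced by a keyed pseudonym instead.
DIRECT_IDENTIFIERS = {"ssn"}

# Constructed sample record (fictional data).
SAMPLE_RECORD = {
    "customer_id": 1042,
    "full_name": "Avery Example",
    "date_of_birth": "1987-04-12",
    "postal_code": "94110",
    "ssn": "123-45-6789",
    "religion": "undisclosed",
}


def pseudonymize(value: str, key: bytes) -> str:
    """Return a keyed pseudonym (HMAC-SHA256, truncated) for a direct identifier.

    The same value under the same key always yields the same token, so records
    can still be joined on it. Without the key the token cannot be reversed,
    and a guessed SSN cannot be confirmed, which a plain unsalted hash of the
    SSN would allow.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def matches_pseudonym(value: str, token: str, key: bytes) -> bool:
    """Check a candidate identifier against a token without leaking timing."""
    return hmac.compare_digest(pseudonymize(value, key), token)


def view_record(record: dict, role: str, key: bytes, audit_log: list) -> dict:
    """Return only the fields `role` may see, pseudonymising direct identifiers.

    Unknown roles get nothing and the refusal is logged. Every successful
    access is logged with the role, the record id and the fields released.
    """
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        audit_log.append((role, record["customer_id"], "DENIED"))
        raise PermissionError(f"role {role!r} has no access to PII")
    view = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # least privilege: withhold anything not needed for the role
        if field in DIRECT_IDENTIFIERS:
            view[field] = pseudonymize(value, key)
        else:
            view[field] = value
    audit_log.append((role, record["customer_id"], sorted(view)))
    return view


if __name__ == "__main__":
    # In production the key lives in a secrets manager; here it is generated
    # fresh for the demo, so tokens differ on every run.
    demo_key = secrets.token_bytes(32)
    log = []
    for r in ("analyst", "billing", "clinician"):
        print(r, view_record(SAMPLE_RECORD, r, demo_key, log))
    try:
        view_record(SAMPLE_RECORD, "intern", demo_key, log)
    except PermissionError as exc:
        print("refused:", exc)
    print("audit log:", log)
```

The audit log is what an investigator would use after an incident to answer "who looked at which records"; the pseudonym key, not the token table, is the secret to protect, so it belongs in a secrets manager rather than beside the data.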

PII is the key to identity. When you handle PII as part of your job, it’s your responsibility to keep other people’s data secure. Local privacy laws may vary, so follow your organization’s policies and procedures. By carefully handling the data you are entrusted with, you protect yourself, your customers, and your organization.

Stolen PII — The Change Healthcare attack

In February 2024, the ransomware group ALPHV/BlackCat attacked Change Healthcare, a subsidiary of UnitedHealth Group and one of the world's largest healthcare payment processors. The attackers got in with a single compromised password because the remote-access portal they used had no multi-factor authentication. Over the next nine days they moved quietly through the network, stealing data.

Then they deployed ransomware and paralyzed the company. Change Healthcare paid ALPHV/BlackCat at least $22 million in Bitcoin, but the attackers still held a large amount of the stolen personal data, including names, addresses, and Social Security numbers.

Unfortunately, cyberattacks are now a fact of life. To criminals, even our healthcare data is just another commodity to be sold.

But by taking precautions and practicing good cyber hygiene, you can help protect yourself.