Study: Health care industry worst at protecting consumer data, federal government is best

The federal government is best at protecting consumer data and the health care sector is the worst, according to a new study by the not-for-profit Internet Society's Online Trust Alliance.

The 10th annual Online Trust Audit and Honor Roll analyzed more than 1,200 consumer-facing websites to determine which industry values security and privacy the most.

Here's how the seven industries the Online Trust Alliance examined ranked:

• U.S. government—91% of audited U.S. federal government sites made the Honor Roll)
• consumer services (everything from social media to travel-booking websites to tax-prep services)—85%
• news and media—78%
• banks—73%
• internet retailers—65%
• internet service providers, carriers, hosters and e-mail providers—63%
• health care—57%

The health care companies examined include pharmacies, health insurers, hospital systems and genetic-testing businesses.

The Online Trust Alliance evaluated the websites based on how well they protected their e-mail, whether they encrypt sessions with their users and what they say in their privacy statements.

"What do you collect, what do you do with it and who do you share it with?," the group's technical director, Jeff Wilbur, said. "By far, the biggest tactic bad guys use is someone steals your credentials. E-mail represents a starting point of 90% of attacks."

The Online Trust Alliance's overall list of the most vigilant about protecting consumer data includes the Federal Emergency Management Agency, PayPal, the First National Bank of Omaha and DNA-testing company 23andMe. Ranked first on the list was Google Play.

USA TODAY is on the Online Trust Alliance's news and media industry's honor roll.

This year marked the first time the survey included the health care sector, but according to Wilbur, it's a vital industry. A person's private medical data could be used for everything from blackmail to insurance fraud.

"Hackers prize medical information to round out the profile of individual they already have information on," he said. "It makes it worth more when they sell it. It gets to the person more deeply."

But there's plenty of exposure all around, and with that, victims. For example, in March, the parent company of the Planet Hollywood and Buca di Beppo restaurant chains said diners' credit and debit card information may have been exposed and in December, the question-and-answer website Q&A site Quora said a data breach could have affected 100 million users.

David Holtzman has been ensnared in three data breaches—the 2015 U.S. Office of Personnel Management breach from his days as a federal-government employee, the 2017 Equifax breach after he'd applied for a home mortgage and the Marriott breach, the result of two decades as a hotel guest.

"I feel like I can't protect my funds and my identity. I'm very fearful of what this portends," said the 60-year-old health-information privacy attorney from Germantown, Maryland.

Holtzman has put credit freezes on his accounts, remains vigilant about monitoring day-to-day activity in his banking accounts and 401(k) and is careful about what he posts on social media.

"When I was a kid, your bank issued a passbook to you and no transaction could take place (without it)," he said. "In today's electronic business environment, as a consumer, the only way I can access my money and monitor my financial well-being is by conducting it through the internet—the same Internet that was used by hackers to steal my information."