Twenty years ago, Ironwall by Incogni CEO Ron Zayas addressed the National Association of Attorneys General about how the internet had compromised the personally identifiable information (PII) of nearly every American – and why that is so dangerous.
If that warning was heard, it certainly wasn’t heeded. Today the evolution of social media and artificial intelligence has drastically exacerbated the accessibility and weaponization of personal information. The killing of UnitedHealthcare CEO Brian Thompson has shaken healthcare organization C-Suites across the country, forcing leaders to ask themselves who knows where they live and where they’ll be at any given time. And the same PII that puts executives in danger fuels the phishing and ransomware attacks that exposed more than 2.3 million healthcare records in data breaches through just the first six months of 2025.
Zayas explains how we got here, and what can be done to safeguard organizations and their personnel.
-
Protecting personal information has been a crusade of yours for a long time.
Information is the currency of the realm, and privacy is like freedom: you either have it or you don’t.
-
Why is it so much worse now than it was 20 years ago?
In addition to the failure to pass the kind of privacy legislation that has made a real difference in Europe, the U.S. has become a place where it is now socially acceptable to attack somebody’s family or somebody’s home because of a grievance against a doctor or a healthcare organization. A person feels empowered to say, “I may not be able to change their policies, but if I kill their executive, somebody will pay attention.” And they have the tools to do that. One person’s anger can now also be shared through social media, something that was not possible 20 years ago. When somebody has a bad outcome – “a doctor botched my surgery” – and they post it online, other people see themselves in that. We saw how, when Brian Thompson was killed, there were many who shared the grievance of the alleged killer.
-
How cognizant are healthcare organizations of this danger?
It’s getting better but it’s not where it should be. Most organizations, and the people who work there, don’t understand that receiving a threat at home or getting a phishing email that looks real and personalized could be a direct result of the free discount they got from a supermarket loyalty program, because they gave out their address. They don’t see the entity between them and that supermarket, which is a data broker that buys your information and then sells it or trades it very cheaply to other individuals who can weaponize it.
Also, most people feel safe at their workplaces, which are typically fortified with security personnel and cameras and other safeguards. They don’t recognize that someone determined to act on a violent threat is going to come after them at home. They’re going to come for their families.
-
Is data removal even possible, given the volume of information now accessible about all of us on thousands of websites?
If it weren’t possible, data brokers, social media platforms and advertising companies wouldn’t spend hundreds of millions of dollars trying to stop legislation like California has to protect privacy, or like the EU did with GDPR. We know it can be done. Ironwall protects more than 400,000 people and removes 1.5 million pieces of personal information every week. You won’t find our clients’ addresses online.
Unlike the Brian Thompson assassin, most of those who feel aggrieved enough to attack someone will do everything they can to get away with it, and they need information to do that. We shut down that supply. We provide tools that mask cell phone numbers and email addresses, and in our Executive Protection program we provide high-level law enforcement support, especially when an active threat has been reported.
-
How does data removal also lower the risk of a ransomware attack?
Your employees will not be as careful as your IT department when it comes to online security. About 70% of data breaches over the last three years didn’t come from attacking the servers. They came from hackers going after individuals, compromising their devices and working their way into an organization. Someone gets an email that appears authentic because it appears to have been sent by a friend or relative, and they’re more likely to click on a link in that email, and that’s all it takes to give a hacker the access they need.
Hackers are smart but they’re lazy. If they look at two companies and one has thousands of pieces of information easily accessible, and another doesn’t have enough to leverage, they’ll go with the easier target every time.
-
Is it possible to safeguard a hospital or an organization with hundreds or thousands of workers? To secure all their personal devices?
We’ve seen how CEOs and CIOs have started to understand that they can’t leave this huge vector open and say there’s nothing I can do about it. You can’t have a safe organization if the people who work for you aren’t safe. We’re never going to tell them and their spouses what they can do on their personal devices. But if we educate them on privacy and provide protection for them in a way that’s easy and will lower the amount of robocalls and scams and phishing emails, they’ll realize it’s not just a benefit to their employer, it can save them from headaches like identity theft.
-
Privacy protection has become a business with several different providers. Do they all provide the same service?
Not at all. We’ve been doing this for more than a decade. We remove content anywhere it can be located with a search engine – other companies tend to only focus on people finder websites. That’s not enough.
-
What are three steps healthcare executives and organizations can take right now to reduce the risk of threats that emanate from PII?
First, understand your vulnerability. Don’t put your head in the sand. Do an assessment. Or let us do it for you at no cost. How protected are your key personnel and executives? If somebody can quickly find their personal mobile number online in less than five minutes, they can find where they live. As soon as you start removing information, you become less of a target. We can also do risk assessments. We’ll show you where their information is and how it can be weaponized against them. If you don’t even know the threat level against your executives, you’re running blind.
Second, do not give out information. The preventative tools we provide help with that. You’re not going to stop using the internet, but using a VPN will encrypt your information and make it harder for people to steal it. Using a VoIP number hides your cell number. Using alias emails protects your email address. These tools generate fake data that will eventually start to replace the identifying information that’s out there.
Finally, get protection. You want to make your executives and all your personnel into hardened targets, at work as well as at home. If you have the budget, great. Pay it. If you don’t, make it an employee benefit through the organization. When we’ve offered this as a paycheck deduction, at a significantly reduced rate off retail, we typically see as many as 20% of employees quickly sign up. Providing privacy protection sends a great message to your team and also helps with executive recruitment and personnel retention.