Security experts say the breach shows the importance of PII security, as a number of recent healthcare industry breaches have exposed millions of patients’ PII, which could later be used in other atttacks.

“The information that was used to bypass the security screen [is] all components of data that have recently been compromised in health insurance data breaches,” Ken Westin, senior security analyst for Tripwire, Inc. said. “Unfortunately, the high number of large scale data breaches has essentially transformed our personal information into public information. And this data should not be used as security or authentication checks.”

Anthem was breached earlier this year, exposing 80 million customers’ personal info. Another 11 million were exposed in the recently disclosed Premera breach. The data used to bypass authentication in this breach was likely a byproduct of a previous breach, and security professionals seem to agree that it was likely information stolen from the health sector.

“Health records now are becoming even more valuable to criminals [than financial data],” said Hormazd Romer, director of product marketing at Accellion, a mobile file sharing firm based in Palo Alto, Calif. “Having your credit card information stolen is inconvenient and will cause you to have to get new credit card information, but you can’t change your health records. That information has become very valuable for this very reason.”

Criticism of the IRS’ handling of the situation, however, focused on the fact the agency’s authentication systems were easy to bypass, and this allowed cybercriminals to obtain even more PII. The IRS, critics claim, should have had better authentication systems in place that rely on more than just static health information.

Vanita Pandey, senior director of strategy and product marketing at ThreatMetrix, a security vendor based in San Jose, Calif., explained that the IRS breach would have a lasting effect.

“A data breach or hack such as the one that has targeted the IRS is like an oil spill — it has an immediate impact on the environment and a lasting impact of ‘digital debris,'” Pandey said. “Following such a hack, businesses have to then monitor and look at constant data and use that data to their advantage to ensure stolen identities are not used by cybercriminals.”

Only the “Get Transcript” service was affected by this breach, according to the IRS. Core taxpayer accounts or other applications like “Where’s My Refund” were not affected. But that doesn’t mean that they won’t be in the future, according to security experts.

“The underlying weakness in the IRS and other government website portals is they rely on knowledge-based authentication,” said Brad Taylor, president and CEO of managed security provider Proficio of Carlsbad, Calif. “The answers to questions like, ‘what is your address and SSN#’ can be purchased from cyber crime sites or just researched on the Internet. The IRS needs to add more context to their challenge questions and monitor attempted access for suspicious behavior like multiple sign-ups from the same IP address.”

For now, the IRS is working on patching its security and minding the vulnerability of victims.

“The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation,” according to an official statement on the IRS website. “The IRS will be working aggressively to protect affected taxpayers and strengthen our protocols even further going forward.”