Will 2015 be the “Year of the Health Care Hack”?

healthcare data securityReuters is reporting that some security experts are predicting that 2015 will be the “Year of the Health Care Hack.”

The year got off to a bad start, security wise, with the recent hack attack on Anthem, Inc., the number two health insurer in the US.

Anthem announced a huge breach of its database containing close to 80 million health records. Compromised data included names, birth dates, member IDs, addresses, phone numbers, email addresses, Social Security numbers, and employment information.

However, Anthem CEO Joseph Swedish said the company did not believe that credit card or personal medical information was taken.

According to the New York Times,

Experts said the information was vulnerable because Anthem did not take steps, like protecting the data in its computers though encryption, in the same way it protected medical information that was sent or shared outside of the database.

(Emphasis added.)

The hackers, who may have been Chinese, apparently used malware to get access to an Anthem employee’s login credential.

Why the delay?

Anthem was challenged by a number of state attorneys general for failing to follow up with consumers in the wake of the attack.

Swedish promised that Anthem would contact each of its customers whose data had been stolen and that it would provide free identity protection and credit monitoring services for them.

The hack attack on Anthem was revealed on February 4 and apparently occurred, or was discovered, on January 27. As of February 10, the date of the letter from the attorneys general, Anthem had apparently not fulfilled its promises to customers.

According to the letter, written on behalf of attorneys general from Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania, and Rhode Island, “few follow-up details have been made available, and none at all about how individuals can sign up for the protections Anthem will provide them.”

Connecticut Attorney General George Jepsen said that his office had been flooded with calls from Anthem customers concerned about the breach.

Anthem responded that it had “laid out a thoughtful plan” with an outside vendor and planned to communicate with its members “very soon.”

Gone Phishing?

In an ironic twist, cybercrime journalist Brian Krebs initially reported that scam artists were capitalizing on Anthem’s delay by unleashing phishing scams on Anthem customers, pretending to offer them free credit card protection services.

However, the apparent phishing scheme turned out to be part of a phishing education campaign by an unrelated company.

The attack on Anthem appears to be market-driven. In the past, says Reuters, hackers have focused on banks and retailers. (As Willie Sutton reportedly said when asked why he robbed banks, “because that’s where the money is.”)

Market Forces

However, as banks and retailers (finally!) increase data security, it’s become harder for criminal networks to use stolen credit card numbers. As a result, the black-market prices for stolen numbers have dropped to four or five dollars, making other kinds of data theft more popular.

Stolen healthcare information can be used to fraudulently obtain drug prescriptions and medical services and to commit identity theft and other scams.

An identity that includes a name, address, Social Security number, and medical identity can sell for $20-$50. That would make the value of the Anthem theft to the thieves potentially in the range of $160 million to $400 million.

When the Anthem CEO reported that they did not believe credit card or personal medical information had been compromised he was no doubt trying to play down the damage and reassure consumers. The only problem is theft of your identity is a MUCH bigger problem than theft of your credit card number. If your credit card information has been compromised it’s a minor hassle: cancel the card, get issued a new card, and as long as the loss was reported promptly your maximum liability is $50, and most of the time the credit card companies will absorb that.

Loss of your identification information – name, address, social security number, birthdate, etc., – can expose you to threats far greater than loss of a credit card. With your identity someone could conceivably steal your identity and take your life savings. They could get credit cards in your name and trash your credit rating and put you on the hook to prove that it was not you who owes those credit card debts. They can file fraudulent tax returns in your name, causing you problems with the IRS. They can truly make your life miserable. Anthem should provide all persons whose data was compromised with at least a year of free identity protection from a service such as LifeLock.

Several healthcare-related companies have reported increasing their investment in cyber security. That’s all very well, but the almost-daily high-profile hack attacks prove that the current “state of the art” isn’t nearly good enough.

Any healthcare company that isn’t protecting consumer data using encryption is clearly vulnerable, as he Anthem case demonstrates.

Based on what we know now, it appears that dynamic encryption of the log-in information used to perpetrate the Anthem attack could have prevented it.

Thus, what’s needed is a new industry standard for data security, based on dynamic encryption. To learn more, click here.

Tagged with: