Health insurance company Anthem announced on February 4th that it had suffered what appears to be the largest breach ever in the health insurance industry, affecting about 80 million people.
Once the dust had settled slightly, The New York Times carried a good article on the breach. Anthem, one of the country’s largest health insurers, said the hackers did not appear to have stolen information about its customers’ medical claims. But medical identification numbers were taken, along with Social Security numbers, addresses and e-mail addresses, which could be used for medical fraud.
Medical identify theft is growing because it pays. In black-market auctions, complete patient medical records tend to fetch higher prices than credit card numbers. One security expert said that at one auction a patient medical record sold for $251, while credit card records were selling for 33 cents.
Signs continue to point to China as the source of the attack, but it is unknown whether this is a state-sponsored attack or simply cybercriminals.
Patient medical records typically include information not easily destroyed, including date of birth, Social Security numbers and even physical characteristics that make them more useful for things like identity theft, creation of visas or insurance fraud by fraudulently billing for expensive medical or dental procedures that were either never performed or performed on someone else. Some criminals have also tried a form of ransomware in which they threaten to reveal medical information unless they are paid. Creative SOBs, these hackers.
About 90 percent of health care organizations reported they had at least one data breach over the last two years, according to a survey from the Ponemon Institute, a privacy and data protection research firm. The founder, Larry Ponemon, a security expert, says most were because of employee negligence or system flaws, but a growing number are malicious or criminal.
And, if history holds true, having successfully breached one insurer, the attackers will try to breach others. Because that, apparently, is where the money is.
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology