Data Breach at Anthem May Lead to Others

By Reed Abelson and Julie Creswell, The New York Times | Updated: 7 February 2015 13:20 IST

After an online attack on Anthem, by far the largest breach in the industry, security experts warned Friday that more attacks on health care organizations were likely because of the high value of the data on the black market.

Anthem, one of the country's largest health insurers, said the hackers did not appear to have stolen information about its customers' medical claims. But medical identification numbers were taken, along with Social Security numbers, addresses and email addresses, which could be used for medical fraud.

According to a federal database, many much smaller attacks across the country have included both medical records and financial information.

Medical identity theft has become a booming business, according to security experts, who warn that other health care companies are likely to be targeted as a result of the hackers' success in penetrating Anthem's computer systems. Hackers often try one company to test their methods before moving on to others, and criminals are becoming increasingly creative in their use of medical information, experts say.

"The industry has become, over the last three years, a much bigger target," said Daniel Nutkis, chief executive of the Health Information Trust Alliance, an industry group that works with health care organizations to improve their data security.

The publicity surrounding the breach, which exposed information on about 80 million people, is already generating phishing email scams, in which criminals posing as legitimate businesses try to persuade people to sign up for bogus credit protection services and provide personal information about themselves.

On Friday, Anthem sent out an alert to its customers warning them of the scam, which the company described as an "opportunistic" attempt to take advantage of news of the breach, but the company emphasized it had no evidence that the scam artists were the hackers.

The company, which operates under a series of Blue Cross plans in states like California, Connecticut and New York, is working with federal investigators to determine the source of the attack. Some signs continued to point to China, which has previously been thought to target health care companies, although the investigation is still in its early stages.

If Chinese hackers are responsible, it raises an immediate and hard-to-answer question: Are they acting on behalf of the government? Or are they independent actors, seeking to sell the information they have obtained?

The difference is a big one. The United States has indicted five members of a People's Liberation Army unit that is thought to be responsible for stealing intellectual property, usually designs from U.S. and European companies. But the group is not known for stealing large amounts of personal information.

The key is the hackers' motive. While they could be preparing to sell the information on the black market, they may also be searching for intelligence on government officials or senior executives who mask their personal information, but tend to provide real names and real numbers when dealing with health-related matters.

"The question is whether this is about espionage or theft," said one government official who was briefed on the investigation.

As a rich source of personal information, health care organizations - like hospitals, doctors' offices and insurers - are increasingly going to be vulnerable to attacks, according to security experts. "Anthem is not the last of these organizations," said Cameron Camp, a researcher for ESET, which specializes in data security. "We're going to see that style of attack again."

Medical identify theft is on the rise, experts say, because it pays. In black-market auctions, complete patient medical records tend to fetch higher prices than credit card numbers. One security expert said that at one auction, a patient medical record sold for $251, while credit card records were selling for 33 cents.

After the large data breaches at major retailers like Target and Home Depot, the black market for credit cards has been flooded. And after the bank becomes aware of the theft, those cards are usually canceled quickly.

In contrast, patient medical records typically include information not easily destroyed, including date of birth, Social Security numbers and even physical characteristics that make them more useful for things like identity theft, creation of visas or insurance fraud by falsely billing for expensive medical or dental procedures that were either never done or performed on someone else. Some criminals have also tried a form of so-called ransom ware in which they threaten to reveal medical information unless they are paid.

"The whole thing is evolving," said Barbara Filkins, an analyst with the SANS Institute, which has studied the risk to the health care sector.

Hospital systems, for example, are increasingly asking for photo IDs and driver's licenses in an effort to block patients who have stolen someone else's medical identity, said John Barlament, a lawyer at Quarles & Brady in Milwaukee. The use of medical identity fraud is growing, he said. "It's a one-way trend here," he said.

The push to digitize patient health records in hospitals and doctors' offices has also made medical records increasingly vulnerable, according to security experts. Moving medical records from paper to electronic form allows both patients and providers better access, but it has also made patient records susceptible to breaches, whether unintentionally or through a criminal attack.

About 90 percent of health care organizations reported they have had at least one data breach over the last two years, according to a survey of health care providers published last year by the Ponemon Institute, a privacy and data protection research firm. The founder, Larry Ponemon, a security expert, says most were because of employee negligence or system flaws, but a growing number are malicious or criminal.

Last year, 18 health care providers reported data breaches because of some form of hacking. Information at Centura Health was compromised last year after a phishing scheme obtained access to employee email accounts. The data included, in some instances, Social Security numbers, Medicare beneficiary numbers and clinical information for 12,000 patients of the facility, based in Englewood, Colorado. In another case, a keystroke logger virus that infected three computers for a few weeks early last year at the student health center at the University of California, Irvine, may have captured patient's health and dental insurance numbers and diagnoses.

Health care providers have sharply increased their spending on data security in the last year, but they remain technologically far behind other industries, say experts.

"When we go to a health care show and you look at the screens of different systems, it's like we're looking at Windows XP," said Bob Janacek, a co-founder and chief technology officer of DataMotion, an email encryption and health information service provider. "But you go to a banking show and they're talking about how to slice a billionth of a second off a transaction to get a competitive edge, it's just totally different."

In the new electronic records world, security experts say the risks of a data breach are found on many fronts. For instance, there are systems and protocols that allow for patient medical records to be encrypted and emailed from one provider to another, but some doctors are sending clinical records through personal email accounts using their own smartphones or tablets.

The Anthem breach has become the subject of intense regulatory scrutiny. Several state attorneys general are also conducting their own investigations or considering doing so, including George Jepsen, the Connecticut attorney general.

The National Association of Insurance Commissioners, a group of state insurance regulators, said it planned a multistate examination of the insurer. "We are in agreement that an immediate and comprehensive review of the company's security must be a priority to ensure protection of consumers who are covered by Anthem," said Monica Lindeen, the association president and the Montana insurance regulator, in a statement.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.