BreachExchange mailing list archives

Why hackers want your health care data most of all


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Sep 2015 19:16:54 -0600

http://www.infoworld.com/article/2983634/security/why-hackers-want-your-health-care-data-breaches-most-of-all.html

Excellus Blue Cross Blue Shield is the latest health care company to
discover a data breach, but it likely won't be the last as attackers
increasingly focus on the wealth of data buried inside health records.

Excellus discovered the breach on Aug. 5 and began notifying affected
individuals earlier this week. Attackers may have gained access to personal
information for as many as 10 million individuals, including name, date of
birth, Social Security number, mailing address, telephone number, member
identification number, financial account information, and claims
information. The number of affected individuals includes members of other
Blue Cross Blue Shield plans who sought treatment at a facility located in
the Excellus service area.

Retailers and banks tend to be popular cyber crime targets, but criminals
understand that stealing health care records can be as valuable, if not
more so.

Financial data has a finite lifespan because it becomes worthless the
second the customer detects the fraud and cancels the card or account. Most
forums for such data have a high enough surplus of stolen payment cards
that they have fire sales.

But information contained in health care records has a much longer shelf
life and is rich enough for identity theft. Social Security numbers can't
easily be cancelled, and medical and prescription records are permanent.
There's also a large market for health insurance fraud and abuse, which may
be more lucrative than simply selling the records outright in forums.

So far, Excellus said it had not seen evidence of the exposed information
being misused. Also, no one knows at this point how many of the stolen
records from previous health care breaches made it to the black market.

The FBI said recently criminals can sell health care information for as
much as $50 a record. For the attackers who targeted Excellus, that's
easily $500 million worth of information they have on hand, if they chose
merely to sell them on the black market. The Anthem breach, discovered in
February, was even bigger, affecting 78 million people.

Health care breaches aren't typically discovered through black market sales
the way retail breaches were last year, because criminals monetize health
care data in a different way than they cash in on financial data. Most
forums selling health care data tend to be more specialized than the
carding forums where payment card information is sold. Stolen health care
data forums operate more like drug cartels, where health records are not
sold outright, but rather used to buy and sell addictive prescriptions,
said Angel Grant, senior manager for antifraud solutions at RSA.

"Health insurance credentials are especially valuable in today's economy
because health care costs are causing people to seek free medical care with
these credentials," Grant said.

Many experts believe the health care breaches are not the work of typical
cyber crime gangs but of state-sponsored, well-funded groups. The Community
Health hack, the first big health care breach, is widely believed to be the
work of a Chinese espionage group. While attribution is extremely
difficult, substantial "below the surface" noise links state-sponsored
groups with other health care breaches, said Eric Cowperthwaite, a vice
president of advanced security and strategy at Core Security. He was
"quietly warned about nation state interest in health care" back in 2012,
when he was CISO of Providence Health & Services.

It makes sense that governments would be interested in getting their hands
on this data because it can be useful for building dossiers that reflect a
deeper understanding of the target population. Medical and insurance
records provide insights about where people live, what medical treatments
they had, who their family members are, and who they work for.

Moreover, if the health care data stolen from these breaches was ever
combined with the data stolen from the Office of Personnel Management, "it
would be the Holy Grail of electronic data on almost all people with
government clearances," Cowperthwaite said.

While retailers dominated data breach headlines last year, this year is all
about health care companies -- with a twist. Many of this year's breached
health care providers were actually compromised back in 2014, or in the
case of Excellus, as far back as December 2013. It's quite likely more
breach disclosures are ahead as organizations start taking a second look at
their networks. Excellus only discovered the compromise because it asked
for a network assessment after seeing reports of data breaches at other
Blue Cross Blue Shield providers. Otherwise, it's quite possible the breach
could have remained undetected longer.

"Health care, payers and providers both, are simply not prepared for the
level of bad guy they are now facing," Cowperthwaite said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
