Health care is a treasure trove for criminals looking to steal reams of personal information, as the hacking of a database maintained by the second-largest U.S. health insurer proves.
The latest breach at health insurer Anthem Inc. follows a year in which more than 10 million people were affected by health care data breaches — including hacking or accidents that exposed personal information, such as lost laptops — according to a government database that tracks incidents affecting at least 500 people. The numbers, compiled by the Department of Health and Human Services, show that last year was the worst for health care hacking since 2011, when more than 11 million people were affected.
Health care hacking is becoming more of a focus as retailers and other businesses have clamped down on security after massive breaches at companies like Target and Home Depot. That has made it more difficult in some cases for cyber thieves to infiltrate their systems. As a result, they’ve turned their attention toward health care.
Experts say health care companies can provide many entry points into their systems for crooks to steal data. And once criminals get that information, they can pull off far more extensive and lucrative schemes.
“If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly,” said Tony Anscombe, a security expert with the cybersecurity firm AVG Technologies. “With medical records and a social security number, it’s not so simple.”
Criminals who obtain stolen Social Security or health insurance account numbers have shown more sophistication than the average credit-card fraudster, according to Pam Dixon, executive director of the World Privacy Forum, a consumer advocacy group.
Rather than use the information right away, she said some crooks will sit on Social Security or health insurance files for a year or more before using them to create new identities and apply for benefits.
“What they like to do is season the data for a time, to allow the credit monitoring subscription to expire, and wait until people get sloppy or complacent” about monitoring their own accounts for fraud, she said.
Health records also command a much higher price than credit card accounts on the online black markets where hackers buy and sell stolen information, said Al Pascual, director of fraud and security at Javelin Strategy & Research, a financial industry research firm.
He estimated in an interview last fall that an individual’s medical records might fetch as much as $50, while credit card account information may only be worth $5.
“A health record has everything – financial account information, Social Security number, health information,” he said. “That makes all the records stored at your health provider and insurer incredibly valuable.”
Medical records can be used to extort people, with the hacker demanding money to prevent the sensitive release of information. They also can be sold to criminals who could construct billing and insurance scams involving fake medical centers or target patients for phone scams.
“That’s the kind of sophistication we have in cybercrime,” said Mark Bower, a vice president with the cybersecurity firm Voltage Security. “We have networks of criminals who can use this data whenever its available based on their skill set.”
Hackers can also find, in some health “care companies, security practices that are not as mature as they are in other industries, Bower said. Clinics, labs, doctors’ offices, insurers and hospitals all offer different entry points for hackers to attack. That mix of systems can come with great variation in security quality.