The Healthcare System's Weak Protection for Patient Identity
This week, we learned healthcare hackers have claimed 10 million more victims – this time, by breaking into the network of New York health insurance giant Excellus BlueCross BlueShield.
According to Reuters, the hack occurred in December of 2013 but the company did not notice the breach until August 5, 2015. “Unfortunately, these crimes often go undetected by the companies until it is way too late to protect victims,” said Jeff Bell, CEO of LegalShield, a privately-held company that has provided legal protection to millions of people for over 40 years and identity theft protection for 15 years. LegalShield offers ID Theft services to the general public via IDShield. “We’ve seen time and again it is impossible to fully protect or prevent hacks and breaches. The key is to quickly and efficiently restore those taken identities,” Bell said.
Since credit card companies and banks have made great strides in strengthening their security systems and enhancing protections for credit cards, hackers have turned their sights to more vulnerable and lucrative targets: the nation’s less optimally guarded healthcare institutions.
Two other recent hacks include Anthem Inc., the nation’s number two insurance provider that had 80 million patient records compromised, and Community Health Systems, which had 4.5 million records exposed by hackers. “This is why many security experts have dubbed 2015 ‘The Year of the Healthcare Hack,’” says Bell. A survey of health providers published last year by the Ponemon Institute, a privacy and data research firm, reveals that roughly 90 percent of health care organizations have experienced a data breach in the past two years. Some were caused by employee mistakes or glitches with computer systems while others were the work of criminals.
Why Are Hackers Targeting Healthcare Institutions?
- Financial gain.
Sometimes they seek to steal account information that links to databases containing banking and credit card information; other times they go after patient records only. Anthem Inc. reports their financial databases were unaffected. One security expert told The New York Times the stolen information gets auctioned off on the black market. While credit card numbers are typically sold for around $3.50, one patient medical record recently brought $251. Credit card data is easily destroyed and regenerated. Not so with personal medical records, which contain a trove of information.
- Medical benefits.
A growing number of hackers sell insurance company identification cards to people seeking free medical or dental procedures. Although doctors’ offices and surgery centers require photo identification along with an insurance card, most hacker rings have no trouble generating one. The legitimate insurance cardholder typically does not discover the theft until the insurance company mails the Explanation of Benefits and copay bill days or weeks after the procedure.
- Traditional identity theft.
Hackers can use medical and financial information to build new identities for customers who wish to apply for passports or visas and travel the world anonymously.
Some hackers may be interested in connecting procedure codes to patient ID numbers, and then on to real names and Social Security Numbers, to gather sensitive health information. Anthem Inc. reports its hackers absconded with names, birthdates, Social Security Numbers, and email addresses, as well as work and income data, prompting security experts to wonder if blackmailing high-profile government officials or business leaders with embarrassing or sensitive health information was the goal.
Identifying the Hackers
In the coming days and months, investigators will draw conclusions about whether these hacks were the brainchild of a hacking gang or a foreign government. Until then, consumers should take the appropriate steps to protect themselves and their families. Learn more about how an IDShield membership can help you protect yourself and your family.