Health care is a treasure trove for criminals looking to steal reams of personal information, as the hacking of a database maintained by the second-largest U.S. health insurer proves.
The latest breach at health insurer Anthem Inc. follows a year in which more than 10 million people were affected by health care data breaches — including hacking or accidents that exposed personal information, such as lost laptops — according to a government database that tracks incidents affecting at least 500 people. The numbers, compiled by the Department of Health and Human Services, show that last year was the worst for health care hacking since 2011, when more than 11 million people were affected.
Health care hacking is becoming more of a focus as retailers and other businesses have clamped down on security after massive breaches at companies like Target and Home Depot. That has made it more difficult in some cases for cyber thieves to infiltrate their systems. As a result, they’ve turned their attention toward health care.
Experts say health care companies can provide many entry points into their systems for crooks to steal data. And once criminals get that information, they can pull off far more extensive and lucrative schemes.
“If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly,” said Tony Anscombe, a security expert with the cybersecurity firm AVG Technologies. “With medical records and a social security number, it’s not so simple.”
Anthem said late Wednesday that hackers broke into a database storing information on 80 million people in an attack the company discovered last week. The Blue Cross Blue Shield insurer said the hackers gained access to names, birthdates, email address, employment details, Social Security numbers, incomes and street addresses of people who are currently covered or have had coverage in the past.
The insurer, which covers more than 37 million people, said credit card information wasn’t compromised, and it has yet to find any evidence that medical information was targeted. Anthem Inc. doesn’t know how many people were affected by the attack, but a spokeswoman said that number was probably in the “tens of millions.”
The attackers used custom malware that was designed to avoid detection by anti-virus programs, said David Damato, managing director of FireEye, a Silicon Valley cybersecurity firm and corporate parent of Mandiant, an emergency response group hired by Anthem to investigate the breach. Damato said groups with that ability are typically either sophisticated financial crime rings or hackers backed by “nation states,” such as a foreign government. When asked if the investigation is pointing in either direction, Damato said he couldn’t answer.
“We’re very early on in the investigation,” he said.
It appears the attack was aimed specifically at a database that contained financial and personal identifying information, but not records of medical treatment, said Damato. “It’s fairly evident the attacker was focused on this one source of data,” he said, adding that the hackers may have performed “some sort of reconnaissance” to find that database. While he did not elaborate, he said the attackers managed to evade “multiple layers of security” within Anthem’s computer systems.
The impact could be far-reaching. The hackers may have simply been probing Anthem’s defenses with plans to plant malware that steals information or to come back with a much larger attack, said Eran Barak, CEO of another cybersecurity firm, Hexadite.
Other experts caution that the hackers may have indeed made off with medical information, and that has not been discovered yet.
Criminals who obtain stolen Social Security or health insurance account numbers have shown more sophistication than the average credit-card fraudster, according to Pam Dixon, executive director of the World Privacy Forum, a consumer advocacy group.
Rather than use the information right away, she said some crooks will sit on Social Security or health insurance files for a year or more before using them to create new identities and apply for benefits.
“What they like to do is season the data for a time, to allow the credit monitoring subscription to expire, and wait until people get sloppy or complacent” about monitoring their own accounts for fraud, she said.
Health records also command a much higher price than credit card accounts on the online black markets where hackers buy and sell stolen information, said Al Pascual, director of fraud and security at Javelin Strategy & Research, a financial industry research firm.
He estimated in an interview last fall that an individual’s medical records might fetch as much as $50, while credit card account information may only be worth $5.
“A health record has everything — financial account information, Social Security number, health information,” he said. “That makes all the records stored at your health provider and insurer incredibly valuable.”
Medical records can be used to extort people, with the hacker demanding money to prevent the sensitive release of information. They also can be sold to criminals who could construct billing and insurance scams involving fake medical centers or target patients for phone scams.
“That’s the kind of sophistication we have in cybercrime,” said Mark Bower, a vice president with the cybersecurity firm Voltage Security. “We have networks of criminals who can use this data whenever its available based on their skill set.”
Hackers can also find, in some health care companies, security practices that are not as mature as they are in other industries, Bower said. Clinics, labs, doctors’ offices, insurers and hospitals all offer different entry points for hackers to attack. That mix of systems can come with great variation in security quality.
For its part, Anthem said hackers executed a “very sophisticated” attack on its system, and it contacted the FBI and made “every effort” to close the security vulnerability once it discovered it.
Company spokeswoman Kristin Binns said the data accessed was not encrypted, but that would not have thwarted this attack because the hacker also had a system administrator’s ID and password. She said the company normally encrypts data that it exports.
The federal government also is investigating whether the personal information of Medicare and Medicaid beneficiaries was stolen. Those government programs are a major business for Anthem.
Murphy reported from Indianapolis and Bailey reported from San Francisco. AP writers Ricardo Alonso-Zaldivar and Ted Bridis contributed from Washington, D.C.