Channel: Savannah Morning News | Exchange

Hackers see rewarding targets in health care companies


Health care offers attractive growth opportunities for cyber criminals looking to steal reams of personal information, as the hacking of a database maintained by the second-largest U.S. health insurer proves.

The latest breach at health insurer Anthem Inc. follows a year in which more than 10 million people were affected by health care data breaches — including hacking or accidents that exposed personal information, such as lost laptops — according to a government database that tracks incidents affecting at least 500 people. The numbers, compiled by the Department of Health and Human Services, show that last year was the worst for health care hacking since 2011, when more than 11 million people were affected.

Anthem said late Wednesday that hackers broke into a database storing information on 80 million people in an attack the company discovered last week. The Blue Cross Blue Shield insurer said the hackers gained access to names, birthdates, email addresses, employment details, Social Security numbers, incomes and street addresses of people who are currently covered or have had coverage in the past.

The insurer, which covers more than 37 million people, said credit card information wasn’t compromised, and it has yet to find any evidence that medical information was targeted. Anthem Inc. doesn’t know how many people were affected by the attack, but a spokeswoman said that number was probably in the “tens of millions.”

Health care hacking is becoming more of a focus as retailers and other businesses have clamped down on security after massive breaches at companies like Target and Home Depot. That has made it more difficult in some cases for cyber thieves to infiltrate their systems. As a result, they’ve turned their attention toward health care.

Experts say health care companies can provide many entry points into their systems for crooks to steal data. And once criminals get that information, they can pull off far more extensive and lucrative schemes.

“If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly,” said Tony Anscomb, a security expert with the cyber-security firm AVG Technologies. “With medical records and a social security number, it’s not so simple.”

The impact could be far-reaching. The hackers may have simply been probing Anthem’s defenses with plans to plant malware that steals information or to come back with a much larger attack, said Eran Barak, CEO of another cybersecurity firm, Hexadite.

Other experts caution that the hackers may have indeed made off with medical information, and that has not been discovered yet.

Criminals who obtain stolen Social Security or health insurance account numbers have shown more sophistication than the average credit-card fraudster, according to Pam Dixon, executive director of the World Privacy Forum, a consumer advocacy group.

Rather than use the information right away, she said some crooks will sit on Social Security or health insurance files for a year or more before using them to create new identities and apply for benefits.

“What they like to do is season the data for a time, to allow the credit monitoring subscription to expire, and wait until people get sloppy or complacent” about monitoring their own accounts for fraud, she said.

Health records also command a much higher price than credit card accounts on the online black markets where hackers buy and sell stolen information, said Al Pascual, director of fraud and security at Javelin Strategy & Research, a financial industry research firm.

He estimated in an interview last fall that an individual’s medical records might fetch as much as $50, while credit card account information may only be worth $5.

“A health record has everything - financial account information, Social Security number, health information,” he said. “That makes all the records stored at your health provider and insurer incredibly valuable.”

Medical records can be used to extort people, with the hacker demanding money to prevent the release of sensitive information. They also can be sold to criminals who could construct billing and insurance scams involving fake medical centers or target patients for phone scams.

“That’s the kind of sophistication we have in cybercrime,” said Mark Bower, a vice president with the cybersecurity firm Voltage Security. “We have networks of criminals who can use this data whenever it’s available based on their skill set.”

Hackers can also find, in some health care companies, security practices that are not as mature as they are in other industries, Bower said. Clinics, labs, doctors’ offices, insurers and hospitals all offer different entry points for hackers to attack, and that mix of systems can come with great variation in security quality.

For its part, Anthem said hackers executed a “very sophisticated” attack on its system, and it contacted the FBI and made “every effort” to close the security vulnerability once it discovered it.

Company spokeswoman Kristin Binns said the data accessed was not encrypted, but that would not have thwarted this attack because the hacker also had a system administrator’s ID and password. She said the company normally encrypts data that it exports.

The federal government also is investigating whether the personal information of Medicare and Medicaid beneficiaries was stolen. Those government programs are a major business for Anthem.

AMY PASCAL STEPS DOWN AS CO-CHAIRMAN OF SONY PICTURES

LOS ANGELES — Amy Pascal will step down as co-chairman of Sony Pictures Entertainment and head of the film studio, nearly three months after a massive hack hit the company and revealed embarrassing emails.

Pascal, one of the most powerful women in Hollywood and the force behind such critical and commercial hits as “The Social Network” and “American Hustle,” will launch a major new production venture at the studio focused on movies, television and theater, Sony Pictures said Thursday. Her career with Sony has spanned nearly 20 years.

During the hack, Pascal came under fire for racist remarks about President Obama’s presumed choice in movies that surfaced in leaked emails. She apologized for “insensitive and inappropriate” comments in her emails that she called “not an accurate reflection of who I am.” Pascal also faced criticism for green-lighting the film that may have inspired the hacking to begin with: “The Interview,” which starred Seth Rogen and James Franco as bumbling journalists tasked with killing North Korean leader Kim Jong Un.

Pascal will transition to the new venture in May. Sony Pictures will finance Pascal under a four-year contract and retain all distribution rights worldwide to funded films. The venture will be located at the Sony Pictures lot in Culver City, California.

“The studio’s legacy is due in large part to Amy’s passion for storytelling and love of this industry. I am delighted that Amy will be continuing her association with SPE through this new venture, which capitalizes on her extraordinary talents,” said Sony Entertainment CEO Michael Lynton in a statement. “In recent months, SPE faced some unprecedented challenges, and I am grateful for Amy’s resilience and grace during this period.”

