Health insurer Excellus BlueCross BlueShield disclosed that they suffered a large data breach, which could have compromised 10 million customer records. The hackers were able to gain access to information like customer names, mailing addresses, birth dates, Social Security numbers, financial data, and medical claims information. Most of the affected customers live in upstate New York, and Excellus is headquartered in Rochester. The company does not exactly know how far-reaching the damage is. Excellus does not know if subscriber data was removed from the company’s systems. So far, there is no evidence that the stolen data has been used fraudulently.
The Healthcare industry continues to be the nation’s ID theft punching bag, walking around town with a giant red target on its back. Need some proof? Leave it to The Identity Theft Resource Center (ITRC) weekly report to come to the party with a big bucket of red paint. According to its’ August 11, 2015 report, the Medical/Healthcare industry accounts for a whopping 78% of the data records breached so far this year. In real numbers that means of the 140,000 records breached, Medical/Healthcare is the not-so-proud owner of 110,000 of those records.
In a recent Reuters article, medical data was called “cybercriminals’ holy grail.” It has been a target of hackers for years—ZDnet anticipated the growth of health data as a target of thieves three years ago. It has only gotten worse since and no less an authority than the FBI has advised patients, doctors, healthcare administrators, and insurance and healthcare companies to take extraordinary pains to secure this valuable—and exceedingly personal—data.
As the healthcare industry continues to reel from the often constant barrage of cyber attacks, healthcare organizations must choose a solution that reduces information security risk and helps them meet HIPAA compliance requirements. Healthcare entities, regardless of size, need to perform their own “health check” as to the adequacy of their privacy and security posture of handling patient data (both IT and paper-based files).
Health insurance company CareFirst BlueCross BlueShield revealed that their customer data had been breached through a cyber attack. As many as 1.1 million customers and former customers were affected by the breach, which occurred last year in June. The company only discovered the breach in May when they decided to increase their cyber security after the breaches at Anthem Health Insurance and Premera Blue Cross. According to security experts, CareFirst’s databases were targeted by skilled cyber criminals who have targeted other health insurance companies in the past.
Yet another health insurance company has been targeted by hackers. Approximately 11 billion customers at Premera Blue Cross, a health insurance company based out of Seattle, were the victims of a cyber breach. Hackers were able to access a broad range of confidential customer information, including Social Security numbers, addresses, banking account numbers, and member identification numbers. Credit card information remains safe, since Premera does not store any of that information on their databases. However, hackers were able to access claims data, including sensitive clinical information, which is what worries most customers. This is the largest cyber breach where patient information was accessed.
The second largest health insurance company in the country, Anthem Inc., has just reported that its database has been hacked. Cybercriminals were able to access identifying information from current and former customers. In a public statement, CEO Joseph Swedish said that the data the hackers stole includes names, birthdays, Social Security numbers, street and email addresses, and medical IDs. Also included in the data leak is employment information and income. Medical information like claims, test results, and diagnostic codes were not targeted or compromised. Credit card information has not been compromised. Anthem has not seen any of the compromised information up for sale online. Just like the Sony Pictures Hack from last December, employee information has been compromised. Swedish said that he is among the victims in this hack, as his information has been accessed.
Anthem and its affiliates cover one in nine Americans, so this data breach could be the largest hack a health insurance company has experienced. Unfortunately, the insurance company does not know exactly which customers were hacked, or how many. Hackers were able to access 80 million records, and Anthem has 69 million customers across 14 states. Anthem’s affiliates include Empire Blue Cross and Blue Shield, Unicare, and Healthlink, among others. The insurance company is working with the FBI and conducting an Extensive IT Forensic investigation to determine which customers were affected. Affected customers will be offered identity and credit monitoring services.
The company found out about the breach last week, but chose to disclose the breach this week after trading closed. Anthem’s quick disclosure of the breach demonstrates a change in how companies respond to breaches. In 2014, companies waited until investigations were underway and almost completed to reveal a breach to the public. JP Morgan reported their breach weeks after the bank learned of the issue, and also said that only contact information was stolen. Federal law says that companies have 60 days to report a cyber breach, but CIO Thomas Miller said the company wanted to disclose the breach as soon as possible. Miller has not been able to figure out how the hackers were able to access a database containing so much confidential information, but he has determined that the breach is external. According to Miller, the hackers are sophisticated and used customized methods to gain entry into Anthem’s networks. The FBI’s investigation into this cyber breach is still underway.
The healthcare industry is a rising target for hackers who want to steal and sell confidential data on the black market. In 2014, Community Health Systems Inc. experienced a cyber breach where 4.5 million records were accessed by Chinese hackers. External threats to the healthcare industry indicate that healthcare providers and insurance companies need to focus on increasing their cybersecurity measures. EiQ’s SOCVue security monitoring solution helps prevent unauthorized access to protected health information, and improves HIPAA compliance. SOCVue’s 24/7 security monitoring service is critical for healthcare IT infrastructure. Continuous assessment of security controls is important for the healthcare industry, as this can reduce the risk of a data breach, and keep patient and customer data safe.
Community Health Systems announced Aug. 18 that hackers had breached its health care network of 206 facilities and stolen sensitive information on approximately 4.5 million patients. The compromise and subsequent data loss is part of a general trend in the sector. The health care industry has given short shrift to IT security, spending less on protecting its systems and data than most, if not all other industries, as measured as a percentage of the overall IT budget. And data from firms that track threat intelligence shows that signs of breaches are rampant in the health care industry.
A recent cyber attack on Community Health Systems hospitals has breached the data of 4.5 million people, reported The Ledger. According to Forbes, the stolen data did not involve any medical records. Instead, the data leak included “patient names, addresses, birth dates, telephone and social security numbers,” said Forbes. Community Health Systems is offering identity theft protection services to affected patients, although they do not believe this data will be used, said WKBN.
Community Health Systems reported the cyber attack to the public in an SEC filing on Monday, but the attack could have occurred in April and June, said The Ledger. According to Reuters, the attack may have originated in China, by a sophisticated hacking group called “APT 18.”
The Kansas City Star reports that a security breach was discovered in “an online scheduling application used two years ago to register more than 4,000 Children’s Mercy Hospital employees and spouses for a wellness program” provided by StayWell Health Management. Staywell spokeswoman Melissa Gilkerson said in a statement that the company believed affected individuals are not at risk for identity theft.
Forbes noted that medical device manufacturers have been targeted by cyber criminals, and “once inside a network, criminals often take whatever they can find.” SF Gate reported that Medtronic, Boston Scientific, and St. Jude Medical have all been hacked in the past.
Healthcare facilities are now especially concerned about patient privacy breaches because of HIPAA, which defines the legal policies for protecting patient records, and outlines the penalties for violations. The legal ramifications a healthcare facility can experience due to a cyber breach are high. Therefore, healthcare companies should make sure their patient records are secure. CNET published an article that says hackers could use general data like names and addresses to verify identities, or to see what else they can hack into.