Thales Blog

While Hackers Target Healthcare Records, Americans Still Show Concern Over Social Security Numbers

October 29, 2015

Tina Stewart Tina Stewart | VP, Global Market Strategy More About This Author >

HC data dangers unrocgnizedWhen you think major disasters, for most earthquakes, hurricanes, tornadoes and flooding come to mind. But the Travelers Consumer Risk Index, which gauges Americans’ perceived daily risk, found that consumers are more concerned about cybersecurity than their physical safety. According to the report, cyberthreats were only second to financial concerns as the biggest worries to US consumers – the same report found 1 in 4 consumers have been victim of a data breach or cyberattack.

ClickToTweet:    Only 11% of Americans Pick Medical Data loss as a top 3 Data breach risk

This past year has not been shy of breaches in the medical arena, we’ve seen:

  • Premera: On January 29, 2015, Premera discovered a breach that found medical and financial data belonging to as many as 11 million Premera customers. Now the company is facing 38 class action lawsuits after patients reported unexpected calls to verify personal information, false tax forms filed and packages delivered that were never ordered.
  • Anthem: On February 4, 2015, Anthem discovered that cybercriminals executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtain personal information. The cyberespionage group had enough resources to afford its own infrastructure, zero-day vulnerabilities and custom malware. Ultimately, the breach exposed personal records of 80 million individuals.
  • UCLA Health System: On July 17, UCLA Health System announced that hackers accessed part of the network that contained personal and medical information. The attack exposed information of about 4.5 million people. Compromised information included names, Social Security numbers, medical records, ID numbers and addresses. The stolen data was unencrypted.

However, despite breaches that have wrecked personal havoc, a survey we conducted alongside Wakefield revealed Americans are still more concerned about traditional data theft. The survey found that most Americans remain unaware of vulnerabilities, with only 11 percent reporting they were concerned about hackers gaining access to medical records.

Additional categories that Americans showed concerns around data access include:

Pulse 3 results

A recent report from the Medical Identity Fraud Alliance found that 65 percent of medical identity theft victims had to pay an average of $13,500 – Fees include paying the healthcare provider, repaying the insurer for services obtained by the thief or legal counsel to help resolve the incident and prevent future fraud).

Recovering from a healthcare breach is no small feat and for good reason; healthcare data has become one of the most desirable commodities for sale on ‘black market’ sites. Extensive healthcare data contains enough information to not just apply for credit cards or loans but it can compromise patients’ financial accounts and generate huge sums from fraudulent medical charges. As a result, healthcare data is at a premium, which does not bode well at time when data breaches are at an all-time high and organizations are still grasping how to handle new and improved threats.

On September 9, Health Insurer Excellus announced that their computers were targeted in a cyberattack that may have provided unauthorized access to more than 10 million personal records. Information may have contained names, birthdates, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information. The number of affected individuals also included members of other Blue Cross Blue Shield plans who sought treatment at a facility located in the Excellus service area.

There are fundamental problems with sensitive information in healthcare; many of those problems start and end with patient data. Data that is so attractive to criminals because of all of its uses, i.e. applying for financial accounts and loans, medical fraud, tax fraud and more. In an InfoWorld Article, Fahmida Rashid highlights that when it comes to healthcare breaches, there is more to come.

According to Rashid, “information contained in health care records has a much longer shelf life and is rich enough for identity theft. Social Security numbers can't easily be cancelled, and medical and prescription records are permanent. There's also a large market for health insurance fraud and abuse, which may be more lucrative than simply selling the records outright in forums.”

Most forums selling healthcare data are more specialized than places where payment card information is sold. What does this mean? Healthcare data breaches are significantly harder to detect. The FBI recently reported that hackers can receive as much as $50 a record for healthcare information. With some basic math that’s around $500 million in data for the group or individual who hacked into Excellus.

Given all the attention surrounding encryption, one might deduce individuals would feel much safer if the aforementioned data released was encrypted. But despite encryption’s popularity in the enterprise, the survey demonstrates that Americans remain skeptical. According to the survey, 91 percent reported that they would still be worried if the hacked data was in an encrypted file.

Misunderstand the value of encryptionEncryption technology alongside strong access controls and key management is a necessity for keeping sensitive data secure. By keeping healthcare data safe, individuals can rest assured that their most compromising information will not be exposed by those who safeguard their physical well-being. In this incredibly risky cybersecurity environment, preserving the integrity of encryption solutions is of utmost importance.

While threats in the physical world are mostly cut and dry, the cyber has proven to be quite covert. As we tackle threats and eliminate vulnerabilities, we need to increase awareness on what it means to stay safe within the cyberworld.