Excellus Blue Cross, a New York health insurer, has announced that in August of this year it discovered that its systems had been breached. Hackers gained administrative access to up to 10 million of the insurer's personal records, which were exposed over a two-year period and included names, birth dates, Social Security numbers, mailing addresses, telephone numbers, claims and payment details, and credit card numbers – though a company spokesperson said that the credit card numbers make up only a small portion of the total data accessed.
10 million records is small compared to the 80-million-record hack Anthem announced at the beginning of the year, but it is part of a trend for 2015 that could end up being dubbed The Year of Health Care Data Breaches. Anthem's hack was far-ranging and included current and former Anthem customers, Anthem employees and even non-Anthem customers whose insurers coordinate with Anthem to cover cross-state care. While it did not contain credit card information, it included much of the same data as what was lost in the Excellus breach – names, medical IDs, birth dates and Social Security numbers.
The truth? The real concern is not the credit cards. Thieves might make a little money here or there and cause some short-term pain, but the data hackers are really after is the contextual, personally identifying information attached to those accounts, which can be leveraged into bigger scams, tax refund fraud and identity theft.
Smaller health care hacks, like the ones that affected the UCLA Health System this July and Montefiore Medical Center in June, all point to the value of this kind of data. Security experts and law enforcement alike warn that health care providers in particular are vulnerable to attack because most have not taken steps to protect their data the way e-commerce and financial institutions have been forced to do in the wake of intense scrutiny and large-scale hacks.
Excellus is offering two free years of credit monitoring to affected clients in the wake of the breach, but such services do not prevent identity theft; they only alert users after the fact if it occurs, and most advise customers to keep monitoring their credit cards for suspicious activity anyway. Brian Krebs of Krebs on Security highlights just how little this kind of credit monitoring really offers breach-affected customers in a recent article on the fallout from the Office of Personnel Management breach earlier this year.
So long as knowledge-based questions are all it takes to get into traditional username-and-password accounts (or to create new identities out of whole cloth), these breaches will continue. It is time for health care companies to learn from forward-thinking e-commerce and financial companies and adopt a robust user behavior analytics system that will not only protect their customer data up front but also protect the company itself from having stolen data used against it.