Modern field guide to security and privacy

Premera hack: What criminals can do with your healthcare data

The Premera Blue Cross breach gave hackers valuable financial and medical data on millions of people. That information can be sold on the black market to criminals looking to commit identity theft, obtain prescription drugs illegally, or commit insurance fraud.


In one of the largest healthcare data breaches ever, hackers penetrated Premera Blue Cross and made off with the kind of information that can be far more devastating than any digital bank heist.

It seems that whoever intruded into Premera's network may have been inside its system for nearly a year, siphoning off the type of clinical data that security analysts say can provide crooks with virtually every single data element needed to clone someone’s identity.

While hackers who break into banks can get away with millions of credit card numbers, increasingly hackers are targeting healthcare networks for repositories of names, Social Security numbers, birth dates, bank account information, claims information, and clinical data. And it appears that the culprits behind the Premera hack were able to collect that kind of information on 11 million of its current and former members and those of other affiliate brands and Blue Cross Blue Shield plans as well.

Not only is this information being traded on the black market for people to commit identity theft, it's also being used to obtain prescription drugs and commit insurance fraud. For the individuals whose identities are used to perpetrate these crimes, their own medical treatments may be impacted, their health insurance disrupted, and their credit scores lowered.

“When someone has your clinical information, your bank account information, and your Social Security number they can commit fraud that lasts a long time,” says Pam Dixon, executive director of the World Privacy Forum. “The kind of identity theft that is on the table here is qualitatively and quantitatively different than what is typically possible when you lose your credit card or Social Security number.”

Indeed, medical identity theft is a growing problem. It impacted an estimated 2.3 million in 2014, up 21 percent over the previous year, according to the Ponemon Institute, a security and privacy research outfit. Victims of such theft on average had to spend $13,500 to resolve problems stemming from medical ID theft, according to Ponemon.

The group noted that on average people whose identities are being misused do not discover the problem for at least three months after the abuse starts. What's more, according to Ponemon, nearly 30 percent of victims have no idea how it might have happened.

Premera currently serves some 1.8 million members in Washington and Alaska. Experts say that victims of the breach should obtain a copy of their most recent medical records and check for discrepancies. They should also take advantage of credit and identity theft monitoring services and keep an eye on their Explanation of Benefits statements as they receive them, she says.

The Premera hack may also give rise to phishing campaigns, in which criminals e-mail victims in an effort to trick them into giving up even more information about themselves. Because of the nature of the information stolen, said Dixon, it's difficult to detect which e-mails could be fake and which are genuine, she said.

Premera is the third major organization in the healthcare industry to report a data intrusion in recent months. In February, Anthem, the nation’s second largest health insurer, disclosed that intruders gained access to personal records belonging to approximately 80 million people. Last August, Community Health Systems, a large Tennessee based health network, reported that hackers had broken into its systems and accessed records belonging to 4.5 million members.

Security experts see such attacks as proof criminal hackers are targeting healthcare with the same vigor with which they have attacked retailers and financial services firms in recent years. But unlike the retail sector, which has spent hundreds of millions of dollars bolstering security in recent years, the healthcare industry is still somewhat of a laggard on security.

The security firm WhiteHat Security recently discovered that within he healthcare industry only about 24 percent of known security flaws are fixed at any given time. On average, healthcare sites take about 158 days to close their vulnerabilities with some flaws remaining unpatched for much longer, said Robert Hansen, vice president of WhiteHat.

That's not good enough, said Mr. Hansen. "Unlike credit card numbers, healthcare information is nonrecoverable, and potentially lethal in the wrong hands," he said.

Healthcare organizations can take several steps to begin bolstering security, said Lysa Myers, researcher at security firm ESET, in a blog. Encrypting sensitive patient data while it's stored on a system or while being transmitted over a network can drastically mitigate the fallout of a data breach.

Similarly, healthcare firms could implement the principle known as "least privilege," in which only people who need access to sensitive data can access to it, said Ms. Myers. Financial information for instance, should be on a completely different network segment from the one on which healthcare information resides, she said.. “Any time you can restrict access without disrupting people’s ability to do their job, you should."

The increasing attacks also heighten the need for better user authentication measures, said Myers. Healthcare organizations should consider implementing a biometric authentication like a fingerprint or a one-time password for protecting access to sensitive data, she said.

There’s no such thing as perfect security against a determined adversary, Myers said. “But this does not mean we should not try to decrease risk and try to mitigate the damage if a security incident does occur."


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Premera hack: What criminals can do with your healthcare data
Read this article in
QR Code to Subscription page
Start your subscription today