Premera hack: What criminals can do with your healthcare data

The Premera Blue Cross breach gave hackers valuable financial and medical data on millions of people. That information can be sold on the black market to criminals looking to commit identity theft, obtain prescription drugs illegally, or commit insurance fraud.

In one of the largest healthcare data breaches ever, hackers penetrated Premera Blue Cross and made off with the kind of information that can be far more devastating than any digital bank heist.

It seems that whoever intruded into Premera's network may have been inside its system for nearly a year, siphoning off the type of clinical data that security analysts say can provide crooks with virtually every single data element needed to clone someone’s identity.

While hackers who break into banks can get away with millions of credit card numbers, increasingly hackers are targeting healthcare networks for repositories of names, Social Security numbers, birth dates, bank account information, claims information, and clinical data. And it appears that the culprits behind the Premera hack were able to collect that kind of information on 11 million of its current and former members and those of other affiliate brands and Blue Cross Blue Shield plans as well.

Not only is this information being traded on the black market for people to commit identity theft, it's also being used to obtain prescription drugs and commit insurance fraud. For the individuals whose identities are used to perpetrate these crimes, their own medical treatments may be impacted, their health insurance disrupted, and their credit scores lowered.

“When someone has your clinical information, your bank account information, and your Social Security number they can commit fraud that lasts a long time,” says Pam Dixon, executive director of the World Privacy Forum. “The kind of identity theft that is on the table here is qualitatively and quantitatively different than what is typically possible when you lose your credit card or Social Security number.”

Indeed, medical identity theft is a growing problem. It impacted an estimated 2.3 million in 2014, up 21 percent over the previous year, according to the Ponemon Institute, a security and privacy research outfit. Victims of such theft on average had to spend $13,500 to resolve problems stemming from medical ID theft, according to Ponemon.

The group noted that on average people whose identities are being misused do not discover the problem for at least three months after the abuse starts. What's more, according to Ponemon, nearly 30 percent of victims have no idea how it might have happened.

Premera currently serves some 1.8 million members in Washington and Alaska. Experts say that victims of the breach should obtain a copy of their most recent medical records and check for discrepancies. They should also take advantage of credit and identity theft monitoring services and keep an eye on their Explanation of Benefits statements as they receive them, she says.

The Premera hack may also give rise to phishing campaigns, in which criminals e-mail victims in an effort to trick them into giving up even more information about themselves. Because of the nature of the information stolen, said Dixon, it's difficult to detect which e-mails could be fake and which are genuine, she said.

Premera is the third major organization in the healthcare industry to report a data intrusion in recent months. In February, Anthem, the nation’s second largest health insurer, disclosed that intruders gained access to personal records belonging to approximately 80 million people. Last August, Community Health Systems, a large Tennessee based health network, reported that hackers had broken into its systems and accessed records belonging to 4.5 million members.

Security experts see such attacks as proof criminal hackers are targeting healthcare with the same vigor with which they have attacked retailers and financial services firms in recent years. But unlike the retail sector, which has spent hundreds of millions of dollars bolstering security in recent years, the healthcare industry is still somewhat of a laggard on security.

The security firm WhiteHat Security recently discovered that within he healthcare industry only about 24 percent of known security flaws are fixed at any given time. On average, healthcare sites take about 158 days to close their vulnerabilities with some flaws remaining unpatched for much longer, said Robert Hansen, vice president of WhiteHat.

That's not good enough, said Mr. Hansen. "Unlike credit card numbers, healthcare information is nonrecoverable, and potentially lethal in the wrong hands," he said.

Healthcare organizations can take several steps to begin bolstering security, said Lysa Myers, researcher at security firm ESET, in a blog. Encrypting sensitive patient data while it's stored on a system or while being transmitted over a network can drastically mitigate the fallout of a data breach.

Similarly, healthcare firms could implement the principle known as "least privilege," in which only people who need access to sensitive data can access to it, said Ms. Myers. Financial information for instance, should be on a completely different network segment from the one on which healthcare information resides, she said.. “Any time you can restrict access without disrupting people’s ability to do their job, you should."

The increasing attacks also heighten the need for better user authentication measures, said Myers. Healthcare organizations should consider implementing a biometric authentication like a fingerprint or a one-time password for protecting access to sensitive data, she said.

There’s no such thing as perfect security against a determined adversary, Myers said. “But this does not mean we should not try to decrease risk and try to mitigate the damage if a security incident does occur."