The recent hack of Anthem, one of the country’s largest health insurance companies, exposed the data of as many as 80 million customers, including many of their social security numbers. The magnitude of that data breach underscores not only the risk consumers are at but also just how valuable personal information is to hackers – especially healthcare data.
But it’s not just the pot of valuable data that makes health insurance companies attractive targets, but also the level of security at health insurance companies that make them susceptible, too.
[ Related: Health records are the new credit cards ]
“If you can hack your way into one of those you’d get just as much information if not more than if you hacked into a bank,” says Art Thomas, associate professor at the School of Information Studies at Syracuse University.
Longer shelf life
Health insurance companies store a lot more information about clients than a bank or credit card, which makes them prime targets for hackers.
“The health insurance company serves as a kind of hub because they’re brokers between bunches of different parties that have a lot to do with processing information,” says Thomas.
Health insurance companies that work with employers might have information about where a person works and their salary. They may also store a person’s address, social security number and payment of information, plus details about family members, too.
All that information is useful in establishing a profile of that person’s identity, Thomas says.
The more complete a profile, the more opportunities a scammer has to do harm, says Charles Tendell, CEO of Azorian Cyber Security. “I can steal your credit card and make a couple of purchases, but if I steal your personal information, I can go and create credit cards,” he says.
On the black market, this gives the data a longer shelf-life than stolen financial data, which could be worthless two weeks after it’s sold, says Cameron Camp, security researcher at IT security firm ESET. “Whereas you steal much more of a complete record in a health setting, it’s much more likely to be accurate and not have the half-life issue,” he says.
[ Related: Anthem Hack: Personal Data Stolen Sells for 10X Price of Stolen Credit Card Numbers ]
The more complete data set lets hackers get a clearer picture of the person. “Hackers can answer challenge questions to get into banking institutions and into Gmail accounts,” says Camp. Once a hacker has access to an email account, he or she can use “forgotten password” options to reset passwords for online accounts, which could make people who live mostly digital lives victims of additional fraud.
Tax fraud bonanza
Anthem has warned customers who may have been hacked to file their federal and state tax returns as soon as possible. Hackers could possibly could file false tax returns in their victim’s name using the stolen information and claim bogus refunds — a problem that the U.S. Treasury has already faced.
Intuit, the maker of popular tax software TurboTax, found that antifraud improvements by the IRS fueled up to a 3,700 percent rise in phony state filings. These filings were so rampant that TurboTax briefly suspended state filings. Camp says that state refund filings are a sweet spot for the use of Anthem’s stole information, which could cause fraud victims another headache, especially if they’re owed money in tax returns.
A slow-moving ship
The amount of data insurance companies keep isn’t the only reason they’re targets. In general, the insurance industry hasn’t kept pace with security trends, says Thomas. “Health insurance companies traditionally haven’t been as secure as a bank,” he said. “They’re just now realizing that they’re going to have to secure things a whole lot differently.”
[ Related: First medical apps built with Apple’s ResearchKit won’t share data for commercial gain ]
“They’re big ships to turn,” adds Tendell. “Even if they do start to run down the path of ‘we need to upgrade our security,’ it’s going to take months — if not years — to get to that point.” And by that point, the attacks may have changed to make that security obsolete.”
Legislation that would mandate reporting times after a hack is working its way through Congress, but won’t have much of an impact when consumers realize their data is at risk, says Tendell. That’s because it can take companies and institutions months to know if they for sure have been hacked.
“If the analysts come to the executive level and say we might have gotten hacked, eventually that’s going to fall on deaf ears like the boy who cried wolf,” he says. He recommends legislation to allow companies to go on the offensive and attack hackers who try to gain access to their systems, like allowing companies to launch DDoS attacks at hackers to knock them offline.
“In the cyber world, you’d see a lot of companies jump all over it,” he said.