Major health insurance company discloses data breach

Yesterday, CareFirst became the third major health insurance company in the USA to disclose a data breach that potentially compromised customer information. The attack is reported to affect as many as 1.1 million of its customers but, according to CareFirst, the hackers did not gain access to sensitive financial or medical information such as Social Security numbers, credit card information or medical claims. They did, however, have access to names, email addresses and dates of birth. The company said the breach happened last June and described it as ‘sophisticated’.

Comments from the experts on this breach are:

Mark Bower, VP at HP Security Voltage:

“Healthcare entities are the new data gold mines for attackers. The data is lucrative, often unprotected, and useful for medical and identity fraud. Unfortunately, many healthcare firms do not have modern data-centric protection in place to neutralise breach risks of these kinds of attacks and are thus vulnerable to being plundered from advanced malware. One reason for this dilemma is the lack of regular enforcement of security standards like PCI DSS. Approaches that simply meet minimum compliance regulations are clearly not sufficient. Other industries like banking, payment processing and retail have learned all too painfully that being compliant means nothing when the attackers are already inside, stealing data from behind the quickly dissolving perimeter. It’s time for the healthcare entities to shift gears to modern data security defenses and join their peers in other industries who’ve already learned how to mitigate these threats and neutralise their data from advanced attacks to protect valuable data assets, enable data-rich analytic insight without risk, and prosper as a result to the delight of their customers.”

Gavin Reid, VP of threat intelligence at Lancope:

“Medical identity theft

1) Why is this growing?

Three reasons: Large-scale attacks on hospital patient record databases, along with areas that are doing medical research, can be an extremely valuable source of data for pharmaceutical and other medical research. Some medical offices have unique patient records and histories spanning years that could never be recreated and have a huge research value. Secondly, the patient records themselves often have very complete PII (Personally Identifiable Information) sets that are easily used in the more common data theft scenarios. The last and increasingly common reason is where medical identity theft is used to create fraudulent insurance claims using a stolen identity.

2) What can be done to stop it?

The medical industry as a whole has to up its game in security maturity especially basics like patching, security controls and incident detection.

3) What can a consumer do to protect him/herself?

Limit who has your personal data when possible – share only with trusted providers that have a need to know. Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”