Excellus Blue Cross Blue Shield is the latest health care company to discover a data breach, but it likely won't be the last as attackers increasingly focus on the wealth of data buried inside health records.
Excellus discovered the breach on Aug. 5 and began notifying affected individuals earlier this week. Attackers may have gained access to personal information for as many as 10 million individuals, including name, date of birth, Social Security number, mailing address, telephone number, member identification number, financial account information, and claims information. The number of affected individuals includes members of other Blue Cross Blue Shield plans who sought treatment at a facility located in the Excellus service area.
Retailers and banks tend to be popular cyber crime targets, but criminals understand that stealing health care records can be as valuable, if not more so.
Financial data has a finite lifespan because it becomes worthless the second the customer detects the fraud and cancels the card or account. Most forums for such data have a high enough surplus of stolen payment cards that they have fire sales.
But information contained in health care records has a much longer shelf life and is rich enough for identity theft. Social Security numbers can't easily be cancelled, and medical and prescription records are permanent. There's also a large market for health insurance fraud and abuse, which may be more lucrative than simply selling the records outright in forums.
So far, Excellus said it had not seen evidence of the exposed information being misused. Also, no one knows at this point how many of the stolen records from previous health care breaches made it to the black market.
The FBI said recently that criminals can sell health care information for as much as $50 a record. For the attackers who targeted Excellus, that's easily $500 million worth of information on hand, if they chose merely to sell the records on the black market. The Anthem breach, discovered in February, was even bigger, affecting 78 million people.
Health care breaches aren't typically discovered through black market sales the way retail breaches were last year, because criminals monetize health care data in a different way than they cash in on financial data. Most forums selling health care data tend to be more specialized than the carding forums where payment card information is sold. Stolen health care data forums operate more like drug cartels, where health records are not sold outright, but rather used to buy and sell addictive prescriptions, said Angel Grant, senior manager for antifraud solutions at RSA.
"Health insurance credentials are especially valuable in today's economy because health care costs are causing people to seek free medical care with these credentials," Grant said.
Many experts believe the health care breaches are not the work of typical cyber crime gangs but of state-sponsored, well-funded groups. The Community Health hack, the first big health care breach, is widely believed to be the work of a Chinese espionage group. While attribution is extremely difficult, substantial "below the surface" noise links state-sponsored groups with other health care breaches, said Eric Cowperthwaite, a vice president of advanced security and strategy at Core Security. He was "quietly warned about nation state interest in health care" back in 2012, when he was CISO of Providence Health & Services.
It makes sense that governments would be interested in getting their hands on this data because it can be useful for building dossiers that reflect a deeper understanding of the target population. Medical and insurance records provide insights about where people live, what medical treatments they had, who their family members are, and who they work for.
Moreover, if the health care data stolen from these breaches was ever combined with the data stolen from the Office of Personnel Management, "it would be the Holy Grail of electronic data on almost all people with government clearances," Cowperthwaite said.
While retailers dominated data breach headlines last year, this year is all about health care companies -- with a twist. Many of this year's breached health care providers were actually compromised back in 2014, or in the case of Excellus, as far back as December 2013. It's quite likely more breach disclosures are ahead as organizations start taking a second look at their networks. Excellus only discovered the compromise because it asked for a network assessment after seeing reports of data breaches at other Blue Cross Blue Shield providers. Otherwise, it's quite possible the breach could have remained undetected longer.
"Health care, payers and providers both, are simply not prepared for the level of bad guy they are now facing," Cowperthwaite said.