Healthcare: the Champagne of Hacks

Posted February 12, 2015

An Anthem Healthcare Breach Could Pay Hackers Ten Times What They Could Hope to Make from a Home Depot Breach

Say you’re a cyberthief — hypothetically speaking. Anyway, you have a choice. You can hack a retailer and steal millions of credit and debit card numbers or you can hack a healthcare company and make off with millions of pieces of personal information — names, birthdates, Social Security numbers, street and email addresses.

Stolen healthcare information pays off better on the black market than credit and debit cards and healthcare companies are, as a rule, not as well protected as retailers. That’s Tim Greene’s contention in his article on cio.com. The following has been excerpted from Greene’s piece and edited to fit our format. You may find the full article by clicking on this link.

Worth more

“Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x in price on the black market,” says Martin Walter, senior director at RedSeal. That could be a conservative estimate, according to a report by PwC called “Managing cyber risk in an interconnected world: Key findings from The Global State of Information Security® Survey 2015.”

Complete ID-theft kit could go for a grand

“A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each,” the report says.

The price differential is due to the ability to use identity information – birth dates, Social Security numbers, addresses, employment information, income, etc. – to open new credit accounts on an ongoing basis rather than exploiting just one account until it’s canceled.

Can be used to access financial records

But that’s not all. “The information attackers were able to access from Anthem are key pieces of data that can be used to access someone’s financial records,” says Eric Chiu, president & co-founder of Hytrust, making it possible to find and drain individuals’ personal cash reserves.

Just a matter of time

[PwC] says this type of massive theft from a health provider should have been expected. “It was only a matter of time until hackers found out that it’s much easier to go after Social Security numbers and personally identifiable information with healthcare providers, which in comparison spend significantly less on security, making them tentatively easier targets.”

Financial losses up

Last year, healthcare providers and payers reported a 60% increase in detected incidents resulting in financial losses jumping 282% over 2013. The possible explanation: attackers are targeting healthcare entities for their patient health data

ThreatMetrix

ThreatMetrix

close btn