NEW YORK (MainStreet) — Add CareFirst - the Maryland and Washington, D.C. BlueCross BlueShield - to the expanding list of insurers that have suffered data breaches. Over 1.1 million customer records have been acknowledged to have been stolen in a breach announced this week.
In the CareFirst breach there is a sliver of good news for victims - but there also are large helpings of bad news.
The bad news: because health records are “very valuable,” you should expect them to be under continued attack by skilled criminals, said Tom Patterson, vice president of global security at Unisys, an IT company. He stressed that health records typically sell for ten times what a credit card record fetches in the criminal marketplace and that explains the ferocious criminal interest.
The good news in CareFirst: The company, in a statement, said “[l]imited personal information was involved in this attack – for instance, no member Social Security Numbers, medical claims information or financial information was put at risk.” At CareFirst, apparently the criminals stole only customer names, email addresses, birthdays and subscriber numbers.
The still worse news: expect more successful breaches to be announced, sooner rather than later, predicted Cameron Camp, a researcher with security company ESET. That’s because the breaches at all three Blues are believed to have common attributes and very probably the same attacks will work - have already worked perhaps - at other Blues, suggested Camp. “For the attacker it’s like having a master key," he said. "They will use it over and over. You see a rash of breaches, in a short period of time.”
Security researchers told Mainstreet that very probably other insurers have already been breached - perhaps many months ago - and may yet to have discovered the penetration. “Companies need to think about the fact that they may not know there has been an intrusion,” said Jay Schulman, managing principal at IT security company Cigital.
“There may be breaches that have not been detected,” agreed Christopher Budd, security company TrendMicro’s global threat communications manager.
So far, the public has seemed largely unconcerned about the epidemic of health care breaches. But that may be changing. Budd raised an especially worrisome - and ugly - thought about the big insurer breaches and that is that, so far. “We don’t know who has the information and what they are doing with it," he said. "They may have uses that extend beyond the conventional.” He pointed to blackmail as a possibility.
Say an insured is HIV positive, or has liver damage from alcohol abuse, or has been treated for depression, or has any of many maladies that these individuals perhaps want to keep private from co-workers and bosses. Patient confidentiality has many guarantees under U.S. law, in most cases. But cyber criminals obviously are not operating under U.S. law, and what if they are harvesting medical information to use it against key people? “I have no doubt that somebody won’t get a job because their health history has been leaked,” said Schulman.
For the record, both Anthem and CareFirst have insisted that customer medical information was not stolen. Premera - a key insurer in the Seattle-area - has made no such claim.
Right now, nobody knows the intentions of the individual, or group, that has hit the Blues. Security researchers have said that they believe the players are state sponsored, probably operating in China. “This is like a Ludlum novel, there are a lot of dangers here,” said Alan Kessler, CEO of Vormetric, a data security company.
What is known - and what increasingly baffles experts - is that so far there is no evidence that the data harvested in the Anthem, Premera,and now CareFirst breaches have shown up for sale in the usual marketplaces. That leaves security experts wondering if the criminals are simply biding their time because they know health information has a long shelf life. “Credit cards are only valuable for 30 days," said Patterson. "Health records have long shelf life. There is no rush to get them on the market.”
Either way, the results may not be good for victims. With credit card breaches, just about always consumers are made whole so they suffer no financial losses. It won’t happen with medical information theft. “How do you make the victim whole? You can’t,” said Schulman. And that is why we all may find ourselves anxiously awaiting news of yet another health insurer breach because that news is just about certainly coming.
—Written by Robert McGarvey for MainStreet