Unless you live in a log cabin on Loon Lake without any contact with the outside world (or you are one of a certain group of unnamed politicians who have offices in Rayburn, Longworth, Cannon, Russell, Dirksen or Hart), you know that breaches have become the third certainty in life. Over one billion records containing some form of personally identifying information have been grabbed by hackers since 2005. But make no mistake, the perfect storm that hit the healthcare sector in the past 90 days is not just more of the same.
Hacking healthcare is not the newest flavor of the quarter when it comes to serious data security problems. Long considered a secondary target behind the seemingly more lucrative financial sector, the medical industry has over the past few years attracted both state-sponsored hackers and financially motivated cyber criminals. In 2014, the health and medical fields accounted for 42.5 percent of breaches, while financial and credit firms accounted for only 5.5 percent of the total.
The recent history of healthcare compromises is alarming. Last August, Community Health Systems (CHS), a multi-state healthcare provider organization based in the Southeast, reported an enormous breach. Data associated with 4.5 million records, spanning patients in 29 states, was accessed over an approximately two-month period spanning April and May of 2014. The information stolen included names, addresses, Social Security numbers and birthdates. In some cases, telephone numbers and even the names of employers or guarantors were exposed. At the time, the CHS event was the second-largest health-related breach reported since the U.S. Department of Health and Human Services (HHS) started keeping track in 1997.
The mother lode of all health breaches came last month, when Anthem announced the compromise of more than 78 million records. In scale, the Anthem breach dwarfed every previous HHS-reported incident. The managed healthcare giant, which administers Blue Cross and Blue Shield plans across the country and has data for patients in at least 26 states, reported that the unencrypted exposed information included personal data—names, Social Security numbers, physical and e-mail addresses as well as patient phone numbers—and sensitive employment details such as individual compensation data. Many specifics about the breach haven’t yet been made public. While Anthem estimated the intrusion occurred over “several weeks,” security experts have theorized it could have actually begun almost nine months prior.
If that weren’t bad enough, an even higher-stakes breach followed on the heels of Anthem. Premera Blue Cross, based in the Pacific Northwest, revealed that the health records of 11 million patients in at least three states had been exposed over a period that potentially extended for almost eight months. In addition to the standard fare of stolen information—names, Social Security numbers, birthdates and addresses—Premera warned that the financial, medical and claims data of current and former members had also been exposed.
At least two lawsuits have been filed by victims of the CHS exposure, and two lawsuits are already pending related to the Anthem breach. Three states have launched an investigation into the Premera hack and five suits have been filed to date. In response, several state and federal regulators have turned up the heat with Congressional Committees joining the fray.
A security audit carried out shortly before the Premera breach by the Office of Personnel Management (OPM), which has a contract with the insurer, identified critical security patches that hadn’t been applied in a timely manner. It remains to be seen if those findings spur any further investigative or regulatory action in light of the recently reported breach. But all of that is just on the business side of things.
Here’s what matters: Approximately 100 million Americans now face years of frustration and fear as a result of these breaches. While credit cards can be cancelled and bank account numbers changed, the exposure of names combined with birthdates and Social Security numbers creates an opening for identity theft that never really goes away. Add in the potential for criminals to alter victims’ medical records through fraudulent use of insurance coverage and other provider services, and the very health of millions of people could be jeopardized. And did I mention that fraudulent tax refund incidents have spiked?
So where do we go from here, and what does the rising tide of healthcare breaches mean for cyber security? Organizations with deep troves of consumer, financial, personal and medical data continue to run networks with vulnerabilities that expose them to external threats as well as to improperly secured mobile devices connected by medical professionals. At least one recent breach may have been related to the Heartbleed bug, for which a remediation patch is available but which, security firm Venafi, Inc. estimates, only 3 percent of Global 2000 organizations have actually applied.
Defensive measures, from encrypting data to sharing information about new exploits to adopting threat-appropriate security postures, continue to lag behind hackers’ tactics. Healthcare organizations must make strong security a priority and work more closely with cyber threat experts to stay one step ahead, or the resulting legislation will make Dodd-Frank look like a compliance walk in the park. Congress must pass strong cyber security legislation now, and if it works closely with industry it may be able to do so without forcing crippling compliance-related spending. The stakes—Americans’ financial and medical well-being—are simply too high to do anything less.
Levin is a consumer advocate with more than 30 years of experience and is a nationally recognized expert on security, privacy, identity theft, fraud, and personal finance. A former director of the New Jersey Division of Consumer Affairs, he is chairman and founder of IDT911 (IDentity Theft 911).