Tuesday, April 23, 2019

Blue Cross of Idaho Alerts Patients of Data Breach in Payment Fraud Hack


 Here is a new twist in healthcare data breach security.  

Patient PHI (Protected Health Information) is incredibly valuable to criminals because it almost always contains all the information necessary to successfully complete identity theft.  There aren’t a lot of places on the Internet where nefarious parties can find that much data all in one place and that is why there is such an effort, both by the feds and the industry, to keep that data secure.  A patient record can easily contain, name, address, phone, SSN, DL number, DOB, and lots of other information.  All of that information on massive amounts of individuals is valuable to those wanting to commit identity theft OR to sell the data to those who do.  The last I heard, a clean credit card number was worth about $.50 while a health record was worth about $15.  And that is why we see such an effort by cyber criminals to break into databases and make off with this information.

However, the Idaho Blue Cross hack is a twist on cyber theft.  Rather than simply breaking in and stealing patient data, in this case the thieves attempted to intercept payments and have them rerouted to the thieves bank accounts.  Normally providers (doctors, hospitals, etc) would submit electronic claims for payment and Blue Cross would send the funds electronically to the providers bank accounts.  This is routine and happens in healthcare every day.

 In this case, the hackers broke into the website and attempted to reroute payments that were supposed to be routed to providers, but instead were to be routed to the criminal’s accounts.  While it’s terribly illegal, one has to admire the crooks ingenuity.

Fortunately, the security team at Blue Cross of Idaho managed to catch the hack the same day that it was perpetrated.  This allowed them to shut off the hacker’s access and prevent further damage and theft.  I salute those professionals for an incredible job well done!  

The bad news for Blue Cross of Idaho was that in addition to the hackers gaining access to portions of the system, they also inadvertently managed to gain access to some PHI in the process.  This means that about 1% of the company’s insured customer base.

The FBI was immediately informed of the breach and an investigation into the hack was commenced immediately.  Insured customers will receive now ID cards & new membership numbers as soon as possible.  They are also being given 3 years of ID theft restoration as well as 3 years of free credit monitoring services.  The access to the PHI seems to be not what the crooks were after, but happened none the less.  At this point it has not been determined how the hackers got into the system, but hats off to the security pros who noticed something was amiss and shut it down fast.

As always, let this be a lesson to anyone in the field.  Our data is valuable and you cannot leave security to inexperienced people.  Data security MUST be handled by well trained professionals and cannot be taken for granted.  The healthcare system is a favorite target for hackers and will continue to be for the foreseeable future.

1 comment:

  1. Hi there, I read your blogs on a regular basis. Your humoristic style is witty, keep it up! Thank You For Providing Such a Unique and valuable information, I enjoyed this blog post, For the best dental information you can Walk In Clinic Tomball, Restoration Smiles.