Hackers see health care as fruitful target

Associated Press

Health care is a treasure trove for criminals looking to steal reams of personal information, as the hacking of a database maintained by the second-largest U.S. health insurer proves.

The latest breach at health insurer Anthem Inc. follows a year in which more than 10 million people were affected by health care data breaches — including hacking or accidents that exposed personal information, such as lost laptops — according to a government database that tracks incidents affecting at least 500 people. The numbers, compiled by the Department of Health and Human Services, show that last year was the worst for health care hacking since 2011, when more than 11 million people were affected.

Health care hacking is becoming more of a focus as retailers and other businesses have clamped down on security after massive breaches at companies such as Target and Home Depot. That has made it more difficult in some cases for cyber thieves to infiltrate their systems. As a result, they’ve turned their attention toward health care.

Experts say health care companies can provide many entry points into their systems for crooks to steal data. And once criminals get that information, they can pull off far more extensive and lucrative schemes.

“If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly,” said Tony Anscombe, a security expert with the cybersecurity firm AVG Technologies. “With medical records and a Social Security number, it’s not so simple.”

Anthem said late Wednesday that hackers broke into a database storing information on 80 million people in an attack the company discovered last week. The Blue Cross Blue Shield insurer said the hackers gained access to names, birth dates, email address, employment details, Social Security numbers, incomes and street addresses of people who are currently covered or have had coverage in the past.

The insurer, which covers more than 37 million people, said credit-card information wasn’t compromised, and it has yet to find any evidence that medical information was targeted. Anthem Inc. doesn’t know how many people were affected by the attack, but a spokeswoman said that number was probably in the “tens of millions.”

The attackers used custom malware that was designed to avoid detection by anti-virus programs, said David Damato, managing director of FireEye, a Silicon Valley cybersecurity firm and corporate parent of Mandiant, an emergency response group hired by Anthem to investigate the breach. Damato said groups with that ability are typically either sophisticated financial crime rings or hackers backed by “nation states,” such as a foreign government. When asked if the investigation is pointing in either direction, Damato said he couldn’t answer.

“We’re very early on in the investigation,” he said.

It appears the attack was aimed specifically at a database that contained financial and personal identifying information, but not records of medical treatment, said Damato. “It’s fairly evident the attacker was focused on this one source of data,” he said, adding that the hackers may have performed “some sort of reconnaissance” to find that database.