Business
    Next Score View the next score

    Hackers mine for gold in medical records

    Breach of Anthem database may leave millions vulnerable

    The Anthem logo at the company's corporate headquarters in Indianapolis.
    Darron Cummings/Associated Press
    The Anthem logo at the company's corporate headquarters in Indianapolis.

    INDIANAPOLIS — Health care offers attractive growth opportunities for cyber criminals looking to steal personal information, the hacking of a database maintained by the second-largest US health insurer illustrates.

    The latest breach, reported late Wednesday by the health insurer Anthem Inc., follows a year in which more than 10 million people were affected by health care data breaches — including hacking and accidents that exposed personal information, like losing a laptop — according to a government database. The numbers, compiled by the Department of Health and Human Services, show that last year was the worst for health care hacking since 2011, when more than 11 million people were affected.

    The rise may be linked to businesses clamping down after massive breaches at Target and Home Depot. That has made it more difficult, in some cases, for cyber thieves, so they’ve turned to health care systems.

    Advertisement

    Experts say health care companies can offer many entry points for crooks. And once criminals get personal information, they can use it for more extensive and lucrative schemes.

    Get Talking Points in your inbox:
    An afternoon recap of the day’s most important business news, delivered weekdays.
    Thank you for signing up! Sign up for more newsletters here

    ‘‘If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly,’’ said Tony Anscombe, a security expert at AVG Technologies. ‘‘With medical records and a Social Security number, it’s not so simple.’’

    Anthem said hackers broke into a database with information on 80 million people. The Blue Cross Blue Shield insurer said hackers got names, birth dates, e-mail addresses, employment details, Social Security numbers, incomes, and street addresses. The insurer, which covers 37 million people, said credit card data wasn’t compromised, and it has yet to find evidence that medical information was targeted. Anthem doesn’t know how many people were affected, but said it was probably ‘‘tens of millions.’’

    Massachusetts Attorney General Maura Healey said she has begun an investigation of the Anthem breach.

    “We are actively reaching out to Anthem, insurance providers and other attorneys general to determine the extent of the breach in Massachusetts,’’ and the circumstances behind it, Healey said in a statement.

    Advertisement

    Anthem, part of the Blue Cross Blue Shield federation, sells insurance in more than a dozen states, but Blue Cross Blue Shield of Massachusetts is a separate, independently run entity, said spokeswoman Sharon Torgerson. “If we find out our members are impacted, we will communicate and take appropriate, timely action,” she said.

    The hackers may have simply been probing Anthem’s defenses and planning to return with a much larger attack, said Eran Barak, chief executive of cybersecurity company Hexadite.

    Other experts caution that the hackers may have indeed made off with medical data, but Anthem has not discovered that yet.

    Criminals who get Social Security or health insurance account numbers have shown more sophistication than the average fraudster, said Pam Dixon, executive director of the World Privacy Forum. Rather than use the information right away, she said, some crooks will sit on Social Security or insurance files for a year or more before using them fraudulently.

    ‘‘What they like to do is season the data for a time, to allow the credit monitoring subscription to expire, and wait until people get sloppy or complacent’’ about monitoring their accounts for fraud, she said.

    Advertisement

    Health data also commands a higher price than credit card accounts in the marketplace for stolen information, said Al Pascual, a senior analyst at Javelin Strategy & Research.

    ‘A health record has everything.’

    Al Pascual, Javelin Strategy & Research analyst, on the appeal of medical files over credit card numbers for cyber thieves, a financial research firm 

    He estimated last fall that a medical record might fetch $50, while credit card information may be worth $5.

    ‘‘A health record has everything — financial account information, Social Security number, health information.’’