fb-pixel Skip to main content

Hackers mine for gold in medical records

Breach of Anthem database may leave millions vulnerable

The Anthem logo at the company's corporate headquarters in Indianapolis.Darron Cummings/Associated Press

INDIANAPOLIS — Health care offers attractive growth opportunities for cyber criminals looking to steal personal information, the hacking of a database maintained by the second-largest US health insurer illustrates.

The latest breach, reported late Wednesday by the health insurer Anthem Inc., follows a year in which more than 10 million people were affected by health care data breaches — including hacking and accidents that exposed personal information, like losing a laptop — according to a government database. The numbers, compiled by the Department of Health and Human Services, show that last year was the worst for health care hacking since 2011, when more than 11 million people were affected.


The rise may be linked to businesses clamping down after massive breaches at Target and Home Depot. That has made it more difficult, in some cases, for cyber thieves, so they’ve turned to health care systems.

Experts say health care companies can offer many entry points for crooks. And once criminals get personal information, they can use it for more extensive and lucrative schemes.

‘‘If someone steals your credit card and home address, they might be able to buy something, but you can usually get that locked down quickly,’’ said Tony Anscombe, a security expert at AVG Technologies. ‘‘With medical records and a Social Security number, it’s not so simple.’’

Anthem said hackers broke into a database with information on 80 million people. The Blue Cross Blue Shield insurer said hackers got names, birth dates, e-mail addresses, employment details, Social Security numbers, incomes, and street addresses. The insurer, which covers 37 million people, said credit card data wasn’t compromised, and it has yet to find evidence that medical information was targeted. Anthem doesn’t know how many people were affected, but said it was probably ‘‘tens of millions.’’

Massachusetts Attorney General Maura Healey said she has begun an investigation of the Anthem breach.


“We are actively reaching out to Anthem, insurance providers and other attorneys general to determine the extent of the breach in Massachusetts,’’ and the circumstances behind it, Healey said in a statement.

Anthem, part of the Blue Cross Blue Shield federation, sells insurance in more than a dozen states, but Blue Cross Blue Shield of Massachusetts is a separate, independently run entity, said spokeswoman Sharon Torgerson. “If we find out our members are impacted, we will communicate and take appropriate, timely action,” she said.

The hackers may have simply been probing Anthem’s defenses and planning to return with a much larger attack, said Eran Barak, chief executive of cybersecurity company Hexadite.

Other experts caution that the hackers may have indeed made off with medical data, but Anthem has not discovered that yet.

Criminals who get Social Security or health insurance account numbers have shown more sophistication than the average fraudster, said Pam Dixon, executive director of the World Privacy Forum. Rather than use the information right away, she said, some crooks will sit on Social Security or insurance files for a year or more before using them fraudulently.

‘‘What they like to do is season the data for a time, to allow the credit monitoring subscription to expire, and wait until people get sloppy or complacent’’ about monitoring their accounts for fraud, she said.

Health data also commands a higher price than credit card accounts in the marketplace for stolen information, said Al Pascual, a senior analyst at Javelin Strategy & Research.


He estimated last fall that a medical record might fetch $50, while credit card information may be worth $5.

‘‘A health record has everything — financial account information, Social Security number, health information.’’