Health care files a rich trove for identity thieves
March 16, 2015 12:00 AM
Darron Cummings/Associated Press
The corporate headquarters of health insurer Anthem in Indianapolis. The Blue Cross Blue Shield insurer suffered a major data hack affecting nearly 80 million customers.
Darrell Sapp / Post-Gazette
The Fifth Ave Place headquarters of Highmark in view with the U.S.Steel Tower offices of UPMC, in Pittsburgh.
By Rich Lord / Pittsburgh Post-Gazette
The 80 million-person Anthem Inc. data breach jeopardized the identities of more than 750,000 Pennsylvanians, including 51,867 Highmark customers notified by letter last week.
It also reminded the information security world that health records — subject to strict privacy requirements — are a rich target for hackers.
“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.
Hackers also can comb through clinical information, looking for material to blackmail wealthy or powerful patients, added John Christiansen, a Seattle-based health care technology attorney.
While Pittsburgh hasn’t seen a massive breach of health information, technologists for area hospitals and insurers aren’t feeling smug as the data maze becomes more byzantine.
“The data is in a lot of different places,” said John Houston, UPMC’s vice president of privacy and information security. “It’s very complicated.”
Even before hackers took data held by Indianapolis-based Anthem — including some referencing customers of other Blue Cross Blue Shield affiliates treated in Anthem’s territory — health care data breaches involving 500 or more patients were trending up.
In 2011 and 2012, combined, there were 458 big breaches involving a total of 14.7 million people, according to the federal Department of Health and Human Services. In 2013 and 2014, there were 528 involving 19 million people. Around 10 percent of breaches stem from hacking, while around half are physical thefts of records or computers. The rest are inadvertent losses, unauthorized disclosures or improper disposals of health information.
In April 2014, a Highmark employee wrongly mailed out names, addresses, phone numbers, dates of birth, genders, medications and health information of 2,589 people. “The root cause was failure of a human being to follow policy,” and the solution was more training, Highmark chief privacy officer Lisa Martinelli said.
In November 2013, an employee at UPMC McKeesport was caught after snooping into the electronic medical records of 1,279 patients. The employee was fired, and hospital staff retrained.
UPMC’s computer system has been programmed to sniff out snooping. “If we see an employee that maybe had historically looked at five or 10 records a day suddenly look at 100, we look into it,” Mr. Houston said.
HHS also lists a 2013 breach involving South Side-based cloud computing company Pair Networks in which there was “unauthorized access/disclosure” of information about 8,845 individuals, according to HHS.
Pair declined comment. Reports on information security websites indicate that the data related to patients of HealthSource of Ohio, based in Milford, Ohio, and that Pair may have hosted the data but may not have been responsible for its security.
HHS spokeswoman Rachel Seeger would not discuss specifics. “As a matter of policy, the HHS Office Civil Rights does not release information on current investigations," she said.
In 2010, the Indiana Regional Medical Center reported a breach, and bolstered training, after an employee walked out with records including names of 1,388 patients. Earlier that year, an employee of the University of Pittsburgh was caught sneaking money and receipts, with credit card information, out of the Student Health Center.
The Health Insurance Portability and Accountability Act bars health care providers, insurers, claims processors, data clearinghouses and contractors from transferring personal health information without the patient’s permission.
Simple in principle, it’s getting more and more complex. Harvard University researchers have mapped the flow of medical information through some 50 entities at thedatamap.org.
Some of those entities “are either ignorant of what they have to do [to protect privacy] or don’t want to be bothered by it,” said Chris Apgar, president and CEO of Oregon-based Apgar & Associates, a health data security firm.
Mr. Houston said UPMC’s 50-person data security team’s job keeps getting harder. “Data is not just stored in our data centers,” he said. “We’re pushing more and more data out to devices so our clinicians in the field can do their jobs” via tablets or smartphones.
Hackers create sophisticated imitations of UPMC’s Web pages in efforts to “phish” passwords from employees or even patients who use the online patient portal. The health system uses fake phishing to test whether employees are loose with passwords.
Highmark’s data security team is contending with cloud computing, mobile devices, social media, data-hungry marketing firms and increasingly sophisticated hackers, said the insurer’s chief security officer, Omar Khawaja. The insurer blocks around 94 percent of incoming email, and also uses fake “phishing” emails to train employees, he said.
“The biggest vulnerability,” Mr. Christiansen said, “is still individual users doing dumb things.”
The punishment for being breached is embarrassment and corrective action in consultation with HHS — and rarely a financial settlement. In 2013 and 2014 — during which there were 528 breaches — HHS settled with 11 breached health entities that paid a total of $11,681,000.
Criminal prosecutions of employees of breached health systems are also the exception, according to Dennis Melamed, president of Virginia-based Melamedia LLC, which studies the federal agency’s breach response.
The Anthem breach won’t “change anyone’s mind about day-to-day internal operations,” Mr. Melamed said. “There are no strategies that aren’t without significant risk.”
To report inappropriate comments, abuse and/or repeat offenders, please send an email to
firstname.lastname@example.org and include a link to the article and a copy of the comment. Your report will be reviewed in a timely manner.