All posts by mitch tanenbaum

Why Medical Identity Theft Is Such A Big Deal

The insurance trade rag Property And Casualty 360 wrote about medical identity theft, and the impact it describes is staggering.

First, just one example breach: a physician office’s server, which contained unencrypted information on 2,500 patients, was hacked and its contents encrypted. The attackers demanded $50,000 to decrypt the information and return control of the server.

That, obviously, is pretty traumatic for the physician’s group, but why is medical ID theft important to you?  Here are a few reasons the article pointed out:

  • Your credit rating can be damaged
  • Your health insurance policy could be cancelled
  • Your health insurance premiums could go up
  • Your health could be at risk

According to PhishLabs, a cybercrime protection services vendor, medical ID information is worth 10 to 20 times what credit card information is worth.

Why is that?  The answer is simple.  If your credit card is stolen, you get a new one and they shut off the old one.

How do you shut off your medical ID information and get new information, like a new Social Security number?  You don’t, which means the life expectancy of the stolen information is very long.  It can be used to perpetrate crimes for years.

Unlike credit card fraud, where you are likely to review your bank or credit card statement when it arrives, there is rarely an equivalent statement that would make you notice medical ID fraud.  And the fraudsters can hide in the weeds for a year, pop up, go back into hiding, and repeat.

One question many people ask is where the value in medical ID fraud lies.  One source of value is bogus insurance claims, which translate directly into dollars.  For example, the bad guys say you now have diabetes and then submit claims for all kinds of care: care you never knew about or received, but which your insurance company will pay for.  Done cleverly, it would not raise any flags.

But now, according to your insurance company, you have diabetes, and your electronic medical record says so (so it MUST be right).  If Congress repeals Obamacare next year, as it has tried to do 40+ times so far, your insurance gets cancelled or your premiums go up.  Now you have to PROVE you don’t have diabetes.  And with all the interchange of electronic medical records, you are playing whack-a-mole: you get the diabetes diagnosis removed from one database, but provider A (where it still says you are a diabetic) sends an update to insurance company B (where you are not) and bam, you are a diabetic again.

Worse yet, you have no way of knowing every place where your medical information lives (unlike credit, where if you correct the three main credit databases you are pretty well covered).  Under federal law, the three credit reporting companies have to share a fraud alert with each other the moment you file one.  Nothing like that applies to insurer and provider databases: no law requires them to propagate a correction, and that is not likely to change any time soon.

For the consumer who gets sucked into this, it is a real mess.  How do you clean up a mess that you can’t even see? (Try listing every place your medical information lives.  I dare you.)



More Sony News

CORRECTION:  I said below that the hackers stole 25 GB of data.  According to CSO Online, they RELEASED 25 GB of data and this is only a fraction of what they stole.

UPDATE:  Brian Krebs is now reporting additional information:

  • The attackers stole 25 GB of data
  • The malware destroyed data on an unknown number of internal servers (as I suggested below)
  • The reason that employees were told to turn off their computers and disable Wi-Fi is that the malware destroys the Master Boot Record and wipes data on infected computers
  • One spreadsheet being floated around includes the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees
  • Another spreadsheet contains the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.
  • Yet another apparently purloined file’s name suggests it was the product of an internal audit by the accounting firm PricewaterhouseCoopers, and it includes screenshots of dozens of employee federal tax records and other compensation data

Assuming all this is true, then we are dealing with California privacy law (SB 1386 and its relatives) as well, potentially, as HIPAA violations, which would bring the Department of Health and Human Services’ Office for Civil Rights into the picture.  Both could bring large fines (HHS OCR can levy up to $1.5 million per calendar year for each category of violation, and it gets very creative about what counts as a violation; each record could be one).
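The Krebs item about the malware destroying the Master Boot Record is the one a responder can actually check for.  The script below is an added example written for this post, not Sony’s code and not the real malware: given the first 512 bytes of a disk (or a disk image), it parses the partition table, checks the 0x55AA boot signature, flags a sector that has been overwritten with a single byte, and compares the sector’s SHA-256 against a baseline hash recorded before the incident.  The sample sectors are constructed for the demonstration; the helper `read_mbr` is the only part that touches a real device and is an assumption about how you would feed it.

```python
"""Triage check for a wiped Master Boot Record.

Added example (not from the original post, not Sony's systems): reports whether
the first sector of a disk still looks like a valid MBR and whether it matches a
hash taken before the incident. Sample sectors are constructed below.
"""
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Decode the four primary partition entries (status, type, start LBA, size)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> Dict:
    """Return the sector's hash, its partition table and a list of problems found."""
    findings: List[str] = []
    if len(mbr) != MBR_SIZE:
        findings.append("wrong length")
        return {"sha256": hashlib.sha256(mbr).hexdigest(), "partitions": [],
                "findings": findings, "intact": False}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature missing")
    partitions = parse_partition_table(mbr)
    if all(p["type"] == 0 for p in partitions):
        findings.append("partition table empty")
    # Wipers commonly overwrite the sector with a constant byte. A random overwrite
    # is caught by the signature check or, most reliably, by the baseline hash.
    if len(set(mbr)) == 1:
        findings.append("sector is a single repeated byte")
    digest = hashlib.sha256(mbr).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("hash differs from baseline")
    return {"sha256": digest, "partitions": partitions,
            "findings": findings, "intact": not findings}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: placeholder boot code, one bootable NTFS (0x07) partition."""
    boot_code = bytes(range(256)) + bytes(190)                 # 446 bytes
    first = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return boot_code + first + bytes(48) + BOOT_SIGNATURE


def read_mbr(device_path: str) -> bytes:
    """Assumed usage: read sector 0 of a real disk or image, e.g. '/dev/sda' or 'disk.img'."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = hashlib.sha256(good).hexdigest()     # record this before an incident
    print(assess_mbr(good, baseline)["findings"])
    print(assess_mbr(b"\x00" * MBR_SIZE, baseline)["findings"])
```

The baseline hash is the part that makes this useful: collect it from every server during normal operations and keep it somewhere the attacker cannot edit, otherwise the check only tells you that the sector looks odd, not that it changed.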

On a side note, Target has said that its costs for last year’s breach are now $250 million and that there won’t be any other material costs.  I assume this does not include any fines or judgments, which would be extra, since none of the cases have come to trial and the regulators have not said anything that I am aware of.

The good news just keeps on coming for Sony.

The most important takeaway from this is “How would my company deal with our version of this scenario?”  If the answer is not “Effectively, thank you!”, then there is work to be done on business continuity and disaster recovery.

  • The FBI released a confidential alert to businesses and asked that it be distributed only on a need-to-know basis.  Within a few hours its details had been published anyway (this is why the Feds like to classify things: if you publish something that is classified, you can go to jail for a long, long time, even if you claim freedom of the press; espionage laws trump that most of the time).  The gist of what was reported is that the malware wipes systems and overwrites data files, making recovery very difficult and expensive, and likely impossible except from backups.
  • On December 1st a spreadsheet was released with the salaries of the top 17 Sony Executives who make $1 million or more.  The spreadsheet also included names, job titles, home addresses, bonus plans and current salaries.
  • Sony is trying to find the miscreants who did this, of course.  It has been leaked that Sony has hired the cyber security gurus from FireEye’s Mandiant division.  My guess is those folks are helping to figure out how the attack took place and how to clean up the debris, as well as looking for any clues as to the source of the attack.
  • If the source of the attack is North Korea, as speculated, then that is mostly a dead end.  If it was them, it was likely government sanctioned, and nobody is going to invade North Korea over this.  Apparently some of the malware used in the attack was compiled on a system with Korean language settings.
  • Supposedly some business systems are back online, but Sony has not released any details.  How much work is left is unknown.
  • Sony is set to release two big budget movies this month (Annie on December 19 and The Interview on December 24).  Even if Sony manages to prop up the systems needed for the release process, the distraction of its executives, the inability of most of the staff to operate normally and the media’s attention on Sony’s inability to keep its networks secure could have a negative effect at the box office.  On the other hand, some people say there is no such thing as bad publicity.  Only time will tell.
  • How much is all of this costing Sony – no clue yet.

Target Argues It Has No Legal Obligation To Banks Due To Last Year’s Breach

As the stakes go up, so does the creativity of the legal defenses.

According to an article in Bloomberg News, Target says that it has no legal obligation to the banks that claim they lost tens of millions of dollars as a result of last year’s breach, and it wants the judge to dismiss the case.

The banks argue that Minnesota’s Plastic Card Security Act, which applies because Target is headquartered in Minneapolis, allows them to recover their losses.  The law requires businesses that fail to adequately protect payment card data to reimburse financial institutions for losses resulting from a breach.  Minnesota is one of three states with such a law.

The law prohibits the retention of certain payment card data for more than 48 hours after a transaction is authorized.  The prohibited data includes card security codes, PIN verification data and the full contents of any track of magnetic stripe data (which itself carries the full card number).
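What that retention rule looks like as a check is the kind of thing a merchant’s security team should be running over its own logs and databases.  The scanner below is an added example written for this post, not anything from the court filings or Target’s environment.  It detects Track 1 and Track 2 data and named security-code or PIN fields (the data the act targets), reports bare card numbers as well, using a Luhn check so that order numbers do not show up as false positives, and flags findings whose record timestamp is older than the 48-hour limit.  The record format, field names and timestamps are constructed; the card numbers are the commonly published test numbers, not real accounts.

```python
"""Scan stored records for payment card data that should not have been retained.

Added example (not from the original post): detectors and sample records are
constructed. Track 1/2 data and security-code / PIN fields are what the
retention rule targets; a bare PAN is also reported, after a Luhn check.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

RETENTION_LIMIT = timedelta(hours=48)

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# 13-19 digits, optionally grouped with spaces or dashes, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security code or PIN stored as a named field
SECRET_FIELD_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,6}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out most digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four digits only, so the report itself does not retain PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_record(text: str) -> List[Dict]:
    findings = []
    for m in TRACK1_RE.finditer(text):
        findings.append({"kind": "track1", "pan": mask(m.group(1)),
                         "expiry": m.group(3), "service_code": m.group(4)})
    for m in TRACK2_RE.finditer(text):
        findings.append({"kind": "track2", "pan": mask(m.group(1)),
                         "expiry": m.group(2), "service_code": m.group(3)})
    # Blank out track data so the PAN inside it is not reported a second time.
    stripped = TRACK2_RE.sub(" ", TRACK1_RE.sub(" ", text))
    for m in PAN_RE.finditer(stripped):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"kind": "pan", "pan": mask(digits)})
    for m in SECRET_FIELD_RE.finditer(text):
        findings.append({"kind": "secret_field", "field": m.group(1).lower()})
    return findings


def scan_records(records: List[str], now: datetime) -> List[Dict]:
    """Scan each record and flag findings older than the 48-hour retention limit."""
    out = []
    for i, line in enumerate(records):
        ts = TIMESTAMP_RE.match(line)
        age = now - datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S") if ts else None
        for f in scan_record(line):
            f["record"] = i
            f["over_48h"] = age is not None and age > RETENTION_LIMIT
            out.append(f)
    return out


def summarize(findings: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


# Constructed sample records; the card numbers are the usual published test numbers.
SAMPLE_RECORDS = [
    "2014-11-29 10:15:02 auth ok pan=4111111111111111 amt=19.99",
    "2014-11-29 10:16:40 swipe track2=;5500000000000004=2512101123456789?",
    "2014-12-03 09:00:00 swipe track1=%B378282246310005^DOE/JOHN^25121011234567890?",
    "2014-12-03 09:05:13 decline pan=4111111111111111 cvv=123",
    "2014-11-01 08:00:00 order=1234567890123456 ref=9988776655",
    "2014-12-03 11:59:00 token=tok_7f3a last4=1111 cvv_present=no",
]
SAMPLE_NOW = datetime(2014, 12, 3, 12, 0, 0)

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS, SAMPLE_NOW):
        print(finding)
    print(summarize(scan_records(SAMPLE_RECORDS, SAMPLE_NOW)))
```

Run against the sample records it reports two bare PANs, one Track 2 string, one Track 1 string and one stored CVV, with the two oldest findings flagged as past the 48-hour window, while the 16-digit order number and the tokenized record produce nothing.  In a real deployment the hard part is not the regexes but enumerating every log, database column and crash dump where a point-of-sale system might have written this data.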

Target is, in effect, questioning whether this law reaches it at all.  It is arguing that in the absence of a “special relationship” with the banks, it is not responsible to the banks for anything.  I assume a special relationship is legal-speak for a contract.  Since Target has a relationship with a credit card processor and not with the banks directly, that is the angle.

Target also argued that the data theft happened at the point of sale, so the plastic card law doesn’t apply.  Creative, to be sure.

However, I don’t see anything in the law that requires a special relationship in order to invoke the law.  Nor do I see anything that says point of sale device attacks are excluded.

Given that there are hundreds of millions of dollars at stake if you assume that 40 million plus cards were compromised, it is not a big surprise that Target is grasping at any legal angle it can find.  If it only costs the banks $10 per compromised card to notify the cardholder, reissue the card, deal with calls, cover losses, etc., which I suspect is way low, that bill would be $400 million or more.  Oral arguments are scheduled for December 11th.  No matter the outcome, the decision is likely to be appealed, so don’t expect an early answer to this issue.

Assuming Target is successful, it then has to navigate the interesting, landmine-strewn path of explaining to its customers, with whom it does not have a “special relationship” either, that they should not be concerned about using their credit card at Target, or even shopping there, because Target is responsible if anything happens.  I want to watch that bit of spin doctoring.


Update on the Sony hack-attack

As I said in a previous post, it certainly appears that Sony is in the midst of a serious IT problem.  Sony has been extremely quiet except to say that they have a “system disruption” that they are “working diligently to repair”.

The important question to ask is “If this happened to our company, how would we deal with it?”  Destructive attacks of this kind, ransomware included, are fairly common and, unfortunately, the only real way to know that you have removed the attacker’s access is to rebuild your entire network from scratch, which may be what Sony is doing.  That means having TESTED backups, backup copies of configuration data (preferably offline, where the attacker cannot reach them), and a staff that has actually performed the rebuild process before the crisis.  You may also need spare hardware, since law enforcement may still be holding your systems as evidence.  You also need to know how long the rebuild will take.  All of this should be part of your disaster recovery plan.
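“TESTED backups” is easy to say and rarely done.  The minimum is knowing that what is on the backup medium is what you think is there: a manifest of file hashes, taken when the backup is made and stored somewhere the attacker (or the wiper) cannot rewrite, lets you prove that before you stake a rebuild on it.  The script below is an added example written for this post, not Sony’s tooling: it builds a SHA-256 manifest of a backup tree, verifies the tree against the manifest, and reports files that were modified, went missing or appeared without being in the manifest.  The backup tree, file names and corruption scenario are constructed in a temporary directory for the demonstration.

```python
"""Manifest-based backup verification.

Added example (not from the original post): build a SHA-256 manifest of a
backup tree, then verify the tree against it. The scenario in demo() is
constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, Dict]:
    """Map each file (path relative to root, POSIX separators) to its hash and size."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: Dict[str, Dict]) -> Dict[str, list]:
    """Compare the tree under root with a manifest kept off the backup medium."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
        elif sha256_file(root / rel) != expected["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(present - manifest.keys())
    return result


def demo() -> Dict[str, Dict[str, list]]:
    """Constructed scenario: clean verification, then corruption, loss and a stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "configs").mkdir()
        (root / "configs" / "core-switch.cfg").write_text("hostname core1\n")
        (root / "db.dump").write_bytes(bytes(4096))
        manifest = build_manifest(root)
        manifest_json = json.dumps(manifest, indent=1)   # this copy goes offline
        clean = verify_backup(root, json.loads(manifest_json))
        # Simulate what you find after an incident (or a bad tape): one flipped
        # byte in the database dump, a deleted config, and a file nobody expected.
        (root / "db.dump").write_bytes(bytes(4095) + b"\x01")
        (root / "configs" / "core-switch.cfg").unlink()
        (root / "stray.tmp").write_text("left by an unknown process\n")
        damaged = verify_backup(root, json.loads(manifest_json))
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Hash verification tells you the backup is what you wrote; it does not tell you the restore works.  The other half of “tested” is actually restoring onto spare hardware on a schedule and timing it, which is where the rebuild estimate in the paragraph above comes from.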

Business continuity insurance would likely help pay for the costs, if you have it and if it covers cyber disruptions (it may not; you may have to purchase cyber liability insurance to get cyber business continuity coverage).  Checking all of this in advance would be smart.

As for getting back the data the attackers took, that is almost certainly impossible; once it has been copied out, it is gone.

The reason Sony shut off its internet connections worldwide and forced people to use pencil and paper when this first happened a week ago is that, assuming this was not an inside job and the attackers don’t have co-conspirators inside the company, this is the only way to stop the attackers from doing more damage.

Unfortunately for Sony, employees have resorted to using their personal smart phones and Gmail, with the attendant security issues that represents.  The likelihood of getting that genie back in the bottle varies from slim to none.

As a publicly traded company, Sony will have to disclose the cost of this.  Between lost intellectual property, lost productivity, outside consultants and staff time to restore or rebuild what they need, the cost is likely in the tens of millions of dollars.  On top of those costs come litigation costs (there will certainly be lawsuits) and judgments.

It is not clear if the attackers told them to keep their mouths shut or whether they foolishly think they can keep the bad news under wraps by stonewalling the media.  If it is the latter, it is not working.

The group, calling itself #GOP, for Guardians of Peace (not sure if that play on words is intentional), is reported to have obtained ‘corporate secrets’ and to have threatened to leak them if its demands were not met.  Some outlets report that among the property taken were digital copies of celebrity passports, such as Angelina Jolie’s.  Some outlets are also saying that the attack used a common form of ransomware, in which the contents of file systems are encrypted and the attackers, the GOP in this case, hold the decryption keys until their demands are met.

Variety, the trade rag for the movie industry, reported that five Sony movies have been leaked, four of which have not even been released yet.  The titles were Fury, Annie, Still Alice, Mr. Turner and To Write Love on Her Arms.  Fury was downloaded from 888,000 unique IP addresses.  These were DVD quality reviewer copies and were watermarked, but my guess is that the hackers do not care.  It is not clear whether these purloined movies are part of the corporate secrets that would be leaked.  Certainly, leaking DVD quality copies of movies that have not even been released could hurt sales.

According to the New York Post, staffers at Sony are being forced to use pen and paper to complete their work assignments.  The Post is also reporting that Sony is investigating whether North Korea is behind the attack, since that country is supposedly upset about Sony’s upcoming movie “The Interview”.  The New York Times is reporting that Sony’s information technology experts told an in-house conference call they were “making inroads” against the attack and expected to be back online by Monday.  What, exactly, that means is totally unclear.

The Register is reporting that bosses have told their teams it may take three weeks to recover from the attack, and it displayed this picture in one of its reports:


All in all, this is another black eye for Sony, which has had more than its share of hacks, a serious distraction for employees, a field day for the media, millions of dollars in costs, likely lawsuits and probably more policies and procedures for employees to follow.



Cyber Security Weaknesses Would Reduce The Sales Price Of An Acquisition

An article last week in the Pittsburgh Post-Gazette, written by the law firm of Meyer, Unkovic & Scott LLP, stated what I would think is obvious, but apparently is not:

78 percent of global dealmakers report that cybersecurity isn’t a part of the due diligence process before mergers and acquisitions.

And why, you ask, is that so?  The answer also seems obvious to me:

90 percent of survey respondents reported that information about past breaches or cybersecurity weaknesses would reduce the sales price of an acquisition.

Alternatively, and even worse from the broker’s or seller’s standpoint, some buyers might walk away from the deal, which is the last thing the seller or broker wants.  Since the broker is not legally required to suggest that the buyer perform a cyber due diligence assessment, and since such an assessment, if performed, might either reduce the sales price or blow up the sale, the broker is not going to suggest it.  Ultimately, the buyer is left holding the bag.

From the buyer’s standpoint, requiring a cyber security due diligence audit is a smart negotiating move.  If there are any serious issues then the seller should be required to fix them before the close or the buyer should walk away from the deal.  If the buyer is comfortable that whatever cyber security issues are present are not fatal, then the buyer can and should negotiate a lower price.

Assuming the buyer is using a broker or lawyer, and the buyer should be, it seems to me that it borders on negligence for the buyer’s agent not to strongly recommend that cyber due diligence be performed prior to closing.

Mitch Tanenbaum