Category Archives: Medical ID Fraud

Doctors and Mobile Devices – Not A Secure Mix

Skycure, a mobile device protection vendor, released its new mobile threat intelligence report, and the data is not pretty.  One thing the report says is that 40% of mobile devices are at risk of a network attack over a four month window.

Out of 51 million device scans in 2015, Skycure found almost 13,000 malicious apps.  They also say that 27+ million devices with medical apps installed might be infected with high risk malware.

Aetna’s CSO, Jim Routh, has a horrible but accurate description of your cell phone.  He says, “The mobile phone is the best surveillance device in history,” and “Each device is a potential attack target for personal data, company data, and, in the healthcare industry, the private medical and health information of patients and customers.  It’s imperative that both mobile users and their employers understand the risk and how to stay safe.”

Other statistics include:

  • 80% of doctors use mobile devices to assist their day-to-day practice
  • 28% store patient data on their mobile devices
  • 11% of mobile devices are running an OUTDATED operating system with HIGH SEVERITY vulnerabilities, and those devices might have stored patient data
  • 14% of mobile devices containing patient data likely have no passcode on them.
  • 27.79 million devices with medical apps installed might also be infected with high risk malware.
  • A whopping 52% of devices use passcodes – meaning about half of the devices do not use a passcode.
  • While 88% of iOS users were using iOS 9, only 3% of Android users were using Marshmallow (Android 6).  I have written about this before and it is a place where Apple kills Google hands down.

Suffice it to say, the healthcare community has a big challenge ahead of it and it is not going away any time soon.

Information for this post came from IT Wire.

4 Health Care Breaches Reported This Week Alone

The Examiner reported about 4 health care data breaches on the 20th.  See if you can find a common element.

Information on 21,000 California Blue Shield customers, including health care info, was compromised when a vendor call center employee was socially engineered, their login information was compromised and their customer data was stolen.

Last week Montana’s New West Health Services said an unencrypted laptop with data on 25,000 patients was stolen.  It included patient information, bank account information, health information and other information.  On an unencrypted laptop out in the field.

Also last week, at St. Luke’s Cornwall Hospital in New York, a USB drive was stolen with information on 29,000+ patients which included patient names, services received and other information.  The drive, it would appear, was not encrypted.  The reason I assume it was not encrypted is that if it was encrypted and the encryption key was not taped to the device, the hospital would not have to report this event.

Finally, Indiana University Health Arnett Hospital lost a “storage device” with information on 29,324 patients containing information such as patient name, birthdate, diagnosis, treating physician and other information.  Again, likely this information was not encrypted.

Anyone figure out the common element?  All of these events would have been non-events if these companies had reasonable cyber security practices in place.

The call center employee was socially engineered.

An unencrypted laptop was stolen (where was it left?).  Why was it unencrypted?  Why did it have patient data on it?

A flash drive with patient data was lost.  Why was it not encrypted, and did the data need to be on the flash drive at all?

And, a storage device was stolen.  That happens.  Why was it not encrypted?

How much training did the call center do to teach employees about social engineering?  Why was the laptop not encrypted?  Why was the flash drive not encrypted?  And why was the storage device not encrypted?

I keep pointing to encryption because if you have a breach but the data is not readable by the thief, you don’t have to warn customers.  It is a very simple step to take.  JUST DO IT.

Only in the flash drive case could the encryption cause a problem, if you need to be able to share the drive with someone else.  In the other two situations, the encryption would be transparent to the user.

Especially when it comes to health data, you need to be careful.  AND this does not only mean hospitals and doctors.  Sony lost protected health information when they were hacked.  PHI has been lost in other hacks too.  Most organizations store PHI somewhere (often it is HR or in risk management).

While some things in cyber security are hard to do, many things are not hard to do.  If we start with the easy stuff, we do make the job harder for the bad guys.  Not impossible, just harder.  Let’s start doing the simple stuff.  We can worry about the hard stuff a little later.

Information for this post came from The Examiner.

Two Hospitals Learn They Had Been Hacked When FBI Visited

Recently, the FBI has been knocking on businesses’ doors.

First we heard about Scottrade.  In October the FBI came visiting Scottrade.  Hi.  How ya doin’?  Oh, by the way, we found files on 4.6 million of your customers on the dark web.  Have a nice day.

In September it was Owensboro Health in Kentucky.  The FBI visited them and said that they had found their data on the web.  AFTER the FBI visit, Owensboro, now called OH Muhlenberg after a merger, found keystroke loggers on some of their computers.  They think they may have been there since 2012.  The computers with the keystroke loggers were used to enter patient financial data and health information.  Information potentially taken includes name, address, phone number, birth date, social security number, driver’s license number, health plan information, diagnoses, treatment, bank account numbers, credit card information and other data.  In other words, anything and everything.

This is an example of what can happen if you don’t do cyber due diligence.  Owensboro bought Muhlenberg and got a free, full blown data breach at no extra charge.

In December, Maine General announced that they too had been visited by their friends at the FBI to tell them that they had been breached.  This breach seems a little less worrisome in that no financial data was taken – or at least they don’t think so.

The good news is that the FBI is telling businesses that they are finding their data on the web.  The bad news is that the FBI is telling businesses that they are finding ….

At that point, the cat is kind of out of the bag.

After the shock wears off, the CEO gets to call up his Chief Information Security Officer and tells him or her to bring his documented and tested incident response plan over cuz we need to use it.  Like now.  What?  You don’t have a Chief Information Security Officer?  Or an Incident Response Plan?  And that means that it has not been tested.  Oh-Oh!

Needless to say, this is NOT the way the CEO wanted to spend his or her day.  Or the next few years as he or she deals with regulators and lawsuits.  Not much fun at all.

The time to plan is before the FBI pays you a visit.

Information for this post came from Data Breach Today.

Healthcare Ranked #1 – Most Records Breached

This is the time of year for lists.  In this case, the healthcare industry is probably not happy about coming in #1.  IBM has named 2015 as The Year Of The Healthcare Breach, with 34 percent of all records breached being healthcare related.

In just the first half of the year, over 100 million healthcare related records were compromised.

The cyber security universe has focused a lot of its energy on fixing credit card related fraud.  While this is good, it is only solving a very small part of the problem.

An indication of this is that the price of credit card data on the dark web is down dramatically.  Part of this is due to the fact that the credit card industry has improved its ability to detect fraudulent use, but part of it, also, is due to the fact that there are so many fraudulent credit cards out there that there are not enough crooks to use them.

So what is an enterprising information thief to do?

Healthcare records can sell for 50 TIMES what a credit card record sells for on the black market.  Partly this is due to the fact that the insurance industry, both private and government, has not done a great job at cracking down on fraudulent use of healthcare information, but part of it is due to the fact that you cannot change your healthcare information if it gets compromised the way you can change your credit card number.  As a result, the useful life of fraudulently used healthcare information is measured in years, unlike credit cards, where it is measured in days and weeks.

So now we know that healthcare breaches are bigger than credit card breaches, but what is bigger than healthcare breaches?

In my opinion, it is the theft of intellectual property.  This includes employees who leave a company and take customer files, proposals, and other IP as well as people who steal it for financial benefit.

Only occasionally do we get a glimpse of the size of this business and that is usually accidentally.  For example, last month when the attackers who stole customer information from J.P. Morgan Chase were indicted, we got a peek.  Remember, there was no bank account or credit card data in that theft.  Still, according to the U.S. Attorney, the attackers made hundreds of millions of dollars.  They did this by trading on inside information – theft of intellectual property.

And, for the most part, there is no law that requires that the theft of intellectual property be disclosed.  Assuming that the company even knows that it has been stolen.  After all, there is no credit card company or insurance company looking for the use of stolen intellectual property.  And the company still has its data.

Personally, I think that theft of intellectual property dwarfs all other forms of data theft.  And we are not spending a lot of effort stopping it.  China and other countries are masters of it.  By stealing, for example, the plans for the F-35 Joint Strike Fighter, China saved tens of billions of dollars.  First, they don’t need to spend the R&D dollars to develop, for example, new engines – they just copy what we did and second, they don’t need to buy those engines from us – costing us billions in business.  And, they take our technology and sell engines built with it to other countries, reducing the market for our engines – costing us even more money.

This is just a very obvious and large scale example, but on a much smaller scale, if a competitor learns your business methods, they don’t have to develop it themselves and will compete with you using your own processes and technology.  Or try and steal your customers away from you.  You get the idea.

So while healthcare is #1, there is a hidden #1 that we are not even talking about.

Just sayin’.

Information for this post came from HITECHanswers and BreakingDefense.

Another Health Care Provider Hacked

DC based Blue Cross affiliate CareFirst announced last week that, like other Blues, they had been breached.  Information on 1.1 million customers was compromised.  The good news is that this breach did not include health information or credit card numbers.  CareFirst is the 3rd Blue Cross affiliate to announce they have been hacked recently (the others are Anthem and Premera).

Like many other firms, they hired the forensics firm FireEye to assess the damage.

However, CareFirst may be a little different than the other Blues.  In June 2014, almost a year ago, they discovered a breach.

Unfortunately, like forest fires in Colorado, you may think that you have put them out when there are still embers left.  CareFirst thought that they had eliminated the malware.

CareFirst did not do a complete assessment of their entire environment after the first breach.  In fact, it was not until after the Anthem breach that they undertook that investigation and that is when they found that they had not really eradicated the bad guys from their systems.  This decision will likely come back to haunt them as the witch hunts begin.

The healthcare industry has made the bad miscalculation that hackers are after credit card numbers and not personal health information.  Unfortunately, for over a hundred million Americans, that assumption has proved to be inaccurate.

In fact, health care information is selling on the black market for 4 to 10 times what credit card information is selling for ($20-$60 vs. $5).  There are probably several reasons for this, but two main ones are that credit cards can be killed very quickly to stem the bleeding, thereby decreasing their value, and that healthcare information can be used for many purposes over many years.

The BIG healthcare organizations are beginning to understand this and make investments, but they are years behind.  The small healthcare providers have a much bigger challenge because there are a hundred or a thousand times more of them than the biggies and they cannot afford the resources of the biggies.

This cat and mouse game will not end any time soon.

Medical ID Fraud A Challenging Problem

The Medical Identity Fraud Alliance (MIFA) and the Ponemon Institute released their fifth annual study on Medical ID fraud.

Short version of the results:  It is very costly, time consuming and complicated for consumers to resolve medical ID fraud and only 10 percent of the respondents to the study report achieving a completely satisfactory conclusion to the incident.

A copy of the report is available from Ponemon at this address.

Some of the report’s key findings are:

  1. 65% of the medical ID theft victims had to pay an average of $13,500 to resolve the crime.
  2. Only 10% of respondents reported achieving a completely satisfactory conclusion to the incident.
  3. Those who resolved the crime spent an average of 200 hours to resolve the issue.
  4. Many respondents felt that medical ID fraud had a negative impact on their reputation due to having to discuss very personal subjects with a variety of people.

The report, about 40 pages long, has some interesting specifics as well –

  • 68% of the respondents are not confident that their health care providers’ security measures will protect their medical records.
  • About half of the respondents think that electronic health records (mandated by the ACA) increase their risk of being a medical ID theft victim.
  • In case of the theft of a respondent’s medical records, 80% want to be reimbursed for costs, 40% want the organization to notify them promptly and 28% want the organization to provide medical ID theft protection.

NOTE: organizations are not legally required to reimburse you (you can try to sue them) and there is no such thing as medical ID theft protection.  This is all very different from credit card fraud and likely part of the reason that stolen medical records are extremely profitable to crooks.

  • While the rate of medical ID theft is relatively low (about 1% of the respondents), it has doubled in the last 5 years.
  • Approximately 60% of the respondents said their medical ID was stolen to get treatments, prescriptions or obtain government benefits.
  • 53% of the respondents said that a provider’s negligence caused or contributed to the theft while 30% were unsure.  Only 17% did not think the provider was part of the problem.
  • 47% of the respondents said that either a family member used their ID without permission or they shared personal information with someone they know (50/50 split), so a large part of the crime – but only half – is committed by someone the victim knows.
  • 69% of the respondents are either not familiar with or never heard of HIPAA and the privacy standards – even though everyone has to sign a HIPAA statement prior to getting healthcare.
  • Lastly, when asked why they don’t check their health records for accuracy, the respondents answered this way: 53% did not know how to, 39% trust their provider to do it, 35% said their records are not easily available, 33% said it never occurred to them and 25% said they didn’t care.

The last bullet is the most telling one, which puts medical ID fraud where credit card fraud was about 40 years ago.

Hopefully, we can make up the gap in less than another 40 years.