Cyberattacks on Health Insurers Continue
The Latest Victim: Washington Blue Cross Blue Shield Plan
A recent cyberattack on a Washington-based health plan, which the company believes was carried out by a foreign cybercrime group, is the latest in a series of hacking incidents targeting health insurers.
CareFirst BlueCross BlueShield Community Health Plan District of Columbia - formerly Trusted Health Plans Inc. - said the hacking incident affected 201,000 individuals and involved a network server, according to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
In an FAQ section about the incident posted on its website, the company says that on Jan. 28, it learned of an attack on its computer systems.
"They stole personal information," the statement says. Among those affected are anyone who has been an enrollee of CHPDC, as well as the enrollees of the former Trusted Health Plan Michigan. Also affected are members who were enrolled in the Harbor Health Medicare Advantage or Exchange plans before December 2017.
Current and former employees of CHPDC were also affected, along with providers who received payment from CHPDC for services provided to D.C. Medicaid enrollees as well as other business partners of the company, the statement notes.
Exposed enrollee information includes name, address, telephone number, date of birth, Social Security number, Medicaid identification number and medical information. Also exposed was certain claims information and, in some cases, clinical information, CHPDC says.
For current and former employees, personal information compromised includes name, address, date of birth and Social Security number.
Business partner and provider information affected includes business name, business address and Social Security number or tax identification number.
The health plan says it hired security vendor CrowdStrike to assist in taking a series of steps designed to further protect personal information. That included "changing every password, monitoring for signs of data misuse and finding out how the attack happened to avoid it from happening again."
CHPDC says it reported the incident to the FBI. "We believe that a foreign cybercriminal group was likely responsible," it says, without providing more details.
The health plan did not immediately respond to an Information Security Media Group request for additional details.
Health Insurers Targeted
Cybercrime has been increasing in all sectors, but the healthcare industry is a particularly appealing target for ransomware gangs and other criminals, says crisis management and investigations attorney Bill Moran of the law firm Otterbourg P.C.
"Healthcare providers, like hospitals, are more likely to pay a ransom than allow their systems to be shut down for an extensive period of time and potentially jeopardize the health of patients," he notes. "Hackers have preyed on health insurers and health plans because their online systems contain the personal information of both providers and their patients that may provide the keys to penetrate the online systems of the providers - as well, to a lesser extent, of their patients."
Hackers often attempt to sell stolen data - or their expertise in penetrating systems - on the dark web "to anyone who will pay," he adds.
Of the 151 health data breaches affecting about 12.3 million individuals added to the HHS tally so far in 2021, 27 breaches affecting more than 5.5 million individuals were reported by health insurers.
For example, Michigan-based Total Health Care recently reported a breach affecting more than 221,000 individuals.
The largest breach added to the federal tally so far this year, reported in January by health insurer Florida Healthy Kids Corp., affected 3.5 million individuals.
Since 2009, health insurers have reported to HHS at least 500 major health data breaches affecting a total of nearly 126 million individuals, according to the federal tally.
The largest health data breach ever added to the tally was a 2014 hacking incident affecting nearly 79 million individuals reported in February 2015 by health insurer Anthem Inc.
That incident resulted in several multimillion-dollar enforcement actions by state and federal regulators, as well as dozens of class-action lawsuits that were consolidated and settled for $115 million in 2018.
Among the state enforcement actions against Anthem in that incident was an $8.7 million settlement with then-California Attorney General Xavier Becerra, who is now secretary of HHS. That settlement resolved allegations that Anthem violated California’s consumer protection laws as well as HIPAA.
In 2019, two Chinese men were indicted on charges related to the breach of Anthem (see: Chinese Men Charged With Hacking Health Insurer Anthem).
'Gold Mine' for Hackers
Health insurers are a "gold mine" for stealing personal information as well as protected health information, says Cathie Brown, vice president of consulting services at Clearwater, a privacy and security consultancy.
"Health insurers are attractive targets for hackers because of the breadth and depth of data that makes up their business," she notes. "The foreign market for purchasing this type of data in bulk has grown, and nation-state hackers are exploiting this market, making large profits with relatively low risk of being caught."
Health insurers and other healthcare sector organizations need to implement a cycle of continuous risk analysis followed by risk management, she advises. "This approach allows for identification, prioritization and remediation of missing controls on a continuous basis."