Excellus, the BlueCross BlueShield (BCBS) health insurance provider for western New York, announced on Sept. 9 that a cyber attack on its computer systems was discovered Aug. 5. The investigation of the breach revealed that the attack started in Dec. 2013 and had continued undetected ever since. The unauthorized access resulted in the exposure of 10 million personal health records and sensitive identification information. The exposed information could include customers’ names, birth dates, Social Security numbers, mailing addresses, phone numbers, member identification numbers, financial account information and claims information. On its website, the company did not expand on what might be considered part of “claims” information.
Besides Excellus BlueCross BlueShield, Lifetime Healthcare Companies, Lifetime Benefit Solutions, Lifetime Care, Lifetime Health Medical Group, The MedAmerica Companies and Univera Healthcare are all part of the breach. The attack will also affect members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus BCBS. Individuals who do business with the company and provided it with their financial account information or Social Security number are also affected. The company’s BlueCross BlueShield operations were known as BlueCross BlueShield of Central New York, BlueCross BlueShield of the Rochester Area, and BlueCross BlueShield of Utica-Watertown.
Excellus is “part of a $6.6 billion family of companies that finances and delivers health care services to upstate New York and long-term care insurance nationwide,” according to its website. BCBS stated that at this time it has not determined whether any data was removed from the system or used. “As soon as we learned about the cyberattack, we immediately began working to close the vulnerability, and contacted the FBI,” said Elizabeth Martin, an Excellus spokeswoman. She said Excellus is cooperating with the FBI’s investigation.
Of course, security experts will tell you that this information could sit on the black market for years before being used. The stolen information is considered “rich” data, since it includes information that can be used for identity theft or to create a “new” identity, as well as information that could be used to compromise financial accounts. The lost medical records and claims information could be used to illegally get prescription drugs, to expose medical information a person might want to keep quiet, or to get medical care.
Jay Foley, an identity theft victim issues expert, actually helped a woman whose medical identification card was stolen. The thief used her card when registering at a hospital to give birth. The thief was drug-addicted and abandoned the baby, who was undergoing withdrawal, an act considered child negligence. Police showed up at the victim’s house a few days later and arrested her. She had to prove she had not given birth recently, get child-protective records changed and fight the hospital to remove her name from the bills.
Cyber attacks on healthcare providers and insurance companies have increased in the last few years. However, Craig Lund, CEO of SecureAuth, said that almost all of these breaches could have been avoided if the correct security precautions had been taken. He spoke with this writer in an exclusive interview.
He explained that 95 percent of all attacks stem from compromised credentials and that 88 percent of healthcare breaches are due to spear phishing attacks, that is, attacks directed at specific users who have access to sensitive information in order to embed malware. That means the key to blocking hackers is to robustly identify any person or device with access to a company’s computer system. Most companies use electronic credentials to keep employees from seeing all company records. Electronic credentials represent the various levels of approved access to databases and sensitive files. For instance, only people who need to see billing information will be given access to that area of the computer system.
“To solve the problem of unauthorized use of credentials, SecureAuth developed a system that integrates with the client’s existing computer and security systems. When a user logs in to a PC or uses a mobile device they must identify themselves. It starts with a user id and password like most systems but goes far deeper. SecureAuth creates a digital fingerprint for each PC, laptop, and mobile device that is allowed to be used by employees.”
Lund explained that this digital fingerprint is the key to “avoiding” breaches. It is so sophisticated that it stops unauthorized users who are trying to tap into a system via a bot or a stolen mobile device, and even insider theft. It recognizes various biometrics, including voice, the typical geo-locations of the device, attempts to access information from an unauthorized computer, and unusual writing patterns.
The key to stopping cyber hacking is to stop attackers from using malware to move laterally through computer systems. While Lund was reluctant to discuss any breach specifically, he did say this: “No one can prevent all breaches. But in conjunction with a vigilant security team, by using robust access control and on-going reporting we can come very close to preventing the types of breaches we’ve been seeing.”