Why Do Hackers Target Health Insurers?

Premera Blue Cross said yesterday that it had been hacked and its systems accessed over a period dating back to May 2014, a revelation that upended the insurance and health care industries still reeling from the massive Anthem hack just more than a month ago. What’s more, claims and clinical information was among the information exposed on more than 11 million people, which means that in addition to a financial intrusion, this hack is intensely personal for anyone with sensitive health information in the Premera ecosystem.

With the two largest hacks in healthcare history reported this year, and both targeting the payer side consumers might be wondering: Is health insurance under attack?

“Absolutely!” says Joseph Smith, the former CIO of Arkansas Blue Cross and Blue Shield and now a health IT consultant with HITvision. “Money talks, and if [hackers] can sell the information, they will pursue any source of that information.”

But that may not mean much more than if any other industry was the target, Smith continues. It’s true that health insurers hold Social Security numbers, which is the most valuable trove of personally identifiable information that hackers desire. However, he continues, there’s nothing especially special about the clinical or claims data health insurers hold.

Especially because of HIPPA and HITECH, hackers are spending a lot of time on a target to get at data that really doesn’t hold any additional value. And it’s not like there’s going to be a gold mine of other payment information behind the health insurance firewall that could yield any more financial value, he says.

“I believe hackers think there is more value than most of the data to be had. As I indicated, the Social Security number is valuable, but beyond that, the value of diagnosis and/or procedure health status data is not worth much -- except for some high profile people who may have some issue they are protecting,” Smith explains. “Further most health plans do not "retain" much in the way of bank account data nor credit card data, since that requires a much higher level of security -- as is required for banks – and it is much more expensive and complex to install and maintain.”

[See also: Anthem Breach: Warnings, Lessons for Insurance Companies]

That sentiment is echoed across the health insurance industry. When reached for comment, an Aetna spokesperson referred Insurance Networking News to blog entries on its site. In the posts, Aetna stops short of naming clinical information among a list of dataset that it classifies as “sensitive.” “

“Names, addresses, employment information, Social Security numbers (SSNs) and more are worth money on the black market,” Aetna writes. “Aetna has long worked to reduce the SSN “footprint” in its systems … Where possible, Aetna has removed the SSN from reports, stopped transmitting it in many cases, and masked the full number in many of its systems.”

Despite that reality that the most valuable information is available from any number of sources, health insurers understand why they are being targeted: That little bit extra might be valuable in the future. In fact, it’s an indication of the persistence of hackers that health insurers have been breached, as all insurers contacted by INN were adamant that data security is a top priority.

“Cigna recognizes that the health care industry is a potential target for cyber security threats – and we take the safeguarding of our customer and business information very seriously,” Cigna spokesperson Joe Mondy said in an e-mail. “To help identify risks, Cigna conducts regular assessments both in-house and with respected third-party assessors. We track all identified medium and high risk vulnerabilities through to closure by the vulnerability management team. Cigna has also been CyberTrust certified for the last 12 years, a third party validation consisting of multiple tests, policy reviews, and physical data center audits. We have multiple system products that detect, log, and alert us to suspicious traffic.”

Aetna writes that it “actively participates in coalitions of companies, the data intelligence community, health care providers and others to continually detect and share information about cyber threats,” and Smith says Blue plan customers can “count on” information sharing among the plans. However, breach victims and even IT staff who stop breaches are less likely to share with the general public details, Smith says.

“The key point for companies that have been victims of hackings, is to be transparent as possible on the fact that their data was breach…  but not give much at all on the specifics of how it was done,” he says. “Why should any company give heads up to hackers on what we have learned from their hacking strategy?”

[See also: 7 Ways Cyberinsurance Helps Rebuild Post-Breach]