Another Health Care Provider Hacked
DC based Blue Cross affiliate CareFirst announced last week that, like other Blues, they had been breached. Information on 1.1 million customers was compromised. The good news is that this breach did not include health information or credit card numbers. CareFirst is the 3rd Blue Cross affiliate to announce they have been hacked recently (the others are Anthem and Premera). (see articles here and here).
Like many other firms, they hired the forensics firm FireEye to assess the damage.
However, CareFirst may be a little different than the other Blues. In June 2014, almost a year ago, they discovered a breach.
Unfortunately, like forest fires in Colorado, you may think that you have put them out when there are still embers left. CareFirst thought that they had eliminated the malware.
CareFirst did not do a complete assessment of their entire environment after the first breach. In fact, it was not until after the Anthem breach that they undertook that investigation and that is when they found that they had not really eradicated the bad guys from their systems. This decision will likely come back to haunt them as the witch hunts begin.
The healthcare industry has made the bad miscalculation that hackers are after credit card numbers and not personal health information. Unfortunately, for over a hundred million Americans, that assumption has proved to be inaccurate.
In fact, health care information is selling on the black market for 4 to 10 times what credit card information is selling for ($20-$60 vs. $5). There are probably several reasons for this, but two main ones are that credit cards can be killed very quickly to stem the bleeding, thereby decreasing their value and healthcare information can be used for many purposes over many years.
The BIG healthcare organizations are beginning to understand this and make investments, but they are years behind. The small healthcare providers have a much bigger challenge because there are a hundred or a thousand times more of them than the biggies and they cannot afford the resources of the biggies.
This cat and mouse game will not end any time soon.