Third Healthcare Insurer Hacked This Year; Affecting 1.1 Million
Yet another healthcare insurer reports a data breach, supporting the Ponemon Institute's research that found criminal attacks on healthcare organizations have jumped 125 percent compared to five years ago. CareFirst BlueCross BlueShield was breached last June and only recently discovered that attackers had accessed a database containing the data of 1.1 million current and former members in the District of Columbia, Maryland and Virginia.
This is the third largest healthcare insurer breach this year. According to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, the most targeted and valuable type of healthcare data includes medical files and billing and insurance records. This may make health insurance data attractive to attackers intending to sell or use it for medical identity theft.
In March, Premera Blue Cross reported that their network server had been hacked, affecting the medical and financial data of 11 million individuals. In an IT security audit report released last November, the Office of Personnel Management (OPM) found that Premera wasn’t using multi-factor authentication to protect physical access to their Washington-based data center computer room. Other security issues included the lack of timely patch management, and no insight into whether outdated or unsupported software was in use. A number of insecure server configurations were also reported.
Prior to the Premera breach, Indianapolis-based Anthem Inc. reported the mother of all healthcare breaches, affecting 80 million customers and employees. Malicious hackers obtained the administrative access credentials to an Anthem database, as the Wall Street Journal reported. They were also able to steal the credentials of five different technical employees at the health insurer during the attack.
And prior to being named Anthem, the company was known as WellPoint. In 2013, the company paid the Dept. of Health & Human Services $1.7 million after an online application database containing over 600k records was found to be accessible publicly online.
### A Healthcare Insurer Breach Campaign? Or Merely Coincidence?
Now investigators and researchers are asking, is this string of healthcare insurer breaches merely coincidence? Or could they be perpetrated by the same threat actors?
According to the NYTimes.com, CareFirst’s chief executive said the Federal Bureau of Investigation is looking into their breach, as well as into the attacks against Premera and Anthem. While many news media outlets are quickly jumping to attribution, it’s still unclear and unconfirmed as to whether or not they’re related or state-sponsored.
Brian Krebs reported on ThreatConnect researchers' analysis of look-alike domain names, registered in China, that mimic Premera, Anthem and CareFirst. The look-alike names use 1337/l33t speak, swapping the "i" and "l" of the brand name for the numeral 1 (e.g., carefirst.com becomes caref1rst[dot]com). Apparently, the same bulk registrant in China that registered the Premera and Anthem domains earlier this year also registered the CareFirst domains.
ThreatConnect published an interesting domain name tree of the registered look-alikes, mimicking Anthem (formerly WellPoint) domains for Virtual Private Network (VPN), Human Resources (HR) and Citrix services. This gives useful insight into what the attackers were after: a user who follows a phishing link to a look-alike VPN or Citrix portal hands over their employee login credentials, and the HR-themed names suggest specific departments were targeted. See part of the tree below:
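The look-alike technique above is easy to hunt for in your own logs or in newly registered domain feeds. The following is an added example (not ThreatConnect's or the page author's code) that generates the l33t-speak variants of a set of brand names and flags any domain whose labels contain one. The page only describes the i/l-to-1 substitution; the o/e/a substitutions here generalize the same idea. The brand list, the substitution table and the sample "newly registered" domains are all constructed for the example, and defanged `[.]`/`[dot]` notation is normalized before matching.

```python
import itertools

# l33t-speak substitutions. The page describes i->1 and l->1; o, e and a
# are added here as a generalization of the same technique (assumption).
LEET = {"i": "1", "l": "1", "o": "0", "e": "3", "a": "4"}

# Constructed brand labels to protect (second-level labels, lowercase).
BRANDS = ["carefirst", "premera", "anthem", "wellpoint"]

# Constructed sample of "newly registered" domains, some defanged.
SAMPLE_DOMAINS = [
    "caref1rst[dot]com",
    "we11point.com",
    "myhr.we11point.com",
    "prem3ra.com",
    "citrix.anth3m.com",
    "carefirst.com",   # the genuine brand domain: not a l33t variant
    "example.com",
]


def leet_variants(label):
    """Return every string made by l33t-substituting a non-empty subset of eligible characters."""
    positions = [i for i, ch in enumerate(label) if ch in LEET]
    variants = set()
    for r in range(1, len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(label)
            for p in combo:
                chars[p] = LEET[chars[p]]
            variants.add("".join(chars))
    return variants


def normalize_domain(domain):
    """Lowercase and undo common defanging so 'x[dot]com' and 'x[.]com' match 'x.com'."""
    return domain.lower().replace("[dot]", ".").replace("[.]", ".")


def find_lookalikes(brands, domains):
    """Map each flagged domain to (brand, matched l33t variant).

    A domain is flagged when any of its labels contains a l33t variant of a brand.
    The unmodified brand string itself is deliberately not flagged here, so the
    legitimate brand domain does not show up as a hit.
    """
    variant_to_brand = {}
    for brand in brands:
        for variant in leet_variants(brand):
            variant_to_brand[variant] = brand
    hits = {}
    for original in domains:
        for label in normalize_domain(original).split("."):
            match = next((v for v in variant_to_brand if v in label), None)
            if match is not None:
                hits[original] = (variant_to_brand[match], match)
                break
    return hits


if __name__ == "__main__":
    for domain, (brand, variant) in sorted(find_lookalikes(BRANDS, SAMPLE_DOMAINS).items()):
        print(f"{domain:24} looks like {brand!r} via {variant!r}")
```

Substring matching on each label is what catches subdomain-style names such as `myhr.we11point.com`; the cost is that very short brand labels can produce false positives, so keep the brand list to names long enough to be distinctive.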
Stolen login credentials appear to be a repeated theme throughout these breaches. One way healthcare organizations and healthcare vendors can protect their companies and patients is by lessening their reliance on passwords for secure access to their company applications.
By deploying a two-factor authentication solution, remote attackers can no longer log into your VPNs and cloud apps with just a stolen password. They'd have to sail across the sea and somehow steal your smartphone, too, because a two-factor solution using a mobile app also requires the login to be approved via a push notification on the user's enrolled phone. This also helps protect users in the aftermath of a data breach, when they're often targeted with phishing emails pretending to offer free credit monitoring: a password phished that way still cannot be used on its own.
Our newest solution, Duo Platform Edition, provides that type of two-factor authentication protection, in addition to advanced policies and controls based on user location, such as the ability to block login attempts from countries you never do business in. With real-time geolocation, you can also see where your users are logging in from. And with geo-velocity, you can tell when a user's logins imply physically impossible travel (one minute your user is in the U.S., the next he or she is logging in from China? Impossible).
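To make the geo-blocking and geo-velocity checks above concrete, here is an added example (not Duo's product code) of the detection logic run over a handful of login events. It computes the great-circle distance between a user's consecutive logins, derives the speed that travel would require, and flags a login when that speed exceeds a threshold or when the source country is on a deny list. The event records, the coordinates, the deny list and the 1000 km/h threshold are all constructed for the example.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed login events: user, ISO 8601 timestamp, geolocated lat/lon, ISO country code.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2015-05-20T10:00:00+00:00", "lat": 38.9072, "lon": -77.0369, "country": "US"},   # Washington, DC
    {"user": "alice", "ts": "2015-05-20T10:30:00+00:00", "lat": 39.9042, "lon": 116.4074, "country": "CN"},   # Beijing, 30 min later
    {"user": "bob",   "ts": "2015-05-20T09:00:00+00:00", "lat": 40.7128, "lon": -74.0060, "country": "US"},   # New York
    {"user": "bob",   "ts": "2015-05-20T13:00:00+00:00", "lat": 42.3601, "lon": -71.0589, "country": "US"},   # Boston, 4 h later
    {"user": "carol", "ts": "2015-05-20T11:00:00+00:00", "lat": 31.2304, "lon": 121.4737, "country": "CN"},   # Shanghai, first login
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def evaluate_logins(events, denied_countries=frozenset(), max_speed_kmh=1000.0):
    """Return [(user, ts, reasons)] for logins that violate the location policy.

    reasons is a tuple containing 'denied_country' when the source country is
    geo-blocked and/or 'impossible_travel' when reaching this login's location
    from the user's previous accepted login would require more than
    max_speed_kmh. Flagged logins do not update the user's last known location,
    so an attacker's blocked attempt cannot "move" the legitimate user.
    """
    last_seen = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        reasons = []
        if ev["country"] in denied_countries:
            reasons.append("denied_country")
        prev = last_seen.get(ev["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ts - prev["ts"]).total_seconds() / 3600.0
            if hours > 0:
                speed = dist / hours
            else:
                # Simultaneous logins: same place (within 1 km) is fine, anything else is impossible.
                speed = 0.0 if dist <= 1.0 else float("inf")
            if speed > max_speed_kmh:
                reasons.append("impossible_travel")
        if reasons:
            findings.append((ev["user"], ev["ts"], tuple(reasons)))
        else:
            last_seen[ev["user"]] = {"ts": ts, "lat": ev["lat"], "lon": ev["lon"]}
    return findings


if __name__ == "__main__":
    for user, ts, reasons in evaluate_logins(SAMPLE_EVENTS, denied_countries=frozenset({"CN"})):
        print(f"{ts} {user:6} {', '.join(reasons)}")
```

With the constructed data, Alice's Beijing login is roughly 11,100 km from her Washington login half an hour earlier (over 20,000 km/h), so it is flagged for impossible travel as well as for the denied country; Bob's New York-to-Boston pair (about 300 km in four hours) passes; Carol's first login is flagged only because of the deny list. A 1000 km/h threshold sits comfortably above airliner speed, so it tolerates real travel while still catching the U.S.-then-China pattern described above.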
### Securing Patient Data: Breach Prevention Doesn't Have to Be Brain Surgery
For more about patient data security, download our newest industry guide, Duo Security's Guide to Securing Patient Data: Breach Prevention Doesn't Have to Be Brain Surgery.
To help you navigate patient data security, our guide will:
- Summarize relevant health IT security legislation, including federal and state
- Provide information security guidelines on remote access risks and solutions
- Provide extensive security resources and a real hospital customer story
- Explain how to protect against modern attacks and meet regulatory compliance with two-factor authentication
Ideal for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers that need to implement strong authentication security, as well as those evaluating two-factor authentication solutions for organizations in the healthcare industry.