Medical Identity Theft: 12 Million Patients Breached

Quest Diagnostics, a US-based provider of medical testing services, announced that a third-party billing collections vendor it used was hit by a severe data breach. About 11.9 million Quest patients were affected.

The compromised information could include patients’ personal data, including Social Security numbers, as well as medical and financial information. Laboratory test results, however, were not included in the breach.

What Happened?

The AMCA (American Medical Collection Agency), a billing collections service provider, informed Quest Diagnostics that an unauthorized user had gained access to the AMCA system, which contained personal information that AMCA had received from a variety of entities, including Quest. AMCA provides its collections services to Optum360, a Quest contractor. Both Optum360 and Quest are working with experts to investigate the incident.

Quest also noted that it still has little information about the security incident at AMCA and does not yet know for certain which data was compromised. In the meantime, the company has stopped sending collection requests to AMCA and will not resume until the issue is resolved.

Quest’s SEC filing revealed that the attackers had access to the AMCA system between August 2018 and March 2019.

According to one data breach website, analysts at Gemini Advisory first discovered the breach. The analysts noticed a CNP (Card Not Present) database that had been posted for sale on a dark web market, and worked out that the data could have been stolen through the AMCA online portal. Gemini Advisory attempted to contact AMCA but received no response, so it contacted US federal law enforcement.

A spokesperson for AMCA said that, upon being informed of a possible data breach by a compliance company that worked with credit card companies, AMCA conducted an internal investigation and took down its online payments page. The company also said it was investigating the breach with the help of an unnamed third-party forensics firm.

The Quest breach primarily exposed financial data together with personal information (SSNs). That kind of information is significantly more lucrative than health information, which criminals can’t readily sell, at least not yet. The financial information disclosed was comprehensive and included bank account and credit card numbers, so victims could have their identities stolen and financial transactions completed in their name.

Affected patients should place a freeze on their credit reports, so that no new credit lines can be opened in their name, and monitor their bank accounts and credit cards for any unusual activity.

Action needs to be taken now: freeze your credit with the bureaus and warn them that your financial information may have been compromised. In addition, financial institutions usually have programs for corrective action that can prevent a compromised credit card or account from being used without permission.

The problem is that insurance and healthcare information has no such centralized process, which makes it extremely difficult to prevent someone without permission from using it.

Jason Hart, cybersecurity evangelist at Thales, added that encrypting the collected data and requiring multi-factor authentication to access it might have spared the companies and the victims these problems.

Ben Goodman, VP of innovation and global strategy at ForgeRock, noted that this is the second known breach for Quest in just three years. For a public company, that can lead to serious repercussions for brand reputation, shareholder trust, and stock price. He also said the exposed data could result in litigation: when First American Financial Corporation exposed 885 million documents full of sensitive information just last week, it took only a few days for a class-action lawsuit to be filed against the company.

Tom Garrubba, CISO and Senior Director at Shared Assessments, wants to see just how quickly the Office for Civil Rights (which oversees HIPAA compliance) moves in to gather information about the breach and determine whether there was negligence and whether Quest is to blame, partially or fully.

Under the HIPAA Omnibus Rule, business associates (the outsourcers) must protect data with the same care required of covered entities, and must demonstrate due diligence to the covered entity.

ROBERT SICILIANO CSP is a #1 Best Selling Amazon.com author, CEO of Safr.Me, and the architect of the CSI Protection certification, a Cyber Social and Identity Protection security awareness training program.

Healthcare High on Hackers’ Hitlist

If you think that retailers are the biggest target for cyber criminals, you have it more than a wee bit wrong. Hackers are really going after the healthcare and pharmaceutical industries. In fact, “Will Healthcare Be the Next Retail?” is the name of a recent report released by BitSight Technologies, a security ratings firm.

The report claims that not all victims of healthcare hacking report breaches, so figuring out the total number of these attacks is difficult. However, the Ponemon Institute released a report stating that hacking of healthcare and insurance companies has jumped 100 percent since 2010.

Why such a jump? It could be because healthcare enterprises have jumped onto the BYOD (bring your own device) bandwagon. This is almost analogous to an employee with a stomach virus coming into the building and spreading the sickness.

Another dynamic: as more doctors use technology to stay connected to their patients, it won’t be surprising to see breaches become more common in the healthcare sector.

What distinguishes healthcare-industry hacking from retail hacking is that the retail hacker simply wants a credit card number. The crook who cracks into medical records, by contrast, gets each patient’s full profile, chock-full of personal medical information.

Healthcare hackers may want to steal your patients’ identities to commit insurance fraud, so your records should be diligently monitored.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.

Healthcare Establishing Customer Security Programs

Consumers really get stiffed when there’s a data breach: they have to change passwords, replace credit cards, and deal with other bothersome tasks, not to mention the grief over stolen personal information.

Healthcare organizations (a prime target of cyber criminals for several reasons) need to think beyond the approach of “Here’s how we’re protecting your data” and shift their thinking to “We are dead serious about our customers’ security.”

This is how healthcare organizations can be truly proactive. While organizations can’t reveal too much about their security plans (doing so can make exploitation easier), they DO need to be generous with candid messages about how vital it is to protect consumer data.

Throwing around the same generic, recycled language about “Here’s what we’re doing to protect you” no longer cuts it and doesn’t build a lot of trust in the consumer. Instead, organizations should impress upon consumers their devotion to security in meaningful and understandable ways.

Consumer security should be free to the customer. This will delight consumers and help ease their anxieties over data safety, while setting the organization apart from its competitors. That’s how to put the brand’s reputation at the top and build customer loyalty.

Key Features of a Solid Customer Security Program

  • Information must be protected at the time of sign-up/data collection, and the customer must be protected should data be lost.
  • Accountability for data recovery and restoration in the event of a breach; this builds customer loyalty.
  • Financial losses must be recovered.
  • Credit reports must be restored.

According to AllClear ID, here is how healthcare organizations can make an impression on their customers:

  • Implement the most current IT practices: securing mobile devices, access points, databases, cloud services, and so on, and monitoring systems for breaches, is paramount.
  • Strengthen the security of employees’ personal mobile devices and the organization’s own devices.
  • Improve employee training, from the bottom up, to reduce mistakes.
  • Reinforce HIPAA compliance.
  • Create an identity protection plan so that potential customers feel confident enrolling and less anxious about the fallout of a security breach.


Healthcare Providers: Customer Security is Good Marketing

Consumers are on red alert about sharing personal data with businesses, thanks to widespread publicity of major data breaches. As a result, many consumers feel trapped when they must reveal personal information just to get a basic quote for healthcare services.

To get a quote, the potential customer must fork over a Social Security number and birthdate, enough information for a thief to commit fraud and identity theft.

Consumers feel as if there’s no escape. Data can be stolen at any point, over a landline phone or a smartphone, on “trusted” websites, or from servers; thieves are just waiting to pounce. So even when a potential (or current) customer has faith in an organization, the customer may be afraid of the pathways they must use to interact with it.

Stolen healthcare information is a goldmine for cyber criminals. It’s big business. This means that protecting it is big business.

One way for healthcare organizations to set themselves apart from the competition is to put a big premium on caring about the customer’s data security. You can’t be nonchalant; you must create a striking impression of sincere concern.

Consumers need much more than assurances about how well you’ll reduce employee negligence, enforce HIPAA compliance, and foil cyber attacks.

Of course, consumers need assurance that you’re doing those things, but they also want to know what the healthcare organization will do in the event of a breach.

AllClear ID outlines the key strategies that will make a big impression on current and potential enrollees in a healthcare plan:

  1. The most state-of-the-art IT practices must be brought on board so that every facet is secured, including cloud services, computers, and smartphones.
  2. All levels of personnel must receive training to minimize errors and to be able to discuss data security comfortably with customers.
  3. A stronger security system must be put in place for the business’s computers and the employees’ personal devices.
  4. Adherence to HIPAA policies must be improved.
  5. Potential customers must be made aware that the company offers an identity protection plan, since this will ease their apprehension.
