Saturday, February 7, 2015

Data Breach of Medical Information and Its Implications

With the recent string of data breaches at the retail stores Target and Home Depot, which exposed information such as credit and debit card data, you'd like to think that this would serve as a red flag for other companies and corporations to secure their systems more effectively. Or, at least, that the companies holding more sensitive and classified information, such as Social Security numbers, would take better precautions to make certain that this information does not get into the wrong hands. Unfortunately, this was not the case on February 4th, when the health care company Anthem reported that it had suffered an enormous data breach. As many as 80 million people's information could have been accessed when Anthem's servers were breached, which infamously makes it the largest breach in the industry. Although it is believed that medical claims were not stolen, the hackers had access to SSNs, addresses and medical ID numbers.

One implication of this information breach is that the data can be used for identity theft. With something as sensitive as a Social Security number, one person could transform into another fairly easily, as the SSN is used by many corporations to identify a person.

Of course, this is more of the "Harry and Marv" approach a la Home Alone: steal from one house and move onto the next, petty crimes, living from stolen possession to stolen possession. The hackers could morph into another person and continue to do this for the remainder of their existence; or, they could consider the information that they have at their disposal as an investment.

The hackers could sell the information on the black market or make it work for them by setting up phishing scams via email. People will pay a pretty penny for information such as credit and debit cards, and I suspect that the price for highly confidential data such as SSNs is even higher. With a copious amount of this data, a hacker could live on the dissemination of that information for the rest of their life.

The other option is to send phishing emails. Phishing involves tricking the user into clicking on a link to a site that looks legitimate and prompts for sensitive information, but sends that information to a rogue source. A data breach of this magnitude could create a snowball effect in that the hackers could continuously "phish" for information and sell it.

With regard to who hacked Anthem, it is currently believed that China was involved, although it is not known whether it was China or who the responsible party is: the Chinese government or independents. The Chinese government would be more interested in the bigger picture of this breach, where this could be an effort to obtain information on higher government officials in the United States.

When I make a doctor's appointment over the phone, I always finish the call in frustration, asking "Why can't this be easier? Why can't they do this online?" Although it would make the experience much easier, our personal information would be put in a place where it has the potential to be stolen. According to a study done by privacy firm Ponemon Institute, approximately 90% of health care companies have had at least 1 data breach over the past 2 years. The implications of sensitive information being stolen, such as identity theft and the selling of your life essentially, show that the security of these systems is not up to par. Or maybe the annoying phone calls to the doctor's office and maintaining paper records are more "secure" than maintaining that information online.

Source:
http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html?ref=technology&_r=0
