Data Breach at Anthem May Lead to Others

After an online attack on Anthem, by far the largest breach in the industry, security experts warned on Friday that more attacks on health care organizations were likely because of the high value of the data on the black market.

Anthem, one of the country’s largest health insurers, said the hackers did not appear to have stolen information about its customers’ medical claims. But medical identification numbers were taken, along with Social Security numbers, addresses and email addresses, which could be used for medical fraud.

According to a federal database, many much smaller attacks across the country have included both medical records and financial information.

Medical identity theft has become a booming business, according to security experts, who warn that other health care companies are likely to be targeted as a result of the hackers’ success in penetrating Anthem’s computer systems. Hackers often try one company to test their methods before moving on to others, and criminals are becoming increasingly creative in their use of medical information, experts say.

“The industry has become, over the last three years, a much bigger target,” said Daniel Nutkis, the chief executive of the Health Information Trust Alliance, an industry group that works with health care organizations to improve their data security.

The publicity surrounding the breach, which exposed information on about 80 million people, is already generating phishing email scams, in which criminals posing as legitimate businesses try to persuade people to sign up for bogus credit protection services and provide personal information about themselves.

On Friday, Anthem sent out an alert to its customers warning them of the scam, which the company described as an “opportunistic” attempt to take advantage of news of the breach, but the company emphasized it had no evidence that the scam artists were the hackers.

The company, which operates under a series of Blue Cross plans in states like California, Connecticut and New York, is working with federal investigators to determine the source of the attack. Some signs continued to point to China, which has previously been thought to target health care companies, although the investigation is still in its early stages.

If Chinese hackers are responsible, it raises an immediate and hard-to-answer question: Are they acting on behalf of the government? Or are they independent actors, seeking to sell the information they have obtained?

Last year, 18 health care providers reported data breaches because of some form of hacking. Information at Centura Health was compromised last year after a phishing scheme obtained access to employee email accounts. The data included, in some instances, Social Security numbers, Medicare beneficiary numbers and clinical information for 12,000 patients of the facility, based in Englewood, Colo. In another case, a keystroke logger virus that infected three computers for a few weeks early last year at the student health center at the University of California, Irvine, may have captured patients’ health and dental insurance numbers and diagnoses.

Health care providers have sharply increased their spending on data security in the last year, but they remain technologically far behind other industries, say experts.

“When we go to a health care show and you look at the screens of different systems, it’s like we’re looking at Windows XP,” said Bob Janacek, a co-founder and chief technology officer of DataMotion, an email encryption and health information service provider. “But you go to a banking show and they’re talking about how to slice a billionth of a second off a transaction to get a competitive edge, it’s just totally different.”

In the new electronic records world, security experts say the risks of a data breach are found on many fronts. For instance, there are systems and protocols that allow for patient medical records to be encrypted and emailed from one provider to another, but some doctors are sending clinical records through personal email accounts using their own smartphones or tablets.

The Anthem breach has become the subject of intense regulatory scrutiny. Several state attorneys general are also conducting their own investigations or considering doing so, including George Jepsen, the Connecticut attorney general.

The National Association of Insurance Commissioners, a group of state insurance regulators, said it planned a multistate examination of the insurer. “We are in agreement that an immediate and comprehensive review of the company’s security must be a priority to ensure protection of consumers who are covered by Anthem,” said Monica Lindeen, the association president and the Montana insurance regulator, in a statement.

Tara Siegel Bernard, Matthew Goldstein and David E. Sanger contributed reporting.

A version of this article appears in print on February 7, 2015, on page B1 of the New York edition with the headline: Data Breach at Anthem May Augur a Trend.

The New York Times