Wake-up call

Fraud may come later in historic Utah hacking case

Modern Healthcare - - THE WEEK IN HEALTHCARE - Joseph Conn

The exposure to foreign hackers of the records of more than three quarters of a million Utah Medicaid and Children’s Health Insurance Program beneficiaries could become a watershed event in the history of healthcare information technology.

Where the counting left off last week after a series of increasingly worsening reports, Utah officials concluded that the records of some 780,000 people had been exposed by a hacker attack on a Utah Department of Technology Services computer system hosting data for the two state health benefits programs.

It was, by far, the largest breach of healthcare records involving hackers since HHS began collecting breach reports in 2009 pursuant to the American Recovery and Reinvestment Act.

As many as 280,000 victims of the breach also had their Social Security numbers included in the compromised records and will be offered one year of free credit monitoring, state officials said. Those officials said hackers “believed to be operating out of Eastern Europe” were the chief suspects.

In recent years, federal prosecutors have broken up criminal gangs based in Armenia and Ukraine running massive Medicare and insurance-fraud schemes, but thus far, no information about the intent of the Utah hackers has been released by officials in that state and no fraudulent uses of the data have been reported.

That could come later, predicted Pam Dixon, executive director of the World Privacy Forum, a San Diego-based not-for-profit organization that pioneered research into the once obscure field of medical identity theft. Dixon said the records stolen from Utah are likely to be used in medical frauds, and if that happens, fictitious records based on those frauds “are going to proliferate through health information exchanges and public health databases.”

But there is an upside, Dixon said. “I really see this breach as the marking of a new era,” she said. “This is the wake-up call that should and will mark the area in which healthcare providers realize their data is the most criminally desirable available.”

Utah Gov. Gary Herbert pledged last week to do all he could to restore citizens’ trust in government operations, including hiring outside auditors to review all of the state’s data security procedures.

“Our immediate priority is to protect those whose personal information has been exposed,” Herbert said in a statement. “Therefore, we will continue to work with law enforcement, including the FBI, to find the criminals responsible.”

The hack, which occurred March 30, was publicly disclosed by the Utah Health Department and the technology department on April 4.

A computer server operated by the technology department had been breached, with 24,000 Medicaid recipients affected, the state announced. Two days later, the victim count had jumped to nearly 182,000, and broadened to include an unspecified number of CHIP participants. By April 9, the number of affected individuals had soared to 780,000.

State officials said a “configuration error occurred at the password authentication level,” allowing hackers to “circumvent” its security system. Also, the hijacked server “was not configured according to normal procedure,” they said.

The Utah breach is larger than all of the previous ones attributed to hackers combined since HHS began requiring healthcare organizations to report breaches in September 2009. The Office for Civil Rights at HHS is required under stimulus law to post details of episodes involving more than 500 records on a public website, which as of last week listed 410 breaches involving 19.2 million records. Only 24, or 6%, involved incidents of hacking, exposing 550,083 records.

Security expert Michael “Mac” McMillan said there is no question hackers are interested in profiting from security lapses in the healthcare industry. “It’s the old supply and demand scenario,” said McMillan, the founder and CEO of CynergisTek, an Austin, Texas-based security consulting firm serving the healthcare industry. The black market value of an individual’s identity information including a Social Security number is about $1, he said, compared with $50 for medical identity information.

Three months ago, McMillan said, one of his firm’s healthcare clients called to report some “erratic behavior” on its network.

“We had them close off all of their external connectivity,” McMillan said. On close inspection, security experts discovered a highly sophisticated hacker had penetrated one portion of the organization’s system not protected by commercial antivirus software. The malware deposited there established a beachhead and proceeded to shut off the antivirus software in other parts of the system and close down its internal auditing function. Then, the virus went to work on its real mission, McMillan said.

It “began to collect very specific patient information, identities, Social Security numbers and put that information into a temp file,” he said. “And the software had this capability of packaging up that temp file and sending it back to China.”

“Fortunately,” McMillan said, because the external links were shut down, “we were able to find the temp fields and determine that none of them had been sent yet, so none of the information got out.”

