

High Profile Security Breaches: Healthcare Industry

Dec 7, 2017 1:00:00 PM / by AppSolid Team


High-profile security breaches are so common in our mobile app-driven society that most of us are no longer shocked when a previously trusted company reveals a major breach. It’s easy to forget how much is at stake -- particularly for small businesses that offer apps.

Healthcare data occupies a uniquely sensitive niche. It usually sits alongside financial and identity data (a consumer paying for health insurance online, for example), so it can be a stepping stone to other accounts. It’s also among the most personal information people maintain. Know enough about someone’s health, and you can publicly embarrass them, anticipate future conditions they may develop, and perhaps even gain a keen understanding of their psychological vulnerabilities.

This is why business owners offering healthcare mobile apps must be especially diligent. There’s much to lose. The problem is that most businesses think it won’t happen to them. They think their security is good enough, or that their company is too small and unimportant to be targeted, or that their customers will be too savvy to fall for a phishing attack. The list of reasons companies dream up not to fully secure their apps goes on and on. But anyone can be a target. If these industry leaders could be targeted -- despite having access to the best minds the security industry has to offer -- so can you. Let’s take a look at some of the high profile security breaches that have targeted healthcare over the last few years.

Summit Reinsurance Services

Summit Reinsurance Services disclosed in early 2017 a ransomware attack that hit at least one of its servers. The intrusion began when an attacker compromised a Summit server. Roughly five months later, the attacker encrypted thousands of files and demanded a ransom to decrypt them. That long dwell time between initial access and the ransomware deployment suggests the criminals may have stolen consumer data well before they triggered the encryption -- a pattern worth remembering, because a ransomware event is often the visible end of a much longer intrusion.

The breach affected numerous small insurance plans. WellCare of Florida, for instance, stated that nearly 25,000 consumer records were exposed in the breach. In Delaware, BlueCross/BlueShield reported that 19,000 consumers were affected.

Healthcare.gov/Obamacare


Healthcare.gov -- home to the Obamacare health exchanges loved by many and loathed by many others -- has long been the source of controversy. It’s also been a frequent target for hackers. Both critics and supporters of Obamacare warned that the site was insufficiently secure. That’s scary given how much personal data it requires -- everything from a person’s Social Security information to details about their family structure and health history.

Many of the attacks have been smaller-scale undertakings that used social engineering to obtain users’ passwords and other sensitive data. In 2014, though, an attacker broke into a server supporting the site and planted malicious code on it.

Like most things centering around the Obamacare exchange, the attack was immediately politicized. The White House insisted that no user data was stolen, and that the hole had been fixed. Republicans called the attack outrageous and insisted it could happen again. Exchange users were left in the cross hairs, unsure of whether their data was secure or not.

The health insurance exchange continues to be criticized for lax security. When the marketplace first opened, the clunky interface and dreadfully slow loading also drew criticism. Critics claim that developers focused on fixing those problems first, rather than addressing the deeper issues with the site -- including holes in its payment system. It’s unclear how secure the exchange is today, and the current administration has been reducing the funding used to administer the site, which makes it harder to be confident that the remaining gaps are being closed.

So what’s the lesson in the Obamacare disaster? Transparency is everything. Health insurance marketplace users continue to be uncertain whether their data is secure. Opposing political factions have used the breach for their own ends, but have done little to ensure consumer security. Companies that are breached need to be honest about what happened and what was exposed. Anything that politicizes a breach leaves consumers to pick up the pieces. That’s not a good outcome for anyone.

Anthem/BlueCross/BlueShield


Anthem (then WellPoint) landed in hot water in 2013, when it settled allegations with federal regulators that security holes in an online application system had exposed the private data of roughly 600,000 people.

Anthem, which operates BlueCross BlueShield plans in a number of states, also reported one of the largest data breaches ever in 2015. The attack began when an intruder broke into Anthem’s systems and accessed nearly 80 million consumer records. The breach extended across several of Anthem’s brands, and centered on the data warehouse the insurer used to market its products to consumers in numerous states.

Perhaps most troubling was the fact that the breach went unnoticed for months. A database administrator uncovered the attack after noticing that a query was running under his own account identifier -- but not with his knowledge or permission. In other words, the intrusion was caught not by a security tool but by one person recognizing activity under his credentials that he had not initiated.
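The detection moment described above (a privileged account running queries it should not be running) is something that can be checked automatically rather than left to chance. The script below is an added example, not code from the original post or from Anthem: it runs over a handful of constructed database audit log lines, learns which client hosts each account normally queries from during a baseline period, and then flags later queries by a privileged account that come from an unknown host, run outside assumed working hours, return an unusually large number of rows, or pull an entire table without a WHERE clause. The log format, account names, hosts and thresholds are all assumptions made for the example.

```python
"""Flag queries run under a privileged database account from an
unexpected host, outside normal hours, or in bulk.

Added example for illustration; not code from the original post or
from any company it describes. Log format, accounts, hosts and
thresholds below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp, db account, client host, rows returned, query
SAMPLE_LOG = """\
2015-01-20T09:12:44 dbadmin 10.1.5.23 12 SELECT member_id FROM members WHERE plan='A1'
2015-01-21T10:03:10 dbadmin 10.1.5.23 40 SELECT member_id, dob FROM members WHERE plan='B7'
2015-01-22T14:45:01 dbadmin 10.1.5.23 3 UPDATE members SET addr='...' WHERE member_id=77
2015-01-22T15:10:37 reports 10.1.7.90 500 SELECT plan, COUNT(*) FROM members GROUP BY plan
2015-01-27T02:17:55 dbadmin 203.0.113.44 78000000 SELECT * FROM members
2015-01-27T02:31:02 dbadmin 203.0.113.44 78000000 SELECT * FROM claims
"""

PRIVILEGED = {"dbadmin"}      # assumed: accounts whose activity we scrutinize
WORK_HOURS = range(7, 20)     # assumed baseline: 07:00-19:59 local time
BULK_ROWS = 100_000           # assumed threshold for a bulk export


def parse_line(line):
    """Split one audit line into its fields; the query is the remainder."""
    ts, account, host, rows, query = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "host": host, "rows": int(rows), "query": query}


def build_baseline(events):
    """Learn the set of client hosts each account has been seen from."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["account"]].add(e["host"])
    return hosts


def reasons_for(event, known_hosts):
    """Return the list of rules this event violates (empty if none)."""
    reasons = []
    if event["host"] not in known_hosts:
        reasons.append("new_host")
    if event["ts"].hour not in WORK_HOURS:
        reasons.append("off_hours")
    if event["rows"] >= BULK_ROWS:
        reasons.append("bulk_rows")
    q = event["query"].upper()
    if q.startswith("SELECT") and " WHERE " not in q:
        reasons.append("unfiltered_select")
    return reasons


def find_anomalies(log_text, baseline_end):
    """Use events before baseline_end (ISO timestamp) as the baseline,
    then flag privileged-account events at or after it."""
    cutoff = datetime.fromisoformat(baseline_end)
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    baseline = build_baseline(e for e in events if e["ts"] < cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff or e["account"] not in PRIVILEGED:
            continue
        reasons = reasons_for(e, baseline.get(e["account"], set()))
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "account": e["account"],
                           "host": e["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG, "2015-01-26T00:00:00"):
        print(alert)
```

In the constructed sample the two late-night, full-table queries from an address never seen before trip every rule at once; a real deployment would tune the thresholds per account and feed the alerts to whoever owns that account, so the person whose identifier is being used is the first to know.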

The FBI investigated the attack, but no one was ever prosecuted. Some analysts say the attack looked like it might have come from China, or from another state actor. It’s unclear how or if the data was used, or what its impact could be. The breach could continue to affect consumers for years, as their information is made available on the black market.

Anthem gained public ire when it initially only offered a year of credit monitoring. Consumer watchdogs asserted this wasn’t enough. Ultimately, Anthem settled a $115 million class action lawsuit, without admitting any wrongdoing.

The healthcare giant was not required by law to encrypt its data -- under the HIPAA Security Rule, encryption of stored data is an "addressable" safeguard rather than a mandatory one -- which raised concerns about the legal protections available to healthcare consumers. In the wake of the breach, various state insurance commissioners demanded that Anthem change its security practices to prevent another disaster. Anthem has reportedly spent about $260 million on security improvements to satisfy regulators’ demands for tougher controls.

It might not have been enough. In mid-2017, word came that another incident, this time involving an employee of one of Anthem’s vendors, had exposed the data of about 18,000 Anthem Medicare enrollees.

Various Medical Practices and Providers

You might not hear about them on the national news, but in regions across the United States, hacks targeting popular medical practices are big news -- and big trouble. These hacks demonstrate that you don’t have to be a giant conglomerate to be targeted by hackers. You just have to have data people want. Some of the biggest medical practice victims of 2017 include:

  • Arkansas Oral Facial Surgery Center was locked out of its own files when ransomware encrypted X-rays and other patient records. An investigation suggested that no consumer data was stolen; the attack appears to have been an attempt at extortion rather than theft. The attack affected 128,000 patients.
  • Mid-Michigan Physicians Imaging Center notified 106,000 patients that they may have been targeted by a widespread data breach. The breach originated with McLaren Medical Group, which manages the group’s patient records. McLaren waited five months to report the breach to affected consumers and medical practices.
  • St. Mark’s Surgery Center was the victim of a ransomware attack that targeted data on 33,877 patients. The malware installed during the attack prevented the center from accessing patient records for four days.
  • Pacific Alliance Medical Center was the target of a ransomware attack that affected 266,123 patients. The attack targeted the medical practice’s servers, and encrypted consumer files, preventing providers from gaining access to them.
  • Emory Healthcare’s appointment system was hacked in 2017, potentially affecting 80,000 patients. Hackers removed appointments from the database, demanding ransom to get them back. Emory refused to say whether it paid the ransom, but the consumer records were eventually recovered.
  • Women’s Health Care Group of Pennsylvania discovered in May that 300,000 patient records may have been breached. The intrusion likely began the previous August, when a server and a workstation were infected with malware, which allowed the attackers to comb through data undetected for months before ransomware was deployed.
  • Peachtree Neurological Clinic was the victim of a 15-month breach that affected 176,295 patients. The neurological clinic had been targeted by ransomware in 2016, but narrowly avoided paying ransom. While working to regain access to encrypted files, security analysts discovered another breach that allowed criminals to access sensitive patient data. The clinic offered identity theft protection, and initiated a criminal investigation.

Fitbit


Users might not put their Social Security numbers and addresses into their Fitbit accounts, but these accounts are still a rich source of valuable data. Hackers can learn where and when consumers do just about everything, not to mention access passwords, addresses, and other valuable details.

In 2017, a bug in the edge servers of Cloudflare, the content-delivery and security provider that fronts many popular sites, leaked fragments of server memory into responses served to other visitors. Fitbit was among hundreds of affected sites, along with Uber and OKCupid, so users of several of those services may have had dozens of pieces of data -- session tokens, passwords, personal details -- exposed across multiple applications without anyone attacking those sites directly.

An earlier incident in 2016 also targeted Fitbit users. Attackers logged into accounts using passwords reused from other breaches, changed account details, and then tried to obtain replacement devices from Fitbit under warranty.

TRICARE

The TRICARE data breach affected at least 4.9 million people who had been treated at military facilities in the San Antonio area. Even more troubling, the stolen data went back as far as 1992, giving the thieves a rich variety of records.

Unlike many other high-profile healthcare breaches, this one involved the theft of physical media rather than a network intrusion. Backup tapes holding electronic health records were stolen from the car of a contractor’s employee, demonstrating that careful protection of physical media is vital even in an electronic age. Some of the records were encrypted, but others weren’t; at the time of the breach, TRICARE had no policy requiring encryption of such backups.

It remains unclear how the thieves used the data. In a consolidated class action lawsuit about the breach, a judge dismissed most of the claims, arguing that the plaintiffs in the case had failed to show any specific harm caused by the breach.

CVS Pharmacy

CVS recently landed in trouble for exposing customer data through its photo processing service. Earlier, in 2009, CVS paid a settlement for violating federal HIPAA rules in a way that potentially exposed millions of consumers. A few simple details about a consumer are often sufficient to gain access to their online accounts, which is why discarded paper and physical media, like the backup tapes in the TRICARE breach, deserve the same protection as databases.

CVS failed to properly dispose of physical data, such as prescription pill bottles and prescriptions. Instead, the pharmacy dumped these items in open dumpsters. CVS also failed to provide consumers with an accurate privacy policy telling consumers how it stored and disposed of their digital and physical data.

It remains unclear whether and to what extent consumer data was used by thieves who were able to access improperly stored and disposed records.

Banner Health

Banner Health, a nonprofit healthcare system, was the target of an attack that affected at least 3.7 million of the health provider’s patients.

The attack began with point-of-sale payment systems that processed credit and debit card payments at Banner locations selling food, beverages, and other consumer goods. Investigators initially believed the attackers had only pulled card data. Eventually, the investigation revealed a much wider scope: the criminals had likely accessed numerous patient and health plan records, including names, dates of birth, Social Security numbers, and other information that can be used to steal identities. A foothold in a low-value system became a path into the systems that mattered.

Who’s Behind These Data Breaches?

Data is valuable, no matter who you are. It can be used as blackmail, sold on the dark web, or as a way to access consumers’ other accounts. So who’s behind most attacks? The highest profile security breaches often come from criminal organizations or state actors. Data on American citizens is highly valuable to nations like Russia and China.

Smaller breaches -- those that don’t make the news -- are more likely to come from insiders. That includes current employees, disgruntled ex-staffers, the contractor you hired last year, and anyone else who gains access to some of your data by working with your business. So it’s not enough to secure your data from outside attacks. You must also consider the role insiders may play in security breaches.

Hacks Are on the Rise -- and Your Business Could Be Next

In the popular imagination, hackers are still criminal geniuses operating in the shadows. But damaging attacks no longer require much technical skill, and simple attacks on healthcare entities show no signs of slowing down. For instance, attackers can buy ready-made tools on dark-net markets that give them access to an organization’s email system. All they need to do is send an email carrying a malicious attachment. When the recipient opens it, the malware gives the attacker a foothold on the network and access to the organization’s directory, which usually yields at least one email password. From there, it’s just a few simple steps to a great deal of useful -- and marketable -- information.


Social engineering is also a perennially popular option. Attackers don’t have to break anything with this strategy; they need only gain the trust of an unsuspecting user. This means that businesses need to worry not only about their app security, but also about educating consumers about what legitimate and illegitimate communications look like.

The time to secure your business’s mobile applications is not following a breach. As the stories above demonstrate, that can cost you millions -- and millions more in goodwill. That’s money most businesses don’t have. Moreover, in an increasingly dangerous mobile application environment, strong security is a significant selling point. Consumers don’t want to have to worry that the price they pay for using your application is identity theft or a stolen credit card. So when you can assure them that you offer industry-leading security, you suddenly have a leg up on the competition.

Secure your applications today. With AppSolid, you get industry-leading protection without all the hassle, or the expense. That frees you to do what you do best. Get back to business, and leave the security to us. 


Topics: Cyber Breach, Security Breach
