Another Day, Another Health Insurance Breach

Monday, June 08, 2015

Peter Zavlaris


Insurance companies, especially those in healthcare, continue to be prime targets for cybercrime. Even a quick survey of recent disclosures shows that as many as 93.5 million personal records from insurers like Premera Blue Cross, Anthem, Community Health Services and American Income Life were compromised or stolen over the last two years.

The stolen records included detailed financial and medical record data — everything needed for identity theft, credit card fraud, medical billing fraud, and other cybercrimes. To put things in perspective, the number of records involved equals about 30% of the total US population.

Unfortunately, the list of breaches at health insurers continues to grow in line with the 50% per year increase seen across all industries in 2014. In mid-May, Brian Krebs reported on the latest breach at a health insurer:

CareFirst BlueCross BlueShield said it had been hit with a data breach that compromised the personal information of approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.

However, even more worrying than the theft of insurers’ data from internal IT systems is the threat that their customers face from compromised elements OUTSIDE the insurer’s firewall.

Earlier this year RiskIQ undertook a detailed survey across all insurance industry segments to assess the security risks facing the digital footprints of the top 41 insurers. In total, the survey cataloged and examined over 200,000 web assets and 770 individual mobile apps associated with these insurers. The results clearly showed that every one of the surveyed insurers had significant external security risks that could compromise both their perimeter security and their brand equity with consumers.

For example, the survey found that 100% had a minimum of 6 broken SSL certificates with 20% having over 900 — opening them up to traffic interception via man-in-the-middle attacks and domain squatting by phishing websites.

So while the potential threats from data thefts requiring the breach of an insurer’s security perimeter are daunting, they can pale in comparison to the risks from their ever-expanding digital footprints, all of which desperately need to be inventoried and secured. Left unchecked, these security holes provide cybercriminals with easy ways to launch attacks against unsuspecting insurance customers.

This was cross-posted from the RiskIQ blog.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.