In recent years, federal prosecutors have broken up criminal gangs based in Armenia and Ukraine running massive Medicare and insurance-fraud schemes, but thus far, no information about the intent of the Utah hackers has been released by officials in that state and no fraudulent uses of the data have been reported.
That could come later, predicted Pam Dixon, executive director of the World Privacy Forum, a San Diego-based not-for-profit organization that pioneered research into the once obscure field of medical identity theft. Dixon said the records stolen from Utah are likely to be used in medical frauds, and if that happens, fictitious records based on those frauds “are going to proliferate through health information exchanges and public health databases.”
But there is an upside, Dixon said. “I really see this breach as the marking of a new era,” she said. “This is the wake-up call that should and will mark the area in which healthcare providers realize their data is the most criminally desirable available.”
Utah Gov. Gary Herbert pledged last week to do all he could to restore citizens' trust in government operations, including hiring outside auditors to review all of the state's data security procedures.
“Our immediate priority is to protect those whose personal information has been exposed,” Herbert said in a statement. “Therefore, we will continue to work with law enforcement, including the FBI, to find the criminals responsible.”
The hack, which occurred March 30, was publicly disclosed by the Utah Health Department and the technology department on April 4.
A computer server operated by the technology department had been breached, with 24,000 Medicaid recipients affected, the state announced. Two days later, the victim count had jumped to nearly 182,000, and broadened to include an unspecified number of CHIP participants. By April 9, the number of affected individuals had soared to 780,000.
State officials said a “configuration error occurred at the password authentication level,” allowing hackers to “circumvent” its security system. Also, the hijacked server “was not configured according to normal procedure,” they said.
The Utah breach is larger than all of the previous ones attributed to hackers combined since HHS began requiring healthcare organizations to report breaches in September 2009. The Office for Civil Rights at HHS is required under stimulus law to post details of episodes involving more than 500 records on a public website, which as of last week listed 410 breaches involving 19.2 million records. Only 24, or 6%, involved incidents of hacking, exposing 550,083 records.
Security expert Michael “Mac” McMillan said there is no question hackers are interested in profiting from security lapses in the healthcare industry. “It's the old supply and demand scenario,” said McMillan, the founder and CEO of CynergisTek, an Austin, Texas-based security consulting firm serving the healthcare industry. The black market value of an individual's identity information including a Social Security number is about $1, he said, compared with $50 for medical identity information.
Three months ago, McMillan said, one of his firm's healthcare clients called to report some “erratic behavior” on its network.
“We had them close off all of their external connectivity,” McMillan said. On close inspection, security experts discovered a highly sophisticated hacker had penetrated one portion of the organization's system not protected by commercial anti-virus software. The malware deposited there established a beachhead and proceeded to shut off the anti-virus software in other parts of the system and close down its internal auditing function. Then, the virus went to work on its real mission, McMillan said.
It “began to collect very specific patient information, identities, Social Security numbers and put that information into a temp file,” he said. “And the software had this capability of packaging up that temp file and sending it back to China.”
“Fortunately,” McMillan said, because the external links were shut down, “we were able to find the temp files and determine that none of them had been sent yet, so none of the information got out.”