The NY Times recently published a story that yet another major health insurance provider-this time CareFirst, serving the Washington, DC area-had been breached. The attack exposes possibly as many as 1.1 million patients, though the company offers up that things like Social Security numbers and other sensitive financial data did not appear to be grabbed during the attack. That fact may be little comfort to someone who did have their name, e-mail and birthday compromised-it’s enough to be annoying, that’s for sure.
What I found most interesting, perhaps, was the idea that this breach happened in June of last year, but was only discovered when CareFirst, in light of the other high profile breaches, engaged a 3rd party to analyze their systems for weaknesses. It was during that review that the 3rd party discovered the June incursion-last month. While I am already a firm believer that most of the major hacks were discovered well enough after the initial breach, in part due to the quantity of data that was reported as stolen during the attack, to have been breached and exposed for nearly a year is a scary proposition. If anything, CareFirst and the patients that rely on the insurance company are quite lucky that the intrusion did not grant the bad actors access to anything beyond names, e-mails and birthdays. That the attackers were unable to pull any sensitive medical or financial data is amazing.
What does this mean for you?
As a consumer, surely you have a reason to be concerned. If someone has your personal information and are not doing what is necessary to secure that information, then you are in a pickle. For the customers of the previously hacked Anthem and Premera insurance providers, the consolation may be that, at this point, none of the personal and valuable information appears to have landed on the black market-this may indicate it was a state-based attack, as opposed to a hacker group out for profit (something else that notoriously security-lax health care companies are at risk for).
As a health care company? My advice would be to engage a security-focused firm to audit your facility and infrastructure as soon as feasible, and in an ongoing manner moving forward, to ensure things are as secure as they can and need to be. CareFirst, had they not brought in a company to check things out, may still not have discovered the 2014 incident. And once the initial audit has been performed, it would be a wise time to update corporate policies pertaining to device and information security, to ensure that your team is more vigilant and prepared moving forward.