CareFirst became the third major health insurance company in the USA to disclose a data breach which potentially compromised customer information. It’s been reported that the attack could affect as many as 1.1 million of its customers but, according to CareFirst, the hackers did not gain access to sensitive financial or medical information such as social security numbers, credit card information or medical claims. They did, however, have access to names, email addresses and dates of birth.
The company said the breach happened last June and described it as ‘sophisticated’.
Mark Bower, VP at HP Security Voltage, explained why healthcare companies are prime targets for hackers. “Healthcare entities are the new data gold mines for attackers. The data is lucrative, often unprotected, and useful for medical and identity fraud.” Bower also explained that a compliance-driven security approach doesn’t help these companies when they are under attack. “Unfortunately, many healthcare firms do not have modern data-centric protection in place to neutralise breach risks of these kinds of attacks and are thus vulnerable to being plundered from advanced malware. One reason for this dilemma is the lack of regular enforcement of security standards like PCI DSS. Approaches that simply meet minimum compliance regulations are clearly not sufficient.”
Gavin Reid, VP of threat intelligence at Lancope, has advised users on what they can do to protect their data in these types of circumstances. “Limit who has your personal data when possible – share only with trusted providers that have a need to know. Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”