Eleven people have been charged after a Blue Cross Blue Shield of Michigan (BCBSM) employee allegedly printed and shared screen shots of more than 5,000 subscriber profiles. The 11 people are charged with identity theft and credit card fraud, in what some observers are calling an example of how criminals can get past even the best HIPAA security measures.

Noting the insidious nature of such breaches, one former federal prosecutor says there are only two types of organizations: those that have been hacked and know it, and those that have been hacked and don’t yet know it.

In the BCBSM case, three of the accused used the stolen information to purchase more than $742,000 worth of merchandise at Sam’s Club, U.S. Attorney Barbara L. McQuade announced recently in Detroit.

According to the indictment, BCBSM employee Angela Patton printed screen shots containing subscribers’ profiles and gave them to other individuals who used that information to apply for credit in other people’s names and purchase merchandise in stores across the country. Co-conspirators were arrested in Texas, Ohio, and Michigan in possession of BCBSM screen shots coming from Patton’s work computer as well as counterfeit identification cards and credit cards in the names of individual subscribers whose personal information was included in those screen shots.

Agents recovered additional screen shots that included personal information belonging to thousands of BCBSM and Blue Care Network subscribers while executing search warrants at co-conspirators’ homes in metropolitan Detroit. The information included individuals’ names, dates of birth, and Social Security numbers. Counterfeit and re-encoded credit cards and gift cards also were recovered. The indictment alleges that three of the co-conspirators who used counterfeit credit cards at major stores and warehouses fraudulently obtained more than $742,000 worth of merchandise from Sam’s Club alone.

More data and more threats

Former federal prosecutor Thomas G.A. Brown says the BCBSM case is typical of the way healthcare providers are likely to suffer a HIPAA breach. Brown ran the cybercrime unit in the U.S. Attorney General’s Office of the Southern District of New York for 12 years. Until 2014, he was involved with investigating and prosecuting such notable crimes as the Citibank hack, the Silk Road billion dollar drug web site, and many healthcare data breaches. Brown is now senior managing director of the Global Risk & Investigations Practice with FTI Consulting in Washington, DC.

His experience gives him unique insight into how criminals breach data security. “I spent a lot of time in small rooms with hackers and got a very good sense of how they think, why they target things, what they look for, and how they exploit it,” Brown says. “We’re seeing a growth in the volume of sensitive data being collected by companies, and we’re also seeing an increase in the ways that information is accessible through the Internet. That works in the favor of the hackers.”

The BCBSM data breach was not the type most healthcare organizations expect, Brown says, but it also was not unusual. HIPAA breaches originate with employees more than most company executives think, Brown says. “Most companies think of data security as building tall walls to keep the hackers out,” he says. “That overlooks a critical factor, which is the insider’s improper use of permissions. That is just as much a threat as the outsiders.”

Any healthcare provider’s HIPAA security plan should address the threat from insiders with systems that limit an employee’s access to data, Brown says. The computer system should include “firebreaks” that make it difficult for insiders to easily traverse between different databases and have access to more data than necessary for their job duties, he says.

Other internal security features include cameras trained on computer workstations and lockouts that prevent the use of jump drives or copying to a disc. Insiders can be exceedingly difficult to stop, however. Brown recalls one case in which an employee was thwarted by security cameras and a system that would not allow him to copy the computer code he wanted to steal. His solution was to simply print the code on paper, stuff it in his backpack, and walk out.

“The Blue Cross Blue Shield case is similar. They may have all the bells and whistles for high tech control, but these guys just took screen shots,” Brown says. Detecting a breach afterward sometimes depends on having good logs of activity, which Brown says might have helped BCBSM and law enforcement identify the accused employee. (See the story in this issue for more on the importance of good logs.)

Healthcare providers are paying more attention to cyber security in the wake of recent cases such as the Anthem breach, which involved the protected health information (PHI) of more than 80 million people, but Brown says the threat from cybercrime can never be eliminated completely. More so than in any other industry, Brown says, healthcare providers must assume that hackers and thieves are constantly looking for a way in.

“Healthcare data is particularly useful to bad guys, because not only does it contain health information; it contains names, addresses, phone numbers, and Social Security numbers,” Brown says. “It can be used to steal identities, open fraudulent credit lines, all the things the hacker is hoping for when he gets into any business’s data. Getting into a healthcare system’s data pretty much guarantees they’re going to be able to sell this data for top dollar and make a nice profit.”

Insider threats on the rise

McQuade stated in her announcement that while technology has made it easier than ever for criminals to commit identify fraud, technology is also making it easier for law enforcement to catch them. An individual’s personal information has significant value on the black market, which is why the threat of data breaches and identity theft remain at an all-time high, she said.

BCBSM also investigated the breach internally, and Gregory W. Anderson, vice president for corporate and financial investigations at BCBSM, praised the law enforcement effort. “Our company is determined to thoroughly investigate alleged fraud and work hands-on with law enforcement to bring perpetrators of fraud and identity theft to justice,” Anderson said. “We salute the task force for these arrests and for their diligent efforts to help Blue Cross protect our members’ personal information and privacy.”

Affected policy holders will be notified by letter and offered two years of free credit protection services, the company reports.

The BCBSM identity theft ring is yet another example of how insider threats are on the rise, says Eric Chiu, founder and president at HyTrust, a cloud control company in Mountain View, CA. “Employees and their credentials are the number one way companies are being breached today, with many high profile examples over the past 18 months including Target, eBay, Home Depot, Sony, Anthem, and Edward Snowden,” Chiu says. “Identity theft and credit fraud are a big business for these new cyber criminals, and data is the new currency. Companies need to place security as their number one priority, especially around insider threats. Otherwise, they will become the next target.”

Brown agrees that healthcare organizations must be proactive in ensuring HIPAA compliance, and not only because hackers are unrelenting in their efforts. The plaintiffs’ bar also is realizing that there is money to be made in civil suits following a breach, particularly with class action suits, Brown says.

Civil suits related to HIPAA breaches have gained little traction because in most cases plaintiffs had no damages, only the threat of future damages from a stolen identity. Plaintiffs’ attorneys eventually will find ways around that issue, Brown says. Attorneys are pursuing different legal avenues, and there is no shortage of plaintiffs, especially now that the public is becoming better educated and aware of this threat, Brown says.

Any increase in liability risk will be accompanied by increasing efforts from hackers, Brown says. The threat is constant, he warns.

“Just because you haven’t been hacked yet doesn’t mean you can’t be hacked, and it doesn’t even mean you really haven’t been hacked. Maybe you have, and you just don’t know it yet,” Brown says. “Data security is an arms race, and the hackers are sharing information about every weakness they find. Healthcare providers have to remain vigilant and not be lulled into complacency by the thought that they haven’t had an incident yet.”


Thomas G.A. Brown, FTI Consulting, Washington, DC. Email: thomas.brown@fticonsulting.com.

• Eric Chiu, President, HyTrust, Mountain View, CA. Telephone: (408) 776-1400.