Healthcare organizations contain a wealth of personal information, making them the number one target for cyber breaches, according to a Houston-based attorney who specializes in healthcare privacy.
Lynn Sessions, a partner in BakerHostetler’s Houston office, has been working with healthcare providers for 23 years. In this edited interview with Insurance Journal, Sessions discusses the impact of cyber breaches in the sector.
IJ: Why is the healthcare field such a big target?
Sessions: Health care organizations have a gold mine of information. … They have names. They have social security numbers. They have health information. They have health insurance ID numbers. All of this can be monetized. We hear that Social Security numbers and credit card numbers are actually 50 cents on the black market. If you can get health insurance ID numbers, if you can get health information about those individuals, then fraudulent insurance claims can be made. That can be monetized to a much, much higher value.
IJ: Assuming these people are not just bored teenagers, who is conducting these breaches?
Sessions: We do have some teenagers that are hacking in just for the fun of it. We have teenagers who are being compensated by organized crime and others … located here within the United States. That’s actually not the most common.
What we also see is organized crime here in the United States hiring people or paying people who are already working in healthcare organizations … to bring this information outside the organization. Whether it’s in an electronic format or if it’s in a paper format, they get names and Social Security numbers, health insurance IDs and health information that they can then use on a volume basis. Some of that’s organized crime internally.
We also see … that the Chinese government is interested in American health information. … We don’t really know why. We hear from the FBI that they may be creating a dossier on a variety of different Americans to be used at a later date. …
We also hear that they’re using it for a little more altruistic reasons, which is, “Look at what’s happening in the United States … how they are doing things like treating diseases, curing diseases,” and then essentially stealing the intellectual property. …
Similarly, the Russian mob will also attack. They’re looking for things that are easily monetizable. They’re looking primarily for Social Security numbers with names, with which they can open up fraudulent credit cards and file fraudulent tax returns. That’s where we kind of see the greatest … concentration of these types of attacks.
IJ: What happens when an organization has a breach?
Sessions: First they have to be able to detect the breach. Sometimes that can take a little while. We have seen perpetrators be within a healthcare organization’s network for over six months before they even discover it.
Once they detect it, that’s when the discovery date starts under HIPAA [Health Insurance Portability and Accountability Act]. The healthcare organization has no greater than 60 days in which they need to investigate, prepare notification letters, and send out notification letters under HIPAA.
