Healthcare organizations contain a wealth of personal information, making them them the number one ta
rget for cyber breaches, according to a Houston-based attorney who specializes in healthcare privacy.
Lynn Sessions, a partner in BakerHostetler’s Houston office, has been working with healthcare providers for 2
3 years. In this edited interview with Insurance Journal, Sessions discusses the impact of cyber breaches in the sector.
IJ: Why is the healthcare field such a big target?
Sessions: Health care organizations have a gold mine of information. … They have names. They have social secu
rity numbers. They have health information. They have health insurance ID numbers. All of this can be monetized. We h
ear that Social Security numbers and credit card numbers are actually 50 cents on the black market. If you can get health insurance ID numbers, if you can g
et health information about those individuals, then fraudulent insurance claims can be made. That can be monetized to a much, much higher value.
All of this can be monetized
IJ: Assuming these people are not just bored teenagers, who is conducting these breaches?
Sessions: We do have some teenagers that are hacking in just for the fun of it. We have teenagers who are
being compensated by organized crime and others … located here within the United States. That’s actually not the most common.
Watch More Image Part 2 >>>
What we also see is organized crime here in the United States hiring people or paying people who are already working in healthcare organizations … to bring this inf
ormation outside the organization. Whether it’s in an electronic forma
t or if it’s in a paper format, they get names and Social Security numbers, health insurance IDs and health information t
hat they can then use on a volume basis. Some of that’s organized crime internally.
We also see … that the Chinese government is interested in American health information. … We don’t really k
now why. We hear from the FBI that they may be creating a dossier on a variety of different Americans to be used at a later date. …
We also hear that they’re using it for a little more altruistic reasons, which is, “Look at what’s happening in th
e United States … how they are doing things like treating diseases, curing diseases,” and then essentially stealing the intellectual property. …
Similarly, the Russian mob will also attack. They’re looking for things that are easily monetizable. They’r
e looking primarily for Social Security numbers with names that they can open up fraudulent credit cards, that they
can file fraudulent tax returns. That’s where we kind of see the greatest … concentration of these types of attacks.
IJ: What happens when an organization has a breach?
Sessions: First they have to be able to detect the breach. Sometimes that can take a little while. We have seen perpe
trators be within a healthcare organization’s network for over six months before they even discover it.
Once they detect it, that’s when the discovery date starts under HIPAA [Health Insurance Portability and Accountability Act]. The healthcare organization has n
o greater than 60 days in which they need to investigate, prepare notification letters, and send out notification letters under HIPAA.