Watch out for ‘spear phishing’
by Alexandria Wilson Pecci
HealthLeaders Media, February 26, 2017
When a U.S. Attorney called South Florida “an epicenter of identity theft” last month, it was in the context of announcing federal charges against more than 100 suspected fraudsters.
One of them was a former Jackson Health System employee accused of accessing the health system’s computer databases to steal patient data. The rogue employee, a former secretary, was accused of pilfering the Social Security numbers of more than 24,000 people over the course of five years. She was placed on administrative leave in 2016.
But the Miami-based safety net health system is certainly not alone in experiencing data breaches. According to a report from the Identity Theft Resource Center, the healthcare/medical industry experienced 377 reported data breach incidents in 2016, behind only the business sector in the number of incidents.
The healthcare industry represented 34.5% of the overall total number of breaches among the five industries tracked in the report.
The total number of breaches among the five industries included in the report is now at an all-time high. But ITRC experts said in a statement that it’s hard to tell whether there are actually more breaches each year or simply more reporting of breaches. In total, there were 1,093 reported data breaches in 2016, a 40% increase over the 780 reported in 2015.
More than a decade of ITRC data shows that there were significantly more healthcare data breaches in 2016 than there were in 2005, when the data showed only 16. That number has grown steadily in the years since.
Laws are “always behind” the latest techniques used to steal data, said Karen A. Barney, director of research and publications at the Identity Theft Resource Center. “In general, privacy laws typically seem to not necessarily keep pace.”
But some industries are better than others at deterring theft. The banking and financial sectors are better than the medical industry, Barney noted.
The proof is in the numbers. In 2005, the banking/credit/financial industry had more data breaches than the medical/health industry. But by 2016, it had 52 breaches, compared to the health industry’s 377, and accounted for just 4.8% of total breaches.
“There’s a great need for corporate protocols and best practices to be in place,” Barney said.
There have also been changes in how the breaches are occurring. Among the five industries in 2016, hacking/skimming/phishing accounted for 55.5% of total data breaches, compared to 14.1% in 2007.
Hacking, Physical Theft Dominate Healthcare Breaches
Broken down by industry, hacking was the most common data breach source for the healthcare sector, according to data provided to HealthLeaders Media by the Identity Theft Resource Center. Physical theft was the biggest breach category for healthcare in 2015 and 2014.
Insider theft and employee error/negligence tied for the second most common data breach sources in 2016 in the health industry. In addition, insider theft was a bigger problem in the healthcare sector than in other industries, and has been for the past five years.
Insider theft is alleged to have been at play in the Jackson Health System incident. Former employee Evelina Sophia Reid was charged in a fourteen-count indictment with conspiracy to commit access device fraud, possessing fifteen or more unauthorized access devices, aggravated identity theft, and computer fraud, the Department of Justice said. Prosecutors say that her co-conspirators used the stolen information to file fraudulent tax returns in the patients’ names.
What’s the next data breach tactic for the healthcare industry to be aware of? According to Barney, it’s “spear phishing,” a scheme involving email that purports to be from company executives and requests personal information on employees.
The IRS noted a “400% surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community” in a March 2016 warning to payroll and human resource professionals, she said.
“They pretend to be someone in authority,” Barney said, and trick employees into giving things like Social Security numbers and W2 forms. “It’s providing the thief with anything and everything they need to commit tax fraud.”
This report is brought to you by HealthLeaders Media.