Health Insurance on Notice - Hackers Target Personal Data

As soon as we collectively caught our breath from the huge (80 million records) Anthem Insurance breach, UCLA Health System was hacked, exposing 4.5 million people. The mind-numbing issue is that the sensitive data stolen from both organizations was not even encrypted. Insurance companies house toxic PII data (names, Social Security numbers, medical records, ID numbers, and addresses) on their members, which makes them a favorite target of hackers. According to the Identity Theft Institute, in the last 3 years the health care industry has accounted for 42.5% of all data breaches. “Of all data breaches” is not a typo, and this situation continues to get more dangerous with each passing day. Health insurance companies will continue to be targeted by cyber thieves and state-sponsored hackers until they get toxic data out of their environment.

Why is PII so Valuable?
Personally Identifiable Information (PII) is so valuable because cyber criminals can create a complete identity from the Social Security number, first name, last name, address, and other details they can gather. For perspective, your stolen credit card is worth $25 on the black market and has a short life span before being voided. But PII is worth $200 and can’t be cancelled. To add to the frustration, The Ponemon Institute's Fifth Annual Study on Medical Identity Theft reveals: "In many cases, victims struggle to reach resolution following a medical identity theft incident. In our research, only 10% of respondents report achieving a completely satisfactory conclusion of the incident. Consequently, many respondents are at risk for further theft or errors in healthcare records that could jeopardize medical treatments and diagnosis.” Bottom line, you are putting your customers at much higher risk—personally, medically, and financially—than once thought.

Is There a Solution?
The biggest problem is that insurance companies keep storing massive amounts of PII in their environments. To throw more gasoline on the fire, most insurance companies don’t even bother to store the sensitive data with the appropriate access controls. That is a recipe for disaster, as we have already witnessed. Enter tokenization as a security solution in your layered security strategy because “hackers can’t steal what’s not there”. Tokenizing sensitive data removes it from your environment completely, while the tokens can still be used for all the valuable “Big Data” you need for business analytics. You can tokenize all types of data sets to guarantee that you will not expose ANY customer data when a breach occurs, with no real change or impact to your business processes.
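To make the “hackers can’t steal what’s not there” idea concrete, here is an added example (not TokenEx code, and not a description of the TokenEx platform) of vault-based tokenization: the application database keeps only random tokens, the vault holds the token-to-PII mapping, and analytics such as “claims per member” run on the tokens alone. The `TokenVault` class, the field list and the sample claim records are all constructed for this illustration. One design choice worth noting: the vault returns the same token for the same value so that tokens can be joined and counted, which also means equal values are recognizable as equal; where that equality leak matters, a per-field random token is the safer choice.

```python
import re
import secrets

# Constructed sample data: two claims for one member, one for another.
MEMBER_CLAIMS = [
    {"claim_id": "C-1001", "ssn": "123-45-6789", "name": "Jane Doe",
     "address": "1 Main St", "diagnosis_code": "J20.9", "amount": 120.00},
    {"claim_id": "C-1002", "ssn": "123-45-6789", "name": "Jane Doe",
     "address": "1 Main St", "diagnosis_code": "M54.5", "amount": 85.50},
    {"claim_id": "C-1003", "ssn": "987-65-4321", "name": "John Roe",
     "address": "9 Elm Ave", "diagnosis_code": "J20.9", "amount": 40.00},
]

# Fields treated as toxic PII; everything else stays in the application DB as-is.
SENSITIVE_FIELDS = ("ssn", "name", "address")

SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class TokenVault:
    """Hypothetical in-memory vault. In practice this is a separate, hardened
    service; the application environment never holds the mapping."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}  # same value -> same token, so tokens remain joinable

    def tokenize(self, value):
        if value in self._value_to_token:
            return self._value_to_token[value]
        # Random token: nothing about it is derived from the original value.
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Only the vault (behind its own access controls) can reverse a token."""
        return self._token_to_value[token]


def tokenize_record(vault, record):
    """Return a copy of the record with every sensitive field replaced by a token."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def tokenize_dataset(vault, records):
    return [tokenize_record(vault, r) for r in records]


def contains_ssn(records):
    """Check used after tokenization: does any field still look like an SSN?"""
    return any(SSN_PATTERN.search(str(v)) for r in records for v in r.values())


def claims_per_member(tokenized_records):
    """Analytics on tokens only: count claims per (tokenized) member."""
    counts = {}
    for r in tokenized_records:
        counts[r["ssn"]] = counts.get(r["ssn"], 0) + 1
    return counts


if __name__ == "__main__":
    vault = TokenVault()
    safe = tokenize_dataset(vault, MEMBER_CLAIMS)
    print("raw data contains SSNs:", contains_ssn(MEMBER_CLAIMS))
    print("tokenized data contains SSNs:", contains_ssn(safe))
    print("claims per member (by token):", claims_per_member(safe))
```

Running the block shows the raw records matching the SSN check, the tokenized copy matching nothing, and the per-member counts still being computable from tokens; only a caller with access to the vault can turn a token back into the member's SSN.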

Do I Still Need Fraud Prevention?
Yes. Tokenization is a layer or proxy in data security that removes the sensitive data, while fraud prevention analyzes security parameters to determine the authenticity of payment transactions. Fraud prevention programs analyze hundreds of relevant variables and millions of transactions across the globe in real time, yielding accurate fraud protection warnings instead of just after-the-fact fraud detection. The TokenEx Open Integration Platform tightly integrates the tokenization processes with third-party fraud prevention processing to ensure performance within payment PCI latency guidelines—thus there is no impact on payment processing speeds. By implementing both platforms, health insurance companies can get back to focusing on taking care of their customers instead of notifying them that all of their PII is for sale on the black market.

TokenEx is a custom tokenization data security platform that removes toxic data from your insurance environment, reducing the cost and effort of PCI compliance to a minimum level. TokenEx is payment processor agnostic and can integrate a variety of support services, such as chargeback mitigation and marketing analytics, into your payment stream. Visit for more information. Follow us on Twitter and LinkedIn.

Topics: insurance, data security, HIPAA, PCI DSS, PII, tokenization
