Late last week, the Centers for Medicare and Medicaid Services (CMS) disclosed that compromised insider credentials with access to's back-end insurance system exposed 75,000 individuals’ data. 

What is 75,000 records in the face of 50 million accounts compromised on Facebook?  

While the numbers in this breach are small, and the CMS responded quickly -- and with “an abundance of caution” -- the files that were stolen are some of the most valuable on the black market.  While one stolen credit card goes for 25 cents, one healthcare record is worth hundreds or thousands of dollars.  

That’s because a healthcare record is the ultimate cheat sheet for identity theft, medical fraud, financial misdemeanors, tax fraud and insurance fraud. Each healthcare record includes most of the personal, medical and financial information a criminal requires to carry out those activities. And most of the data contained within is core identifiable data that can’t be changed (e.g., Social Security number or date of birth).

How did this happen? 

The CMS staff detected anomalous activity in the Direct Enrollment pathway for agents and brokers on Saturday, October 13. The Direct Enrollment pathway allows agents and brokers to help consumers apply for coverage within Federally Facilitated Exchanges (FFE).  

On October 16, the investigating team declared there had been a breach and the agent and broker accounts that were associated with the anomalous activity were deactivated. 

Let me rephrase that: agents and brokers who have legitimate access to consumer applications in order to assist those same consumers had their accounts compromised. Hackers co-opted their credentials through spear phishing, stolen passwords, or some other means, and thus gained legitimate access to 75,000 individuals’ files.

While this is alarming, what’s even more alarming is that 51% of all data breaches in healthcare are caused by insider threats. 

How was this detected? 

Insider threats are hard to detect because hackers with co-opted credentials or disgruntled employees use the access they have been given to steal data or wreak havoc. While we don’t know all the details of the breach, we do know that CMS has tools in place that monitored for anomalous activity. Without such a system, this breach may have been much larger and gone on for much longer.   

This is why organizations must model user behavior to identify insider threats. Such systems create a baseline of user behavior that involves mapping the times that a user typically performs activities, the objects that a user interacts with (such as a computer, geographical location or a file), and patterns of events that occur within a specific time frame (like a spike in activity). This mapping creates a baseline for each individual user and then alerts and even stops the unusual activity in its tracks. 
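The baseline described above can be sketched in a few lines. This is an added example, not code from CMS or from any product mentioned here; the user name, locations, record ids, dates and the z-score threshold are all constructed assumptions, and it only flags deviations rather than blocking them.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def build_baseline(events):
    """events: (user, datetime, location, record_id). Returns per-user profile."""
    prof = defaultdict(lambda: {"hours": set(), "locations": set(), "daily": Counter()})
    for user, ts, loc, _rec in events:
        p = prof[user]
        p["hours"].add(ts.hour)        # when the user normally works
        p["locations"].add(loc)        # where the user normally connects from
        p["daily"][ts.date()] += 1     # how many records per day is normal
    return prof

def deviations(profile, day_events, z=3.0):
    """Compare one user's day of activity against that user's profile."""
    reasons = []
    if {ts.hour for _, ts, _, _ in day_events} - profile["hours"]:
        reasons.append("unusual_time")
    if {loc for _, _, loc, _ in day_events} - profile["locations"]:
        reasons.append("new_location")
    counts = list(profile["daily"].values())
    # Floor the spread at 1 so a very regular user does not alert on +1 record.
    limit = mean(counts) + z * max(pstdev(counts), 1.0)
    if len(day_events) > limit:
        reasons.append("volume_spike")
    return reasons

def constructed_history(user="broker_17", days=20):
    """Constructed data: 8 to 11 records a day, 09:00-16:59, one location."""
    start, out = datetime(2024, 1, 1, 9, 0), []
    for d in range(days):
        for i in range(8 + d % 4):
            ts = start + timedelta(days=d, hours=i % 8, minutes=7 * i)
            out.append((user, ts, "office-vpn", f"app-{d}-{i}"))
    return out

BASELINE = build_baseline(constructed_history())
# Constructed test days: an ordinary morning, then 400 records at 02:00 from a new network.
NORMAL_DAY = [("broker_17", datetime(2024, 2, 1, 10, m), "office-vpn", f"app-n-{m}")
              for m in range(9)]
SUSPECT_DAY = [("broker_17", datetime(2024, 2, 2, 2, m % 60), "unknown-net", f"app-s-{m}")
               for m in range(400)]

if __name__ == "__main__":
    for name, day in (("normal", NORMAL_DAY), ("suspect", SUSPECT_DAY)):
        print(name, deviations(BASELINE["broker_17"], day))
```

A compromised account that stays inside the user's normal hours, location and volume would pass all three checks, which is why such baselines are usually combined with other signals.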

In the case of, they at least had a monitoring solution alerting them to the suspicious events, possibly as part of their federal IT government security solutions. 

What can organizations do to keep healthcare data safe? 

Given the value of the data stolen, the ramifications such ill-gotten data will have on consumers and organizations for years to come, and the wide range of compliance regulations and requirements, it’s imperative for healthcare organizations to strengthen their cyber defenses and put in data protection safeguards. More strategic investments need to be made in healthcare IT security solutions.

In our whitepaper Protecting Data in the Healthcare Industry, Osterman Research lists in detail the seven best practices that healthcare organizations are starting to implement to help them become far more resilient to cyber attacks so they can prevent data breaches. It also covers: 

  • The various regulations and requirements that healthcare firms must comply with 
  • The realities and trends that are increasing the risk for healthcare organizations  
  • How data breaches impact healthcare organizations 