10 Million Health Records Breached: Why Do Cyber Criminals Target Medical Files?
A data breach at health insurance provider Excellus BlueCross BlueShield has exposed 10 million patient records. According to Wired, “Excellus has revealed that in August of this year it discovered a nearly 2-year old intrusion campaign in its network that gave hackers access to potentially all its customers’ records.” The breach follows several similar attacks this past year, including an attack against CareFirst insurance affecting 1.1 million customers and another attack against Anthem insurance wherein cyber criminals accessed 80 million health records.
The medical industry has become a prominent target for cyber criminals because of the large volumes of valuable data that can be extracted in a single breach, including birth dates and Social Security numbers, which may be repurposed for identity theft. Additionally, the industry’s reliance on outdated computer systems makes it more vulnerable than other industries such as banking.
There is also a lack of oversight for insurance fraud, in contrast to the many safety provisions in place to prevent banking or credit fraud. Criminals committing insurance fraud can remain undetected for significantly longer than those who attempt to use fraudulent credit information. According to Reuters, “Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number.” A study from the Ponemon Institute, a research center dedicated to data protection, found that “victims of medical identity theft can suffer significant financial consequences. Sixty-five percent of medical identity theft victims in our study had to pay an average of $13,500 to resolve the crime.”
Patients can protect themselves by safeguarding their credentials, monitoring their healthcare records and regularly reviewing insurance statements for potential signs of fraudulent activity. According to the Reuters story, “one patient learned that his records at a major hospital chain were compromised after he started receiving bills related to a heart procedure he had not undergone. The man's credentials were also used to buy a mobility scooter and several pieces of medical equipment, racking up tens of thousands of dollars in total fraud.”