The hackers who stole personal data from health insurer Anthem stand to make a whole lot more than the ones who stole 56 million credit and debit card numbers from Home Depot because the potential payback per identity is so much greater.
"Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x in price on the black market," says Martin Walter, senior director at RedSeal.
That could be a conservative estimate, according to a report by PwC called "Managing cyber risk in an interconnected world: Key findings from The Global State of Information Security® Survey 2015."
"A complete identity-theft kit containing comprehensive health insurance credentials can be worth hundreds of dollars or even $1,000 each on the black market, and health insurance credentials alone can fetch $20 each; stolen payment cards, by comparison, typically are sold for $1 each," the report says.
The price differential is due to the ability to use identity information (birth dates, Social Security numbers, addresses, employment information, income, etc.) to open new credit accounts on an ongoing basis rather than exploiting just one account until it's canceled.
But that's not all. "The information attackers were able to access from Anthem are key pieces of data that can be used to access someone's financial records," says Eric Chiu, president & co-founder of Hytrust, making it possible to find and drain individuals' personal cash reserves.
It's not known exactly how many Anthem customers' data was stolen, but the company has 37.5 million subscribers plus another 68 million served by its affiliates.
Walter says this type of massive theft from a health provider should have been expected. "It was only a matter of time until hackers found out that it's much easier to go after Social Security numbers and personally identifiable information with healthcare providers, which in comparison spend significantly less on security, making them tentatively easier targets."
While health organizations do spend less on security in general than some other markets such as finance, they are making strides, according to PwC; their security spending in 2014 was up 66% over 2013.
Last year, healthcare providers and payers reported a 60% increase in detected incidents, resulting in financial losses jumping 282% over 2013. The possible explanation: attackers are targeting healthcare entities for their patient health data.
While health industry providers are boosting security spending, they may not be doing so in order to protect existing customer data, PwC says. Rather it may be to secure the blossoming number of new health-monitoring devices that help comprise the Internet of Things. "Consider that almost half (47%) of healthcare provider and payer respondents say they have integrated consumer technologies such as wearable health-monitoring devices or operational technologies like automated pharmacy-dispensing systems with their IT ecosystem," according to the PwC report.