In a massive breach of data, hackers targeted Healthcare.gov applications and made off with data associated with thousands of people, by breaking into the accounts of brokers and agents helping people get on the portal.
The news comes from a post on the Centers for Medicare and Medicaid Services (CMS) website. According to the post, hackers obtained “inappropriate access” to several broker and agent accounts, and then went on to engage in excessive searching of the government’s healthcare marketplace systems. While CMS has already closed down the affected accounts, the data that is gone is gone.
CMS has also issued a letter to the affected customers, in which it has disclosed what data may have actually been stolen. According to the letter, hackers may have received access to:
- Name, date of birth, address, sex, and the last four digits of the Social Security number (SSN).
- Expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, health insurance status.
- Information provided by other federal agencies and data sources to confirm the information provided on the application.
- The results of the application, whether the applicant was eligible to enroll in a qualified health plan (QHP), and if eligible, the tax credit amount; and
- If the applicant enrolled, the name of the insurance plan, the premium, and dates of coverage.
So yes, there would be multiple parties interested in buying data of this sort, and in the wrong hands, it can do plenty of damage too.
Speaking on the topic, Andrew Blaich, head of Device Intelligence at Lookout said:
Breaches that include personally identifiable information are always dangerous because they can lead to identity theft. Not only can the attacker steal the identity of anyone in the breach, but they can also use this information to appear credible when crafting mobile spear-phishing messages against their targets.
This is especially true if the data that was leaked is accurate, as health information, family relationships and insurance information can make it extremely easy for an attacker to steal the identity of anyone affected by the breach.
Over 11.8 million people have signed up for the healthcare marketplace service, which aims to bring insurance coverage to everyone. While CMS says that information from 75,000 accounts was stolen, the numbers could well go up. Meanwhile, this is yet another example of governments bowing down and giving up before hackers.