Here's to your health...your health insurance credentials, that is.
Information security service provider Dell SecureWorks has uncovered in a new report that buyers are dropping big bucks for health insurance documents that are being hawked on the internet underground with the goal of using them to commit fraud.
Dell SecureWorks Counter Threat Unit (CTU) senior security researcher Don Jackson has investigated underground market supply and demand for years, and beginning in May, he sought to update how buyers are spending their money in 2013.
Jackson discovered people are laying down top dollar for all-inclusive health insurance dossiers known as “Kitz,” or a little less money for the slimmed down version known as “Fullz.” Both packages contain sensitive health insurance information, including names, addresses, phone numbers, email addresses, Social Security numbers and bank account information, complete with account and routing numbers.
What separates the two, aside from the cost, is that “Kitz” contain physical documents, including driver's licenses, whereas “Fullz” contain only the electronic data.
Jackson learned through investigation that “Kitz” are fetching $1,200 to $1,300, with an added $100 to $500 thrown on top for rush orders and other fees. This is the package to purchase for people wishing to commit medical identity theft because eventually they need to show up in person, Jackson told SCMagazine.com on Tuesday.
“Fullz” typically go for $500, a significant increase from the $100 cost of the early to mid 2000s. “Kitz” prices through the years are harder to compare, Jackson said, because they were previously part of bigger packages designed to sneak illegals into the United States.
Jackson said the underground seller market is saturated with stolen financial information such as credit cards. So much so that sellers are earning as little as $1 per card number. That's why health insurance data has become so coveted, in addition to the high cost to receive certain treatments in the United States.
“Where we see [health insurance credentials] being used is for expensive services and surgeries,” said Jackson, explaining that dialysis and appendectomies, for example, are common procedures to obtain using stolen identities because they are less expensive and do not immediately set off any alarms.
Jackson said victims of this kind of identity theft often do not find out about it until a year or later.
Jackson said there are any number of reasons why people are buying this information, including having no coverage or having a criminal record, and added that hackers have begun targeting smaller healthcare organizations who may have limited data protection technology in place.
Common tools that should be used for to safeguard against attacks targeting health information include firewalls, encryption, log monitoring and vulnerability scanning, Jackson recommended.