Anthem hack highlights desirability of stolen health records
Anthem, the nation's second largest health insurer, has warned up to 80 million Americans that their health care records could now be in the hands of criminal hackers.
It's potentially the largest ever cyber attack on the health care sector.
The company sent out an email Thursday notifying its customers of a "very sophisticated external cyber attack" which compromised the names, birth dates, social security numbers, addresses and emails of patients and employees.
Anthem was one of thousands of health care companies warned twice last year by the FBI that their industry was particularly vulnerable to hackers.
In 2014 there were 42 cyber attacks targeting health providers, compared to just five in 2010. The FBI cited the industry's "lax cyber security standards" and said they were being targeted for a list of reasons.
"One was kind of the shifting of records from paper to digital format, which creates the opportunity now for cyber criminals to obtain and go after these records," said Jim Trainor, who's second in command at the FBI's cyber security division.
The FBI also warned that on the black market, criminals will now pay much more for personal health information, called PHI.
"Credit cards can be say five dollars or more where PHI records can go from 20 say up to -- we've even seen $60 or $70," Trainor said.
The data is so valuable because it can be used to build a strong fake identity or even sold to criminals for insurance and billing scams.
"If you lose your credit card, we all know you call '1-800 I lost my card' and they turn your card off," said Dr. Robert Wah, president of the American Medical Association and chief medical officer at CSC, a health care technology company. "There is no '1-800 I lost my health record' and you can't turn off all that rich information that's in your health record."
A 2014 survey of health care technology professionals found half spent three percent or less of their technology budgets on cyber security. Experts tell CBS News the standard is 10 percent.
Tom Turner, whose company Bitsight Technologies rates companies on cyber security, said he "absolutely" worries about the security of his own health care records.
"Healthcare is absolutely performing at the bottom of the other industries," Turner said. "If you'd like a letter grade for that, maybe a C or D."
Sources told CBS News that this was an advanced attack using custom malware, and that the FBI is looking into the possibility that the attack was from overseas, possibly China.