In the largest-ever security breach of a heath insurance company, Anthem (WLP) revealed on Thursday that the personal data of 80 million customers may have been exposed to hackers.
It’s likely that hackers will continue to target health care companies. For one thing, health data is a richer source of personal information than credit card data. Among the bounty: social security numbers, e-mail addresses, birthdays, street addresses, policy numbers, diagnosis codes, billing information, and the names of family members—the sort of information used in security questions for online accounts.
Malicious hackers can use that information for what’s sometimes called a “soft hack,” or unauthorized entry without the use of sophisticated software. Identity thieves can gain access to a person’s account by guessing the right answers to security questions and resetting a password. With the right combination of family and personal information, a thief can also use fake identities to score drugs from pharmacies. This is a major reason why stolen health credentials are worth 10 times more than credit cards on the black market, according to Reuters.
Secondly, health care companies haven’t focused on security as much as other industries have, and have been known to rely on outdated software. “Healthcare organizations have invested less in IT, including security technologies and services than other industries,” says Lynne Dunbrack, a vice president at market research firm IDC.
That’s true for insurers in part because they aren’t incentivized to make security a priority. Their end customers often have little choice as to which provider they use, since that choice is typically made by employers. Insurers are not likely to lose as much business over a data breach as, say, a retailer. For example, it is much easier for a shopper to choose Walmart (WMT) over Target (TGT) after the latter suffered a massive security breach last year.
In general, companies that administer their data in servers located on-premise are often less secure than companies that rely on major cloud computing vendors, according to Kevin Spain, a general partner at Emergence Capital. “The most vulnerable systems tend not to be cloud-based because security is what they do,” he says. A hack like this may not ruin a health insurance company like Anthem, but it could destroy a cloud software company like Salesforce, Spain says: “That’s why there’s a different level of priority.”