Dell SecureWorks Uncovers Underground Health Insurance Data Markets


A researcher at Dell SecureWorks has uncovered informal underground markets for stolen healthcare data including health insurance credentials, Social Security numbers, bank account information and other personally identifiable information about victims.

The market for the stolen healthcare data is thriving, according to Don Jackson, senior security researcher with the SecureWorks' Counter Threat Unit (CTU) research team. Jackson, who has a background in the health insurance industry, said prices for health insurance credentials have increased significantly over the years.

"These things are generally sold or brokered via an online chat and references to verify an individual's reputation are done through an online forum," Jackson told CRN.

[Related: Top Healthcare Breaches And The Rising Costs To Organizations]

Stolen healthcare information and counterfeit documents are used by illegal immigrants, criminals and foreigners seeking specialized medical care in the U.S. The stolen data lasts a long time, and if the fraudster is careful, much of the activity escapes detection or is written off by healthcare providers, Jackson said.

The Health Insurance Portability and Accountability Act (HIPAA) has forced hospitals, medical clinics and other healthcare facilities to bolster the security of personally identifiable information, but insider threats and third-party breaches can be common sources of data leakage, Jackson said. Malware is also used to steal the data necessary to conduct healthcare fraud. Trojan attack campaigns steal a wide range of data from bank account credentials to credit card information. They also often steal healthcare data, which can be stored and packaged for bulk sale.

"The healthcare industry uses fraud detection algorithms to detect some types of activity, but fraud detection is usually something that is very hard to identify and often something first detected by the victim," Jackson said.

HIPAA fines associated with healthcare data breaches are increasing, but despite the increased enforcement of the measures, healthcare fraud continues to be a problem, Jackson said. Healthcare firms also frequently write off the fraud because it often falls below the threshold required to make it worthwhile to investigate and prosecute the illegal activity. Fraudsters typically use a valid driver's license, valid health insurance information and a valid credit card to make co-payments when they visit a healthcare provider using a stolen identity, Jackson said.

Criminals involved in creating counterfeit identities for individuals can purchase "fullz," which provides them with all the stolen data on a person to then be used to create counterfeit physical documents. They are sold at about $500 each, according to Jackson's findings. To be valuable, the stolen healthcare data has to have valid plan information. Additional services supported by a plan, such as dental and vision coverage, are charged an additional $20, Jackson said.

"Kitz," which sell between $1,200 and $1,300 each, includes the physical documents such as credit cards, Social Security cards, driver's license and insurance cards. The information is typically purchased in bulk and then sold for a marked up street price, Jackson said.

Jackson used standard online forums to connect with individuals who sell stolen data. The forums are used for a variety of illegal activities from cracking passwords to buying credit card data in bulk. Only a few sources exist to buy the supporting data necessary for healthcare fraud. Jackson said purchased two separate lots of healthcare information on 100 individuals from an individual located in the United States. He verified the information was valid.

Jackson found other forms of stolen data for sale as well. U.S. credit cards were sold for $1 to $2 each. Non-U.S. credit cards sold as high as $10 each. PayPal accounts with a verified balance, online bank accounts, gaming accounts and Skype accounts also held value on the underground market.

PUBLISHED JULY 15, 2013