11 Arrested in Insider ID Theft SchemeFormer Blue Cross Blue Shield of Michigan Employee Charged
A former customer service representative at Blue Cross Blue Shield of Michigan is among 11 individuals recently arrested in connection with an alleged identity theft scheme that affected more than 5,500 health plan members and resulted in hundreds of thousands of dollars in credit fraud.
Privacy and security experts say the incident is a reminder to health insurers and other healthcare covered entities that insider threats are still a major concern; they can't just focus on thwarting high-profile hacker attacks, such as Anthem Inc.'s breach that affected 78.8 million individuals.
"Healthcare organizations must continue to be vigilant about insider threats," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "While the Anthem breach rightly turns organization's focus to outside hacker attacks, insider threats remain a very large issue."
According to an indictment document filed by federal prosecutors on Feb. 19 but unsealed on March 10, prosecutors allege that beginning about January 2012, and continuing through about December 2014, BCBSM employee Angela Patton had an agreement with accomplices "whereby she received payments in exchange for obtaining and disclosing individually identifiable health information of patients covered by health plans administered by BCBSM for purposes not authorized by HIPAA." Screenshots of the fraudulently obtained PII were printed out by Patton to be sold to the co-conspirators for use in identity theft and credit fraud, prosecutors say.
During investigations and the execution of search warrants, police in several states discovered the stolen BCBSM subscriber information in hotels, homes and vehicles of the various defendants. Some of the stolen information, including names, addresses and Social Security numbers of BCBSM members, was used to create counterfeit credit cards and open fraudulent lines of credit in the victims' names at a number of retail chains, including Lowe's, Cabela and Sam's Club, according to the indictment.
Hundreds of thousands of dollars' worth of merchandise was fraudulently purchased as part of the schemes, including more than $742,000 spent at Sam's Club, prosecutors allege.
The indictment says Patton "had access to the [company's] computer system and databases and had received training in and became familiar with her obligations of confidentiality under the HIPAA regulations." It notes that Patton was authorized by BCBSM "to access individually identifiable health information of patients who received health coverage from health plans administered by BCBSM, for only such purposes as permitted by the HIPAA regulations."
Patton was indicted on several charges, including wrongful disclosure of health information, conspiracy to commit wire fraud and identity theft. The other defendants were charged with a variety of crimes, including identity theft, conspiracy to commit wire fraud and production, use or trafficking in counterfeit access devices.
In a statement, BCBSM says it has begun notifying affected individuals by mail and has worked with federal law enforcement on the investigation.
"I am personally saddened by this former employee's involvement," Daniel Loepp, president and CEO of BCBSM, said in the statement. "The alleged behavior in no way represents the ethical standards brought to work every day by our more than 7,000 employees, who are committed to serving our members with integrity and honesty."
BCBSM is offering affected members two years of free credit protection services. The company is also recommending that members carefully monitor their "explanation of benefits" statements and financial accounts for services they did not receive or any inappropriate or suspicious healthcare claims.
"We have taken a number of deliberate steps to further secure our members' information from disclosure, including limiting access to members' Social Security numbers, requiring all employees to change their passwords, and installing new printing devices that require employees to scan their coded badges to print," says, Kevin Klobucar, CEO for Blue Care Network of Michigan, in the BCBSM statement.
BCBSM did not respond to Information Security Media Group's request for further comment.
Preventing Insider Breaches
Security and privacy experts say organizations should consider taking a number of steps to prevent breaches involving insiders, including some of the measures that BCBSM says it's taking to bolster security in the wake of the breach.
"Organization's should consider to what extent they can limit internal access to Social Security numbers and other high risk data, conduct thorough background checks, consider to what extent they can identify patterns of potentially inappropriate access by employees and contractors, and consider whether data loss prevention technology can reduce the risk further," Greene says. "But even with the best safeguards, the threat of an insider abusing access can be reduced but never eliminated." As a result, he says, "organizations should consider whether they are sufficiently insured with respect to the remaining risk from insider threats."
In a recent interview, Mark Combs, assistant CIO at West Virginia United Health System, said mitigating insider threats requires a multi-step approach that includes records-access monitoring and role-based access management.