Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm - Krebs on Security

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

[Image: The "Fraud Related" section of the Evolution Market.]

Purloined medical records are among the many illicit goods for sale on the Evolution Market, a black market bazaar that traffics mostly in narcotics and fraud-related goods, including plenty of stolen financial data. Evolution cannot be reached from the regular Internet. Rather, visitors can only browse the site using Tor, software that helps users disguise their identity by bouncing their traffic between different servers and by encrypting that traffic at every hop along the way.

Last week, a reader alerted this author to a merchant on Evolution Market nicknamed "ImperialRussia" who was advertising medical records for sale. ImperialRussia was hawking his goods as "fullz", street slang for a package of all the personal and financial records that thieves would need to fraudulently open up new lines of credit in a person's name.

Each document for sale by this seller includes the would-be identity theft victim's name, their medical history, address, phone and driver's license number, Social Security number, date of birth, bank name, routing number and checking/savings account number. Customers can purchase the records using the digital currency Bitcoin.

A set of five fullz retails for $40 ($8 per record). Buy 20 fullz and the price drops to $7 per record. Purchase 50 or more fullz and the per-record cost falls to just $6.40, roughly the price of a value meal at a fast food restaurant. Incidentally, even at $8 per record, that's cheaper than the price most stolen credit cards fetch on the underground markets.

[Image: ImperialRussia's ad pimping medical and financial records stolen from a Texas life insurance firm.]

"Live and Exclusive database of US FULLZ from an insurance company, particularly from NorthWestern region of US," ImperialRussia's ad on Evolution enthuses. The pitch continues:

"Most of the fullz come with EXTRA FREEBIES inside, as additional policyholders. All of the information is accurate and confirmed. Clients are from an insurance company database with GOOD to EXCELLENT credit score. I myself was able to apply for credit cards valued from $2,000 - $10,000 with my fullz. Info can be used to apply for loans, credit cards, lines of credit, bank withdrawal, assume identity, account takeover."

Sure enough, the source who alerted me to this listing had obtained numerous fullz from this seller. All of them contained the personal and financial information on people in the Northwest United States (mostly in Washington state) who'd applied for life insurance through American Income Life, an insurance firm based in Waco, Texas.

American Income Life referred all calls to the company's parent firm, Torchmark Corp., an insurance holding company in McKinney, Texas. This publication shared with Torchmark the records obtained from ImperialRussia. In response, Michael Majors, vice president of investor relations at Torchmark, said that the FBI and Secret Service were assisting the company in an ongoing investigation, and that Torchmark expected to begin the process of notifying affected consumers this week.

"We're aware of the matter, and we've been working with law enforcement on an ongoing investigation," Majors said after reviewing the documents shared by KrebsOnSecurity. "It looks like we're working on the same matter that you're inquiring about."

Majors declined to answer additional questions, such as whether Torchmark has uncovered the source of the data breach and stopped the leakage of customer records, or when the company believes the breach began. Interestingly, ImperialRussia's first post offering this data is dated more than three months ago, on June 15, 2014. Likewise, the insurance application documents shared with Torchmark by this publication also were dated mid-2014.

The financial information in the stolen life insurance applications includes the checking and/or savings account information of the applicant, and is collected so that American Income can pre-authorize payments and automatic monthly debits in the event the policy is approved. In a four-page discussion thread on ImperialRussia's sales page at Evolution, buyers of this stolen data took turns discussing the quality of the information and its various uses, such as how one can use automated phone systems to verify the available balance of an applicant's bank account.

Jessica Johnson, a Washington state resident whose records were among those sold by ImperialRussia, said in a phone interview that she received a call from a credit bureau this week after identity thieves tried to open two new lines of credit in her name.

"It's been a nightmare," she said. "Yesterday, I had all these phone calls from the credit bureau because someone tried to open two new credit cards in my name. And the only reason they called me was because I already had a credit card with that company and the company thought it was weird, I guess."

[Image: ImperialRussia discusses his wares with potential and previous buyers.]

More than 1.8 million people were victims of medical ID theft in 2013, according to a report from the Ponemon Institute, an independent research group. I suspect that many of these folks had their medical records stolen and used to open new lines of credit in their names, or to conduct tax refund fraud with the Internal Revenue Service (IRS).

Placing a fraud alert or freeze on your credit file is a great way to block identity thieves from hijacking your good name. A fraud alert asks creditors to verify your identity before opening a new account; a security freeze blocks new creditors from pulling your file at all until you lift it. For pointers on how to do that, as well as other tips on how to avoid becoming a victim of ID theft, check out this story.

This entry was posted on Thursday, 18th of September 2014, at 10:40 AM.
Sadly, if you use a local agent, your data is only as secure as the local insurance agent's office computer. Having worked on a few, I can tell that your information is not safe at all. You are better off applying on the main company's website than trusting your PII to a local guy with a laptop.

These agents think nothing of asking you to email your SSN to them.

You refer to "medical ID theft", which wouldn't apply here. To me, medical ID theft is stealing medical insurance information (not life insurance information) so that a duplicate medical identification card can be made and the scammer can then receive medical treatment under the victim's health insurance policy. Depending on the insurance policy, the victim may not notice the fraud for some time. This is completely different than opening a credit account in the victim's name, which is good old identity theft.

Well, I'm far from an expert in medical ID theft, to be sure, but there seems to me enough information in each of these documents to be able to counterfeit a health insurance card, if that's all it takes.

I suspect medical information is most useful to Medicare scammers who submit fraudulent billings for services that weren't delivered.

To prepare a duplicate medical insurance card, you need the name of the carrier, the group number and the individual's account number (which hopefully is no longer the Social Security Number). If that medical information is in the life insurance data, then yes, medical insurance cards can be created.

Note that the security on a medical insurance card compared to a credit card is nonexistent. However, you typically need identification with the medical card, so a driver's license or something similar would also need to be produced.

The duplicate you is used to dupe others and ply the Medicaid fraud trade. If caught, the real you will need a lawyer to prove you are the real you and didn't do the crime. In war, the onus of guilt is reversed. You need to prove you are innocent. They don't need to prove you are guilty. People doing time promotes overtime for corrections workers who happen to be sitting on bad mortgages and other debt you can help pay off sitting in the cooler. This is the US suicide economy. You'll be in jail and out shopping at Home Depot at the same time.

"Corporations are neither physical nor metaphysical phenomena. They are socioeconomic ploys, legally enacted game-playing agreed upon only between overwhelmingly powerful socioeconomic individuals and by them imposed upon human society and its all unwitting members." (Grunch of Giants)

In Canada, the SIN (roughly equivalent to the US SSN) is the verification key for most financial records.

If you can guess/figure out someone's employer, you can often guess their insurer and retirement provider, and with the information Brian described, it'd be trivial to get them to tell you the account numbers.

I'd expect the same behavior in the US.

Are there any laws on the books that protect consumers or fine companies that fail to protect their customers' vital information?

What does it matter? The law only applies if the company gets caught violating it, which usually only happens after a breach, after the damage to the consumer has been done. And fines in no way benefit the consumer; they just put more money in the government's pocket.

If punitive fines were large enough, it could act as a deterrent.

I'd disagree. Look at Target: any forthcoming fines aside, they knew a data breach would be a PR nightmare and a loss of sales, yet they ignored their security system and let it happen. I don't see the threat of larger fines as a deterrent.

The problem with government fines is they were written for much smaller entities. With today's massive corporations, the fines either need to be increased or tied to the size of the company. When you're a massive corporation you get a massive fine; when you're a small business you get a smaller fine. The problem is that the massive businesses get small-business-sized fines, and they're laughed off as a cost of doing business.

What regulations should do is also allow customers affected to sue the company for damages. So not only do they get a massive fine, they also get lawsuits coming at them left and right from all the individuals whose lives they ruined.

HIPAA is rather strong and includes penalties which include jail time. The largest HIPAA settlement was in May, with New York-Presbyterian Hospital and Columbia University. The settlement amount totaled $4.8 million. As far as I can tell, no one has gone to jail for a widespread leak.

New York-Presbyterian Hospital is one of the largest and most comprehensive hospitals in the United States. Columbia University has an $8B endowment. A $4.8M fine is pocket change to these companies, and is probably covered by their insurance policies anyway, at an annual cost to them of maybe $100k.

IMHO, companies should learn to only register data they really need.

Companies trade and sell our personal information all the time, so they lean toward gathering as much of it as possible, whether they need it or not.

Ronm, you are right. Why would the applicants of American Income Life give their bank account numbers BEFORE knowing if the company had even approved giving them life insurance? I would never provide that kind of personal financial information BEFORE completing the transaction, which in this case was applying to receive approval. Once the life insurance company said "Yes, we'll insure you," THEN you make arrangements to pay. But just handing over your bank account info without a reason? Just dumb.

If I am reading that correctly, if a person's medical records are being stolen, then that's a violation of the HIPAA laws against the insurance company.

I was under the impression that HIPAA was like PCI: it is the minimum bar for compliance, but no substitute for real security. The difference is that one is legally mandated and the other is mandated by industry.

So HIPAA requires companies handling personally identifiable medical data to protect it, and failure to do so results in fines, like the $4.5 million levied against New York and Presbyterian Hospital (NYP) and Columbia University (CU) earlier this year.

HIPAA regulations describe some of the basic safeguards to protect information, and if any of the people whose records are on sale on the black market refer their case to OCR at HHS, the insurance company or other entity that was the source of the leak could be fined.

Note that being "HIPAA compliant" is a somewhat meaningless phrase in terms of the level of protection afforded to data. The regulations don't cover all eventualities. However, a reasonableness standard is implied. In other words, if a company failed to use a security control that was reasonable, and that resulted in the data theft, they would be liable both to OCR sanction and to a suit for damages by a victim.

It would be interesting to see what rights the applicants waived when they signed the application for insurance. People sign all kinds of stuff without reading it, and insurance companies include authorization to share information.

My phone number is one digit off (in the more significant digit part) from the fax line of a doctor's office. From time to time, I get fax calls to my number. On a few occasions I have gotten out my old laptop with a modem and fax software and intercepted those faxes; that is how I learned what the situation was. Once, my phone started ringing at 3 AM. In a panic (is there ever a good call at 3 AM?), I answered, only to hear fax tones. You're damn sure I intercepted that one. It was from an area hospital informing the doctor one of his patients had died. Not exactly emergency communications. I sent a scathing email to the hospital's privacy officer. Never heard back, but I can only hope someone was scheduled for immediate extreme rectal surgery.

Apparently you can collect bounties for reporting HIPAA violations to the government. I haven't intercepted any faxes since I learned that, unfortunately.

It would be interesting to know if there are auditing services to help ensure the privacy of both financial and medical records. It would be good for business if they (the medical office and any insurance offices they deal with) could produce a statement not only of compliance with applicable law, but of pursuit of excellence in computer security.

IIRC, Target had a reputation for being quite security conscious, but they were hacked anyway, through an ingenious method.

There can be other uses for the medical data depending on how detailed it actually is, if there are any clinical codes (ICD-9 or CPT) provided, etc.

The HIPAA question would probably be best answered by an attorney. As far as I see it, if the patient supplied the health data to the life insurance company personally, then the company probably is not covered under HIPAA. The patient can give their own data to whomever they choose. The key is whether the life insurance company is considered a Covered Entity or a Business Associate. Business associates would be those that get patient data from the health care provider to do things like billing or marketing, etc. Since they are not engaged in supplying or supporting patient care, I am guessing the life insurance companies are not covered. HIPAA attorney input needed.

I totally understand the first poster. I was just signing up for car insurance with a small local insurer, and while I was at the guy's office in the local strip mall, he was typing my info into his laptop while complaining about a strange pop-up. I almost walked out when I heard it. Seriously, how secure can his laptop be?

We should have the set of laws in this country that mandates responsibility from whoever wants our personal information.

"So you want Fraud Protection?"
"Yes, Frog Protection."
"You are saying Fraud Protection, right?"
"Yep, Frog Protection. I think we're on the same page."

For those who haven't seen it, this is an excerpt from a credit card ad currently running on TV in the US.

About the questions/comments posed by:
Anonymous: "laws on the books that protect consumers or fine ..."
TheOreganoRouter.onion.it: "HIPAA"
Bob Stromberg: "auditing services to help ensure the privacy of both financial and medical records"
Jean: "HIPAA"

http://www.ailife.com/standarditems/HIPAAPrivacyNotice.aspx

"Complaints: If you believe we (American Life Insurance Company) have violated your privacy rights, you have the right to complain to us or to the Secretary of the U.S. Department of Health and Human Services. You may file a complaint with us at our Contact Office below. We will not retaliate against you if you choose to file a complaint with us or with the U.S. Department of Health and Human Services."

"you have the right to complain to us or to the Secretary of the U.S. Department of Health and Human Services"

Complain about your own stupidity for giving them your private information via the defective website. Ha ha ha ha. In a broken system, being broke is a virtue. This new system is based on VA healthcare with postal management. Remember when this sort of thing resulted in company liquidations? No more. With more victims, they'll get a bigger agency budget. If not a victim, you can apply for associate victim status and get a card.

"I think it's absolutely touch-and-go whether we're going to make it. But the point is, for me to tell you that you have an option is not to be optimistic. Time and again, of course, I am running into millions who don't know we have the option, because it's invisible, and I feel I have tremendous responsibility. So when people ask me to come and talk to them, I do my best to let them know they do have the option. Of course they're pessimistic, not knowing that." (Bucky)

There is one GLARING problem here. Unlike credit bureaus (TransUnion, Experian, Equifax, etc.) that you can contact to dispute incorrect information in your credit file, there is no such agency for correcting your health history records. If anyone has their medical insurance hijacked, there's NO WAY TO REPAIR IT. It is currently a permanent record, with no rights to change information contained within.

Furthermore, EMR (Electronic Medical Records) will make it nearly impossible to protect your data, as I personally see that as the next HVT (High Value Target) of scammers and fraudsters. EMR has made all of your data potentially accessible to the world, whereas in the olden days you only needed to worry about the security system in your doctor's office in case of burglary.

A 25-cent pen and cheap clipboard have been replaced with a $300 tablet. This is a must-read and priceless vs. a read 'em and weep. They have managed to make it unaffordable and insecure. The iHealth platform is making more dorks with fewer options.

However, there is some danger that when the actual proposed rules are written, the focus on the Internet will be lost. Par for the course nowadays. New rules are written to benefit those who make money writing rules, aka bureaucrats. If you don't apply for the new plans using the dangerous, insecure system, you'll be fined for not being in compliance. Now the focus is on life insurance scams resulting from scams resulting in wrinkles in Obamacare. You can keep your death benefits. The people who planned this also planned a better Iraq. The criminal state is growing along with the debt.

Life insurance companies are known to require medical exams for applicants, and there is probably more than enough information on these documents to commit gawd knows what kind of fraud. I was chilled when I read this, as I can see innocent people experiencing what Anndorie Sachs went through. See #7 on http://www.cracked.com/article_19973_the-8-creepiest-cases-identity-theft-all-time.html

For whatever financial issues one might be caused by economic types of fraud, they are far outshined in the risks to the victims when it comes to medical fraud.

Good article and great coverage here. I have been saying for 3 years we have a big problem with the very profitable data selling epidemic in the US, both legal and illegal. We do wonder if some of the actual legal data selling borders on illegal too at times, with privacy.

There's no doubt that the legal, unregulated business being open like the wild west only serves to pump up the illegal activity, as if there was no value, nobody would mess with it.

You should also be very aware that as part of their business, that life insurance company is also busy buying and selling data on their policy holders too, so they have knowledge of how it all works for profit. As an example, United Healthcare is one of the biggest data sellers in the US, as 1/3 of their revenue comes from their technology efforts and not policies, and thus some of the business lines they are into kind of sit on an edge of ethics at times as well.

I was absolutely pleased when I heard Tim Cook from Apple speak about privacy too, as he used my lingo on my 3-year campaign: I have to get Congress to pass a law to license all data sellers/distributors. There's many benefits to that, but the most obvious is to easily identify those who have been identified as a licensed data seller versus a black market operation like this one. You can read more here if you like at the link below, but I have been beating this drum with the FTC, Senate and more for 3 years. Apple of late, I have seen, has been reading a few of my privacy blog posts as well.

http://ducknetweb.blogspot.com/2014/09/tim-cook-from-apple-talks-privacy-we.html

Data selling, both legal and illegal, is repackaging your data as well, and there's a rub there too, as after you have been flipped a couple times, finding the origins of the errors could be impossible, and I myself have had that issue. I even had Senators Schumer and Warren reading some of my posts, again seeing visits from my stats.

This is a huge concern, and as Dr. Halamka recently said at Harvard, "it's a war out there" keeping patient records safe from hackers. Again, this was life insurance here, but who knows if repackaging took place. I kind of doubt it as I read this one, but you never know.

In addition, if you want to see a wild video, there's a game out called Data Dealer, and they did a great job with the dramatics on the video to drive the point home, and made a game to exploit the epidemic, and the irony here is that it's so true.

Again, it's what goes on with data selling for profit that has not been declared as illegal or needing regulation that keeps driving what was nicely detailed in this article as to the harm that can occur. It's very scary and needs attention now.

http://ducknetweb.blogspot.com/2014/06/data-selling-and-direct-correlation-to.html

I tend to wonder how many legitimate companies are buying these data.

The thing that pops out to me is that this is a small insurer. Not a big guy. It does well to dispose of the "we're too small, so we fly under the radar" myth that some small companies seem to have.

Some of the other posters may be misunderstanding how insurance works. When you go buy insurance from a guy in a strip mall, he's not actually insuring you. He's just an agent who sells insurance for a big company (often several of them). Just a middleman.

The actual insurance company is in some big city in a giant building made out of granite with pillars and a giant fountain out front. It's got an army of infosec employees keeping your PII safe. Or, in this case, it's just a tiny office in a strip mall nestled between a McDonald's and a Dollar Tree.

https://www.google.com/maps/place/American+Income+Life+Insurance+Company/@31.5320017,-97.1892463,18z/data=!4m2!3m1!1s0x864f840e32c955e7:0x53c97dec63c06aa2

The most valuable personal information in the Digital Age is personal health information. HIPAA has penalties for data breaches, but HIPAA has actually enabled massive, hidden, legal data flows and sales of the health data of everyone in the US. Our right to give consent before our health information is disclosed was eliminated in 2002 by the federal agency called Health and Human Services (HHS).

US patients have NO map to locate where our health data flows, and no chain of custody for our health data. Patient Privacy Rights and Harvard have been trying to build a data map. See http://www.thedatamap.org and http://thedatamap.org/states.html and http://thedatamap.org/history.html

Unlike banking transactions, which we can look at and control 24/7 online, there is no way to track ANY uses of our health data, which includes financial information.

The global hidden health data broker industry far exceeds sales of personal data by data brokers like Acxiom, Experian, Lexis Nexis, etc.

The world's leading health data broker buys, sells and trades longitudinal, real-time health profiles of 500M people (240M from the US), with 100,000 health data suppliers covering 780,000 live daily data feeds. The profiles contain personal info from EHRs, our prescription records, our claims data, and health info we post on social media. The profiles are used and sold to 5,000 customers, including the US government.

This is the greatest data breach you've never heard of: the hidden sale and use of every American's most sensitive personal data by over 4 million providers called "covered entities".

This privacy disaster was caused when HHS eliminated the requirement that patients give consent BEFORE our health information can be disclosed. Now any company that holds our health data is entitled to sell it and use it in ways that we would never agree to, and the sales, trades and disclosures of personal health data have created a hidden global industry worth 100s of billions of dollars/year. The UK sells patient data too.

See my TEDx Talk on this at https://www.youtube.com/watch?v=rRkGTNnEHk0

Read more about all of this at http://www.patientprivacyrights.org

It's time to tweet #MyHealthDataIsMine. PLEASE alert everyone you know to help end this massive hidden industry and RESTORE our rights to control personal information, our rights to privacy.

The apparent locus of the breach being mostly the Pacific Northwest, and Washington State in particular, points to a problem with the agency Altig International, which sells policies for American Income Life in that region. My guess is Altig International is the problem, rather than data mining at American Income or its holding company Torchmark (a component of the S&P 500). Altig International, out of Redmond, Washington, has a nefarious history. In 2012 the Washington State Insurance Commissioner found Altig was using unlicensed agents and adding extra policies to folks already insured by American Income Life without those folks' consent. The majority of insurees of AIL are union or credit union members. The insurance is a union benefit offered as a payroll deduction or a credit union charge on accounts. Altig agents were calling these insurees and falsely adding on extra policies without consent of the insurees. Google has also tangled with AIL. Seems a simple Google of AIL gets you plenty of links to Altig stories and AIL. AIL sued Google for the search engine results. Google did not alter its search engine, needless to say. My guess is Altig is involved in the breach.

I happen to be one of the poor people who had their info taken. They will do nothing about the joint application, and American Income Life Insurance Company is not helping with filing all the paperwork to help now that my ID is no good. Someone has already opened credit card accounts in our names; they have all our info. We have a mess to clean up, and they wonder why we are not happy to keep policies with them. The breach came from agents in Washington state. If you did anything with them this year, you too could be ruined.

Looks like some of the good folks on this website don't understand that Torchmark is liable for their agents' conduct. Not only that, a quick check with the NAIC would have shown that there were regulatory issues with the company.

And not only that, but the NAIC model rules require that a TPA (Third Party Administrator) or MGA (Managing General Agent) be periodically audited by Torchmark.

So Torchmark is in violation of the MGA Model Audit law and will be subject to fines and sanctions in the state where American Income Life is domiciled. If it's Texas, I would bet that the department will look the other way; it's bad for bizness. They are also responsible for the conduct of their agent. If I were a regulator, I would also be looking at the contract with the MGA; you can't outsource compliance with data breach law to a 3rd party.

In other news, fullz are selling for cheap. The value is going down. The economy for medical information is tanking. Perhaps it's too difficult and time-consuming to monetize. Probably. Credit due to our inefficient healthcare system.

The good stuff is IP, credit cards, financial accounts and bank instructions, and zero days. No matter how hard healthcare attorneys or healthcare CISOs looking for budget try to argue.

Comments are closed.