Unauthorized inside access caused SCAN Health breach

Register now

The cyber attack on Medicare prescription drug plan vendor SCAN Health Plan affecting 87,000 beneficiaries raises questions about how the organization didn’t know that its data was compromised for four months after its systems were breached.

The answer is not a simple one, says Dana Simberkoff, chief compliance and risk officer at AvePoint, a vendor of onsite, cloud-hosted and software security services. “I would love to say they are in the minority, but we know that’s not the case,” Simberkoff adds.

Healthcare organizations typically focus security efforts on protecting the network perimeter from an outside attack. But this breach was an inside job, at least in part, and those defenses are not being given enough security attention.

That explains how an organization wouldn’t discover that it had been breached for four months, because outside intruders are easier to detect than an inside effort, as more security technology is focused on the outside, Simberkoff explains.

That’s why it is so important to increase the focus on inside threats, whether malicious or accidental, and understand the need for least-privilege access to data for employees and contractors—giving them just the data they need to do their jobs and no access to other data, Simberkoff counsels. “They should not have access to the information that was apparently accessed.”

SCAN Health learned on June 27 that contact sheets used for sales purposes had been accessed and possibly viewed as early as March.

In a statement, SCAN Health said a member called the plan to report a sales solicitation from an individual claiming to represent the organization. An investigation found that the legitimate credentials of an employee were accessed and used for the unauthorized purpose of client development for an outside insurance agency.

“This was use of legitimate credentials to access a marketing database outside of the firewall because contractors, primarily brokers, use it, so we would not discover it as an intrusion,” says Nancy Monk, chief administrative officer at SCAN Health. In short, with credentials in hand to get in the database, it looked like an authorized use of access but instead data was used for unauthorized purposes.

SCAN Health spends millions of dollars annually in privacy and security initiatives, trying to keep up with all the threats, Monk says. The organization now is looking at the how to boost security of the database, as well as looking for vulnerabilities in other information systems.

Less than half of the 87,000 affected members are active members, but information on others who no longer have coverage under SCAN Health remained in the database. Members and former members primarily are senior citizens, according to Monk. That’s why even though fewer than 500 Social Security numbers were at risk, the decision was made to offer a suite of protective services to all to enable a senior population to feel as secure as possible.

Simberkoff says employees at provider organizations need to take security more seriously. “Right now, security is still (viewed as) a barrier to productivity and employees find a way around it.” Data should be tagged and classified in information systems to make it more difficult to steal, Simberkoff says. And, companies need a comprehensive breach response and communications plan, and need to be as transparent as possible when an incident occurs.

For reprint and licensing requests for this article, click here.