18
Sep 14

Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

The "Fraud Related" section of the Evolution Market.

The “Fraud Related” section of the Evolution Market.

Purloined medical records are among the many illicit goods for sale on the Evolution Market, a black market bazaar that traffics mostly in narcotics and fraud-related goods — including plenty of stolen financial data. Evolution cannot be reached from the regular Internet. Rather, visitors can only browse the site using Tor, software that helps users disguise their identity by bouncing their traffic between different servers, and by encrypting that traffic at every hop along the way.

Last week, a reader alerted this author to a merchant on Evolution Market nicknamed “ImperialRussia” who was advertising medical records for sale. ImperialRussia was hawking his goods as “fullz” — street slang for a package of all the personal and financial records that thieves would need to fraudulently open up new lines of credit in a person’s name.

Each document for sale by this seller includes the would-be identity theft victim’s name, their medical history, address, phone and driver license number, Social Security number, date of birth, bank name, routing number and checking/savings account number. Customers can purchase the records using the digital currency Bitcoin.

A set of five fullz retails for $40 ($8 per record). Buy 20 fullz and the price drops to $7 per record. Purchase 50 or more fullz, and the per record cost falls to just $6.40 — roughly the price of a value meal at a fast food restaurant. Incidentally, even at $8 per record, that’s cheaper than the price most stolen credit cards fetch on the underground markets.

Imperial Russia's ad on Evolution pimping medical and financial records stolen from a Texas life insurance firm.

Imperial Russia’s ad pimping medical and financial records stolen from a Texas life insurance firm.

“Live and Exclusive database of US FULLZ from an insurance company, particularly from NorthWestern region of U.S.,” ImperialRussia’s ad on Evolution enthuses. The pitch continues:

“Most of the fullz come with EXTRA FREEBIES inside as additional policyholders. All of the information is accurate and confirmed. Clients are from an insurance company database with GOOD to EXCELLENT credit score! I, myself was able to apply for credit cards valued from $2,000 – $10,000 with my fullz. Info can be used to apply for loans, credit cards, lines of credit, bank withdrawal, assume identity, account takeover.”

Sure enough, the source who alerted me to this listing had obtained numerous fullz from this seller. All of them contained the personal and financial information on people in the Northwest United States (mostly in Washington state) who’d applied for life insurance through American Income Life, an insurance firm based in Waco, Texas.

American Income Life referred all calls to the company’s parent firm — Torchmark Corp., an insurance holding company in McKinney, Texas. This publication shared with Torchmark the records obtained from Imperial Russia. In response, Michael Majors, vice president of investor relations at Torchmark, said that the FBI and Secret Service were assisting the company in an ongoing investigation, and that Torchmark expected to begin the process of notifying affected consumers this week.

“We’re aware of the matter and we’ve been working with law enforcement on an ongoing investigation,” Majors said, after reviewing the documents shared by KrebsOnSecurity. “It looks like we’re working on the same matter that you’re inquiring about.”

Majors declined to answer additional questions, such as whether Torchmark has uncovered the source of the data breach and stopped the leakage of customer records, or when the company believes the breach began. Interestingly, ImperialRussia’s first post offering this data is dated more than three months ago, on June 15, 2014. Likewise, the insurance application documents shared with Torchmark by this publication also were dated mid-2014.

The financial information in the stolen life insurance applications includes the checking and/or savings account information of the applicant, and is collected so that American Income can pre-authorize payments and automatic monthly debits in the event the policy is approved. In a four-page discussion thread on Imperial Russian’s sales page at Evolution, buyers of this stolen data took turns discussing the quality of the information and its various uses, such as how one can use automated phone systems to verify the available balance of an applicant’s bank account.

Jessica Johnson, a Washington state resident whose records were among those sold by ImperialRussia, said in a phone interview that she received a call from a credit bureau this week after identity thieves tried to open two new lines of credit in her name.

“It’s been a nightmare,” she said. “Yesterday, I had all these phone calls from the credit bureau because someone tried to open two new credit cards in my name. And the only reason they called me was because I already had a credit card with that company and the company thought it was weird, I guess.”

ImperialRussia discusses his wares with potential and previous buyers.

ImperialRussia discusses his wares with potential and previous buyers.

More than 1.8 million people were victims of medical ID theft in 2013, according to a report from the Ponemon Institute, an independent research group. I suspect that many of these folks had their medical records stolen and used to open new lines of credit in their names, or to conduct tax refund fraud with the Internal Revenue Service (IRS).

Placing a fraud alert or freeze on your credit file is a great way to block identity thieves from hijacking your good name. For pointers on how to do that, as well as other tips on how to avoid becoming a victim of ID theft, check out this story.

Tags: , , , , , , , , , , , ,

41 comments

  1. Sadly if you use a local agent your data is only as secure as the local insurance agents office computer. Having worked on a few I can tell that your information is not safe at all. You are better off applying on the main companies website than trusting your PII to a local guy with a laptop.

    These agents think nothing of asking you to email your SSN to them.

  2. You refer to “medical ID theft” which wouldn’t apply here. To me, medical ID theft is stealing medical insurance information (not life insurance information) so that a duplicate medical identification card can be made and the scammer can then receive medical treatment under the victim’s health insurance policy. Depending on the insurance policy, the victim may not notice the fraud for some time. This is completely different than opening a credit account in the victim’s name, which is good old identity theft.

    • Well, I’m far from an expert in medical ID theft, to be sure, but there seems to me enough information in each of these documents to be able to counterfeit a health insurance card if that’s all it takes.

      • I suspect medical information is most useful to Medicare scammers who submit fraudulent billings for services that weren’t delivered.

      • To prepare a duplicate medical insurance card, you need the name of the carrier, the group number and the individual’s account number (which hopefully is no longer the Social Security Number). If that medical information is in the life insurance data, then, yes, medical insurance cards can be created.

        Note that the security on a medical insurance card compared to a credit card is nonexistent. However, you typically need identification with the medical card so a driver’s license or something similar would also need to be produced.

        • The duplicate you is used to dupe others and ply the Medicaid fraud trade. If caught, the real you will need a lawyer to prove you are the real you and didn’t do the crime. In war the onus of guilt is reversed. You need to prove you are innocent. They don’t need to prove you are guilty. People doing time promotes overtime for corrections workers who happen to be sitting on bad mortgages and other debt you can help pay off sitting in the cooler. This is the US suicide economy. You’ll be in jail and out shopping at Home Depot at the same time.

          “Corporations are neither physical nor metaphysical phenomena. They are socioeconomic ploys — legally enacted game-playing — agreed upon only between overwhelmingly powerful socioeconomic individuals and by them imposed upon human society and its all unwitting members.” Gruch of Giants

        • In Canada, the SIN (roughly equivalent to the US SSN) is the verification key for most financial records.

          If you can guess / figure out someone’s employer, you can often guess their insurer / retirement provider, and with the information Brian described it’d be trivial to get them to tell you the account numbers.

          I’d expect the same behavior in the US.

  3. Are there any laws on the books that protect consumers or fine companies that fail to protect their customers vital information?

    • What does it matter? The law only applies if the company gets caught violating it, which usually only happens after a breach, after the damage to the consumer has been done. And fines in no way benefit the consumer, they just put more money in the governments pocket.

      • If punative fines were large enough it could act as a deterrent.

        • I’d disagree. Look at Target, any forthcoming fines aside they knew a data breach would be a PR nightmare and a loss of sales, yet they ignored their security system and let it happen. I don’t see the threat of larger fines as a deterrent.

          • The problem with government fines is they were written for much smaller entities. With todays massive corporations, the fines either need to be increased or tied to the size of the company. When you’re a massive corporation, you get a massive fine – when you’re a small business, you get a smaller fine. The problem is that the massive businesses get small business sized fines and they’re laughed off as a cost of doing business.

            What regulations should do is also allow customers affected to sue the company for damages. So not only do they get a massive fine, they also get lawsuits coming at them left and right from all the individuals whose lives they ruined.

    • HIPAA is rather strong and includes penalties which include jail time. The largest HIPAA settlement was in May with New York-Presbyterian Hospital and Columbia University . The settlement amount totaled $4.8 million. As far as I can tell, no one has gone to jail for a wide-spread leak.

      • New York-Presbyterian Hospital is one of the largest and most comprehensive hospitals in the United States. Columbia University has an $8B endowment. A $4.8M fine is pocket change to these companies and is probably covered by their insurance policies, anyway, at an annual cost to them of maybe $100k.

  4. IMHO companies should learn to only register data they really need.

    • Companies trade and sell our personal information all the time, so they lean toward gathering as much of it as possible whether they need it or not.

  5. @Ronm, you are right — why would the applicants of American Income Life give their bank account numbers BEFORE knowing if the company had even approved giving them life insurance? I would never provide that kind of personal financial information BEFORE completing the transaction — which in this case was applying to receive approval. Once the life insurance company said, “Yes, we’ll insure you,” THEN you make arrangements to pay. But just handing over your bank account info without a reason? Just dumb.

  6. TheOreganoRouter.onion.it

    If I am reading that correctly, if a persons medical records are being stolen, then that’s a violation of the H.I.P.A.A. laws against the insurance company.

    • I was under the impression that HIPPA was like PCI – it is the minimum bar for compliance, but no substitute for real security…? The difference is that one is legally mandated and the other is mandated by industry.

      • So, HIPAA requires companies handling personally identifiable medical data to protect it, and failure to do so result in fines, like $4.5 million levied against New York and Presbyterian Hospital (NYP) and Columbia University (CU) earlier this year.

        HIPAA regulations describe some of the basic safeguards to protect information and if any of the people whose records are on sale on the black market refer their case to OCR at HHS, the insurance company or other entity that was the source of the leak could be fined.

        Note that being “HIPAA compliant” is a somewhat meaningless phrase in terms of level of protection afforded to data. The regulations don’t cover all eventualities. However, a reasonableness standard is implied. In other words, if a company failed to use a security control that was reasonable and that resulted in the data theft, they would be liable, both to OCR sanction and to a suit for damages by a victim.

        • It would be interesting to see what rights the applicants waived when they signed the application for insurance. People sign all kinds of stuff without reading it, and insurance companies, including authorization to share information.

    • My phone number is one digit off (in the more significant digit part) from the fax line of a doctor’s office. From time to time I get fax calls to my number. On a few occasions, I have gotten out my old laptop with a modem and fax software and intercepted those faxes – that is how I learned what the situation was. Once, my phone started ringing at 3 AM. In a panic, (is there ever a good call at 3 AM?) I answered only to hear fax tones. You’re damn sure I intercepted that one. It was from an area hospital, informing the doctor one of his patients had died. Not exactly emergency communications. I sent a scathing e-mail to the hospital’s privacy officer. Never heard back, but I can only hope someone was scheduled for immediate extreme rectal surgery.

      Apparently you can collect bounties for reporting HIPPA violations to the government. I haven’t intercepted and faxes since I learned that, unfortunately.

  7. It would be interesting to know if there are auditing services to help ensure the privacy of both financial and medical records. It would be good for business if they (the medical office and any insurance offices they deal with) could produce a statement not only of compliance with applicable law but with pursuit of excellence in computer security.

    IIRC, Target had a reputation for being quite security conscious, but they were hacked anyway (through an ingenious method).

  8. There can be other uses for the medical data, depending on how detailed it actually is, if there are any clinical codes (ICD-9 or CPT) provided, etc.

    The HIPAA question would probably be best answered by an attorney. As far as I see it, if the patient supplied the health data to the life insurance company personally then the company probably is not covered under HIPAA. The patient can give their own data to whomever they choose. The key is whether the life insurance company is considered a “Covered Entity” or a “Business Associate”. Business associates would be those that get patient data from the health care provider to do things like billing or marketing, etc. Since they are not engaged in supplying or supporting patient care, I am guessing the life insurance companies are not covered. HIPAA attorney input needed.

  9. I totally understand the first poster. I was just signing up for car insurance with a small local insurer and while I was at the guy’s office (in the local strip mall) he was typing my info into his laptop while complaining about “strange pop up.” I almost walked out when I heard it. Seriously, how secure can his laptop be?

    We should have the set of laws in this country that mandates responsibility from whoever wants our personal information.

  10. “So you want Fraud Protection?”
    “Yes, Frog Protection?”
    “You are saying Fraud Protection right?”
    “Yep, Frog Protection. I think we’re on the same page”

    • (For those who haven’t seen it, this is an excerpt from a credit card ad currently running on TV in the US.)

  11. About the questions/comments posed by:
    Anonymous (laws on the books that protect consumers or fine..?)
    TheOreganoRouter.onion.it (HIPAA)
    Bob Stromberg (…auditing services to help ensure the privacy of both financial and medical records)
    Jean (HIPAA)

    http://www.ailife.com/standard-items/HIPAA-Privacy-Notice.aspx
    “Complaints: If you believe we [American Life Insurance Company] have violated your privacy rights, you have the right to complain to us or to the Secretary of the U.S. Department of Health and Human Services. You may file a complaint with us at our Contact Office (below). We will not retaliate against you if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.”

    • “you have the right to complain to us or to the Secretary of the U.S. Department of Health and Human Services”

      Complain about your own stupidity for giving them your private information via the defective website? Ha ha ha ha. In a broken system being broke is a virtue. This new system is based on VA healthcare with postal management. Remember when this sort of thing resulted in company liquidations? No more! With more victims they’ll get a bigger agency budget. If not a victim you can apply for associate victim status and get a card.


      I think it’s absolutely touch-and-go whether we’re going to make it. But the point is, for me to tell you that you have an option is not to be optimistic… Time and again, of course I am running into millions who don’t know we have the option, because it’s invisible, and I feel I have tremendous responsibility. So when people ask me to come and talk to them, I do my best to let them know they do have the option. Of course they’re pessimistic, not knowing that.
      ” Bucky

  12. There is one GLARING problem here! Unlike credit bureaus (TransUnion, Experian, Equifax, etc.) that you can contact to dispute incorrect information in your credit file, there is no such agency for correcting your health history records. If anyone has their medical insurance hijacked there’s NO WAY TO REPAIR IT. It is currently a permanent record, with no rights to change information contained within.

    Furthermore, EMR (Electronic Medical Records) will make it nearly impossible to protect your data as I personally see that as the next HVT (High Value Target) of scammers and fraudsters. EMR has made all of your data potentially accessible to the world, whereas in the olden days you only needed to worry about the security system in your doctor’s office in case of burglary.

    • A 25 cent pen and cheap clipboard have been replaced with a $300 tablet. This is a must-read and priceless vs. a read ’em and weep. They have managed to make it unaffordable and insecure. The iHealth platform is making more dorks with fewer options.

      “However, there is some danger that when the actual proposed rules are written, the focus on the Internet will be lost.” Par for the course now days. New rules and written to benefit those who make money writting rules aka bureaucrats. If you don’t apply for the new plans using the dangerous insecure system you’ll be fined for not being in compliance. Now the focus is on life insurance scams resulting from scams resulting in wrinkles in Obamacare. You can keep your death benefits. The people who planned this also planned a better Iraq. The criminal state is growing along with the debt.

  13. Life insurance companies are known to require medical exams for applicants, and there is probably more than enough information on these documents to commit gawd knows what kind of fraud. I was chilled when I read this, as I can see innocent people experiencing what Anndorie Sachs went through. See #7 on http://www.cracked.com/article_19973_the-8-creepiest-cases-identity-theft-all-time.html

    For whatever financial issues one might be caused by economic types of fraud, they are far outshined in the risks to the victims when it comes to medical fraud.

  14. Good article and great coverage here. I have been saying for 3 years we have a big problem with the very profitable data selling epidemic in the US, both legal and illegal. We do wonder if some of the actual “legal” data selling borders on illegal too at times with privacy.

    There’s no doubt that the legal unregulated business being open like the wild west only serves to pump up the illegal activity as if there was no value, nobody would mess with it.

    You should also be very aware that as part of their business, that life insurance company is also busy buying and selling data on their policy holders too, so they have knowledge of how it all works for profit. As an example, United Healthcare is one of the biggest data sellers in the US as 1/3 of their revenue comes from their technology efforts and not policies and thus some of the business lines they are into kind of sit on an edge of ethics at times as well.

    I was absolutely pleased when I heard Tim Cook from Apple speak about privacy too as he used my lingo on my 3 year campaign I have to get Congress to pass a law to license all data sellers/distributors. There’s many benefits to that but the most obvious is to easily identify those who have been identified as a licensed data seller versus a black market operation like this one. You can read more here if you like at the link below, but I have been beating this drum with the FTC, Senate and more for 3 years. Apple of late I have seen has been reading a few of my privacy blog posts as well.

    http://ducknetweb.blogspot.com/2014/09/tim-cook-from-apple-talks-privacy-we.html

    Data selling, both legal and illegal is repackaging your data as well and there’s a rub there to as after you have been flipped a couple times, finding the origins of the errors could be impossible and I myself have had that issue. I even had Senators Schumer and Warren reading some of my posts, again seeing visits from my stats.

    This is a huge concern and as Dr. Halamka recently said at Harvard, “it’s a war out there keeping patient records safe from hackers”. Again this was life insurance here but who knows if repackaging took place. I kind of doubt it as I read this one but you never know.

    In addition if you wan to see a wild video, there’s a game out called “Data Dealer” and they did a great job with the dramatics on the video to drive the point home and made a game to exploit the epidemic and the irony here is that it’s so true.

    Again it’s what goes on with data selling for profit that has not been declared as illegal or needing regulation that keeps driving what was nicely detailed in this article as to the harm that can occur. It’s very scary and needs attention now.

    http://ducknetweb.blogspot.com/2014/06/data-selling-and-direct-correlation-to.html

  15. I tend to wonder how many “legitimate” companies are buying these data.

  16. The thing that pops out to me is that this is a small insurer. Not a big guy. It does well to dispose of the “we’re too small so we fly under the radar” myth that some small companies seem to have.

    Some of the other posters may be misunderstanding how insurance works. When you go buy insurance from a guy in a strip mall, he’s not actually insuring you. He’s just an agent who sells insurance for a big company, often several of them. Just a middleman.

    The actual insurance company is in some big city in a giant building made out of granite with pillars and a giant fountain out front. It’s got an army of info sec employees keeping your PII safe. Or in this case, it’s just a tiny office in a strip mall nestled between a McDonald’s and a Dollar Tree.

    https://www.google.com/maps/place/American+Income+Life+Insurance+Company/@31.5320017,-97.1892463,18z/data=!4m2!3m1!1s0x864f840e32c955e7:0x53c97dec63c06aa2

  17. The most valuable personal information in the Digital Age is personal health information. HIPAA has penalties for data breaches but HIPAA has actually enabled massive hidden ‘legal’ data flows and sales of the health data of everyone in the US. Our rights to give consent before our health information is disclosed was eliminated in 2002 by the federal agency called Health and Human Services (HHS).

    US patients have NO ‘map’ to locate where our health data flows, and no ‘chain of custody’ for our health data. Patient Privacy Rights and Harvard have been trying to build a data map. See: http://www.thedatamap.org/ and http://thedatamap.org/states.html and http://thedatamap.org/history.html.

    Unlike banking transactions which we can look at control 24/7 online, there is no way to track ANY uses of our health data (which includes financial information).

    The global hidden health data broker industry far exceeds sales of personal data by data brokers like Acxiom, Experion, Lexis Nexis, etc.

    The “world’s leading” health data broker buys, sells, and trades longitudinal, real-time health profiles profiles of 500M people (240M from the US) with 100,000 health data suppliers covering 780,000 live daily data feeds. The profiles contain personal info from EHRs, our prescription records, our claims data, and health info we post on social media. The profiles are used and sold to 5,000 customers including the US government.

    This is greatest data breach you’ve never heard of: the hidden sale and use of every American’s most sensitive personal data by over 4 million ‘providers’ (called ‘covered entities’).

    This privacy disaster was caused when HHS eliminated the requirement that patients give consent BEFORE our health information can be disclosed. Now any company that holds our health data is entitled to sell it and use it in ways that we would never agree to–and the sales, trades, and disclosures of personal health data have created a hidden global industry worth 100’s of billions of dollars/year. The UK sells patient data too.

    See my TEDx Talk on this at: https://www.youtube.com/watch?v=rRkGTNnEHk0

    Read more about all of this at: http://www.patientprivacyrights.org

    It’s time to tweet #MyHealthDataIsMine—PLEASE alert everyone you know to help end this massive hidden industry and RESTORE our rights to control personal information, our rights to privacy.

  18. The apparent locus of the breach, being mostly the Pacific Northwest and Washinngton State in particular, points to a problem with the agency Altig International which sells policies for American Income Life in that region. My guess is Altig International is the problem, rather than data mining American income or its holding company Torchmark, a component of the SandP 500. Altig International out of Redmond. Washington, has a nefarious history; in 2012, the Washington State Insurance Commissioner found Altig was using unlicenced agents and adding extra policies to folks already insured by American Income Life without those folks consent. The majority of insurees of ALI are union or credit union members. The insurance is a union benefit offered as a payroll deduction or a credit union charge on accounts.. Altig “agents” were calling these insurees and falsely adding on extra policies without consent of the insurees. Google has also tangled with AIL. Seems a simple Google of AIL gets you plenty of links to Altig stories and AIL. AIL sued Google for the search engine results. Google did not alter its search engine, needless to say. My guess is Altig is involved in the breach.

  19. I happen to be one of the poor people who had their info taken. They will do nothing about the joint application and American Income Life Insurance Company is not helping with filing all the paperwork to help now that my ID is no good. Someone has already opened credit card accounts in our names, they have all our info. We have a mess to clean up and they wonder why we are not happy to keep policies with them. The breach came from agents in Washington state!!!!! If you did anything with them this year you to could be ruined!!

  20. Looks like some of the good folks on this website don’t understand that Torchmark is liable for their agent’s conduct. Not only that, a quick check with the NAIC would have shown that there were regulatory issues with the company.

    And not only that, but the NAIC model rules require that a TPA (Third Party Administrator) or MGA (Managing General Agent) are to be periodically audited by Torchmark.

    So Torchmark is in violation of the MGA Model Audit law and will be subject to fines and sanctions in the state where American Income Life is domiciled (if it’s Texas, I would bet that the department will look the other way, it’s bad for bizness)…..They are also responsible for the conduct of their agent, if I were a regulator, I would also be looking at the contract with the MGA, you can’t outsource compliance with data breach law to a 3rd party.

  21. But by eating the right foods at the optimum periods
    during the day, you will notice a sudden shift in your weight, and best of
    all, you’re still eating a healthy, varied diet that is giving
    you the right amounts of vitamins and minerals to function at your best each day.
    In fact, many people fail to achieve their goals in dieting.
    Besides, the aid of a expert fitness trainer and realizing the proper way to
    do unique workouts, presents a scientific edge to your exercise routine regimen.

  22. In other news, fullz are selling for cheap. The value is going down. The economy for medical information is tanking. Perhaps it’s too difficult and time consuming to monetize? Probably. Credit due to our inefficient healthcare system.

    The good stuff is IP, credit cards, financial accounts and bank instructions and zero days. No matter how hard healthcare attorneys or healthcare CISOs looking for budget try to argue.