Risk Scenario

Undercut

A social engineering cyber attack results in a massive loss of medical records, a reputational hit and a merger gone bad.
By: | October 20, 2015 • 7 min read
Risk Scenarios are created by Risk & Insurance editors along with leading industry partners. The hypothetical, yet realistic stories, showcase emerging risks that can result in significant losses if not properly addressed.

Disclaimer: The events depicted in this scenario are fictitious. Any similarity to any corporation or person, living or dead, is merely coincidental.

Engineer This

This was so much easier than hacking a system by harnessing software technology and using multiple computers and proxy servers. Still, it took a little bit of phone work.

Scenario_Undercut

A member of SubPrime OverKill, a group of financially motivated hackers going by the acronym SPOK, called the headquarters of Atlas Health Systems on the morning of Monday, July 1.

“Hi,” the hacker said in a friendly voice, when an operator answered the phone. “Can I please have the name of your head of Information Technology?”

“I’m not authorized to give that out,” the national hospital system operator said.

“OK,” the hacker said and hung up before the operator could ask him why he was calling.

It took him six more calls to get what he needed. He didn’t get the name of the head of IT, but he finally got the name of someone else in that department.

The hacker’s next call was to that office.

“Keith Duvall, please,” the hacker said in a much sterner voice when Duvall’s assistant answered.

“Who may I say is calling please?” Duvall’s assistant said.

Partner

Partner

“This is Special Agent Frank Dermont of the Federal Bureau of Investigation’s Cyber Security Bureau. We’ve confirmed that your computer system has been hacked and we need to access it immediately,” the hacker said.

The ruse was working so far. The assistant got flustered.

“Well, Keith’s not in right now, he’s…he’s in Kansas City,” she said.

“We need his username and password! Your system is under attack right now and crucial life-saving machinery in your hospitals’ neo-natal and intensive care units could be shut off within minutes,” the hacker said.

“Give me the username and password now or face obstruction of justice charges!” the hacker said.

“Wait, wait just a second, I have it here,” the assistant said, the thought of infants and the critically ill dying by the dozens overwhelming her.

The flustered assistant then gave the phony FBI agent a super administrator password and username.

And SPOK was in the hen house.

Over the next four months, unknown to hospital administrators, the hackers siphoned off hundreds of thousands of medical records from the large hospital system’s computer system.

At $80 per medical record, the thieves were making millions selling the records on the black market. And no one within the Atlas Health System administration had any notion of what they were up to.

Merging Blind

Two months after the hack, Dale Reed, director of risk management for a smaller hospital system, The Magnolia Group, received information that Atlas was planning to buy Magnolia and merge the two hospital systems.

Scenario_Undercut

There was already plenty on Reed’s plate. The demands of the Affordable Care Act and the escalating number of cyber attacks on not only health insurers, but health care providers, was causing him great concern.

“Now this,” Reed said as he looked over an email from the Magnolia Group CFO, outlining the ways in which the terms of the Atlas deal were projected to impact various departments.

The good news for Reed was that it appeared his job was safe.

The challenge for Reed was that he was going to have to work hand in hand with the IT professionals and risk management team at Atlas in building a secure information technology system.

The deal was set to close in November and the C-suites with both hospital groups were expecting the systems to be fully integrated and secure by the end of the year.

“Don’t expect to see much of me,” Reed told his wife. “I’ve got some long work days ahead of me.”

In mid-October, as the merger moved closer to becoming a reality, Reed sought clearance for and obtained permission from higher-ups to begin conversations with the IT and risk management departments at Atlas to discuss systems integration and security.

Advertisement




In conversations with Atlas officials, Reed took away two things that concerned him. One, it appeared Atlas did not use a two-factor authorization system to gain access to the hospital’s IT system.

If a hacker chose to target Atlas, Reed thought, all they’d have to do is get an IT administrator’s username and a password and they were in.

Two, in discussions with Atlas’ risk management department, it appeared that a cyber-attack incident response plan, while being developed, was not yet in place at Atlas.

Working late one night in the office, Reed deduced that he couldn’t be passive. He needed to take steps to make sure the combined hospital system’s IT system was not only integrated but secure.

The Atlas/Magnolia merger closed as expected Nov. 16. The Magnolia name would go away and the system would keep the name Atlas.

The following day Reed asked for and received permission to hire an IT audit firm that he’d worked with before to examine the Atlas system, which was now in the process of being integrated with the Magnolia system.

The audit team was two days into its three-month contract when Reed got a call from the audit team’s chief examiner.

“The Atlas Health System network was breached back in July,” the examiner said.

“What?” was all Reed could say.

“We estimate hundreds of thousands of medical records have been stolen by a group that goes by the acronym SPOK. They might have taken as many as a million records.”

“You’ve got to be kidding me,” Reed said.

“We’re not kidding you, Dale,” the examiner said. “And it looks like some former Magnolia Group records might already have been lifted,” the examiner said.

The news that Atlas was four months into a massive cyber attack and that close to a million records were pilfered was of course very painful for Keith Duvall and his superiors in the IT department and treasury.

When it became known that it was the IT department’s very own super administrator username and password that were used to breach the system, the head of Atlas IT resigned.

Dale Reed had taken the initiative and hired the IT audit team that found the breach. Now he would have the added responsibility of cleaning up the mess. Or trying to.

Pain. No Gain.

The next day, Reed was back on the phone, this time with the IT audit team’s chief examiner and his insurance broker.

Scenario_Undercut

“These aren’t like credit card numbers,” the broker was saying, as Reed felt sharp anxiety pains in his abdomen.

“It could take months to figure out what services, pharmaceutical, whatever, are being ordered with this stolen information. This medical information can go for $80 per record on the black market, it’s much more valuable than a credit card number and much harder to shut down,” the broker said.

The next morning’s newspaper told Reed and the rest of the Atlas executives a story they never thought they would read and would never want to read again.

SPOK sold information about the embarrassing medical conditions of a number of regional business, political and other public sector leaders to unscrupulous bloggers and those details were published online.

Examples included a local school superintendent with a sexually transmitted disease, the CEO of a local company who had bariatric surgery but didn’t want the information publicly disclosed, and the wife of a local pastor who was suffering from complications from breast implants.

“Did you see this?” came the panicked email from the Atlas CFO, including a link to the story.

“Saw it,” was Reed’s only response.

A class action lawsuit soon followed. The plaintiffs alleged that the combined company failed to conduct ample due diligence into the vulnerabilities of its IT system.

The reputational damage from the lost and sold medical records spurred Atlas executives to accelerate planned upgrades to their IT system. Millions in IT expenditures they’d expected to spread over 10 years were compressed to a two-year spend.

Add to that the notification costs and legal expenses connected to the breach and the defense of the class actions, and it became painfully clear that Magnolia and Atlas should never have merged at all.

Bar-Lessons-Learned---Partner's-Content-V1b

Risk & Insurance® partnered with Swiss Re Corporate Solutions to produce this scenario. Below are Swiss Re Corporate Solutions’ recommendations on how to prevent the losses presented in the scenario. This perspective is not an editorial opinion of Risk & Insurance®.

Even the best-trained employees click on 2% of spam phishing emails. Once a hacker has access to your network, the ramifications are endless. The monetary costs of a breach can be in the billions of dollars, but losses aren’t just financial. After a cyber attack, companies face reputational and legal consequences, as well.

In our increasingly digitized world, computer hacks aren’t just the stuff of fiction. They’re a very real part of doing business. And almost all companies – large or small, public or private – are at risk. So when an attack does occur, you don’t want to be alone. You want a teammate you can depend on to mitigate your losses.

Swiss Re Corporate Solutions understands the threats you’re facing. That’s why we’ve enlisted the very best partners to help you protect your business after a breach. Our on-call vendors are elite forensics firms, law firms, breach notification firms, and call centers, so you can rest easy when the worst happens.

Swiss Re Corporate Solutions means knowledge, experience, financial and global reach. Let our experts create customized solutions that are right for your business. Visit www.swissre.com/cyber.




Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

Advertisement




That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Advertisement




Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]