I'm sure if we took a quick poll, "My credit card number(s)" would be everyone's first response. If you watch the news often and stay up-to-date on the latest "quick tips" for personal web security, you probably know some hackers want your personal information, too. But some of the most recent data breaches like OPM, Excellus Blue Cross Blue Shield, and Anthem have brought concerns to light about the theft of healthcare data.
Why in the world do hackers want my healthcare information?
Think of what happens when you realize your credit card has been stolen, or unauthorized charges are appearing on your account. What do you do? More than likely, you call the card provider, freeze your account, and within a few days you can have a brand new card. Maybe the criminal made a few large purchases online before you caught them, but it's likely your card company will take care of the cost and your biggest headache will be proving to the card company that you are actually you.
But what happens when your social security number and health care records have been stolen? First off, how will you even know? Excellus Blue Cross Blue Shield had 10 million individuals to notify of their breach, which put customers' names, dates of birth, social security numbers, member identifications, financial information, and claims information at risk. And, in case you hadn't thought about this, there's no "freeze" or "quick cancel" button for your social security number and health records.
The FBI estimates that criminals may be able to sell your health care information for as much as $50 per record. In addition, since the sale of these types of records operates more like drug cartels, it isn't as easy to discover as compromised financial data, for which there is a prominent black market. And, if that isn't a good enough reason for criminals to target your health care data, the cost of healthcare is forcing people to seek out free medical care, even if it is stolen or unauthorized.
What can we learn from this?
The scariest part of all is that some hackers, like the infamous "Anonymous" group, don't necessarily want your personal data for any type of financial gain. As we saw in the 2015 Ashley Madison scandal, some hackers may see it as their personal duty to tell the world your secret(s), especially if you are a political figure, celebrity, or a C-level executive of a major corporation.
From a network security perspective, this is a valuable lesson in mitigating risk. Don't assume that you know what hackers want. It has changed over the past 10 years, and it will change over the next 10 years, too. When you lay out your security plan, assume hackers want everything they can get their hands on, and ask yourself, "What can they get their hands on that I can't afford for them to take?"