
A Year of Rampant Tax Fraud

There must be something in the water this year. There has been an epidemic of tax fraud that has affected employees of several healthcare organizations. And it now seems like cybersecurity experts are getting to the root cause of how this was done.

In the news lately was a data breach that occurred at the University of Pittsburgh Medical Center (UPMC). After weeks of what seemed like agonizing analysis and discovery, officials there have determined that around 27,000 of their employees were impacted by a cyberattack, as noted in an article by the Pittsburgh Post-Gazette. To make things worse, a lawsuit seeking class-action status on behalf of the 62,000 UPMC employees has been filed against UPMC by Michael Kraemer, a Pittsburgh attorney.

In a recent article by KrebsOnSecurity, Mr. Krebs has delved into how cybercriminals may have succeeded in breaching numerous healthcare organizations and acquiring information including names, social security numbers, birthdates and pay information of employees. While this may not have been the means by which UPMC was breached, he discovered that hackers were able to obtain valid credentials from several healthcare organizations for their third-party payroll and HR management system, called UltiPro.

The potential organizations impacted by this scheme include several that were listed in “a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W-2 forms for all employees.” [Tax Fraud Gang Targeted Healthcare Firms, KrebsOnSecurity, April 14, 2014]. Among the organizations listed in that panel were Plaintree, Inc., Griffin Faculty Practice Plan as well as senior living facilities including SL Bella Terra LLC and Swan Home Health LLC.

This cybercrime scenario exposes several interesting twists in terms of the challenges of maintaining privacy for the personal information of health patients. The UPMC attack highlights the intrinsic value of personal information, in this case, to perpetrate tax fraud. It may also be an indicator that cybercriminals consider healthcare organizations the “slowest antelope” in the cyber jungle. This perspective would potentially be validated by the significant growth in malicious breaches in healthcare this past year [Ponemon Institute, Fourth Annual Benchmark Study on Patient Privacy and Data Security, March 2014].

In this study, they drew the conclusion that “criminal attacks on healthcare organizations increased 100%.” Sadly, it also noted that “nearly 70% of respondents believe the Affordable Care Act has increased or significantly increased the risk to millions of patients, because of inadequate security.”

The UltiPro system hack also illustrates that information in the “cloud,” or in other managed applications and systems outside of the healthcare organization itself, is vulnerable, but that the vulnerability can lie with the user of the system in the HR department of the healthcare provider, whose valid access credentials are compromised. Acquiring such credentials can happen in many ways, among them phishing attacks and other socially engineered approaches to implanting malware on the user’s computer.

So this illustrates that information entrusted to the business associates of healthcare organizations, such as payroll processors, among a wide variety of outside data and application services, can be compromised not by attacking the third-party service itself, but rather by targeting its users within healthcare providers. This type of threat is one that the providers need to specifically address within their security risk analysis process. As is often said, people, not technology, represent the weakest link in security.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.