Some experts say that recently released details about Target’s data breach heighten concerns about the safety of other customer information held by Target and other major retail chains.
And health care data stored in pharmacy records may be a prime target for thieves, at Target as well as other pharmacy chains.
If financial information, which is subject to stringent regulatory standards, was stolen, “then everything else is fair game,” Avivah Litan, a fraud analyst with IT research firm Gartner, told Twin Cities Business.
Deborah Peel, a health-privacy expert based in Austin, Texas, who leads the non-partisan Coalition for Patient Privacy, agrees.
“We’ve seen that Target’s data protections aren’t adequate for credit cards,” she said. “Why would we assume they’d be good enough for electronic health information either?”
The Scope of the Breach
In mid-December, after a technology blogger broke the news of a Target data breach, the Minneapolis-based retailer acknowledged that information from up to 40 million credit and debit card accounts may have been accessed between November 27 and December 15.
Then, just last week, Target said the scope of the breach was larger than first believed—and contact information, such as names, mailing addresses, phone numbers, and email addresses, was also exposed for up to 70 million people.
CEO Gregg Steinhafel confirmed in a recent CNBC interview that credit card information was stolen when hackers installed malicious software, or “malware,” on the company’s point-of-sale registers.
The contact information that was stolen appears, however, to have come from a separate database, and Litan said she believes there’s a “strong possibility” that the breach involved the help of an insider at Target, given that hackers were able to access a second system.
Target has not indicated that pharmacy data was exposed, and experts who spoke with Twin Cities Business said they haven't seen any evidence to suggest that it was. On Tuesday, a Target spokesperson said in an e-mailed statement that “the investigation is continuing and we have confirmed what we know to date.”
When asked to clarify whether Target has discovered a breach of pharmacy data, the spokesperson responded: “Given the ongoing nature of the investigation, I don’t have additional details to share at this time.”
Why Hackers May Want Pharmacy Data
Peel, the health-privacy expert, said that so-called “medical identity theft” is a growing concern nationwide, as thieves may gain access to a patient’s health plan number, prescription history, and other personal information, which may be used to defraud health care providers.
“Pharmacy data’s pretty hot,” said Gartner’s Litan, “because they want to get controlled substances and sell them on the black market,” and insurance numbers may be used to bill Medicare for fake tests, among other things.
In fact, such crimes may be more troublesome for victims than financial identity fraud, as it may take several years to discover that someone has stolen your medical identity, according to Peel. Also, an insurance provider may raise a victim’s rates as a result of a fraudulent charge, she said.
Pharmacy data could likely be stolen from a retailer like Target via a method similar to the one hackers used to access financial information, according to Litan. For example, thieves could potentially install malware on a pharmacist’s computer system.
“Whoever found their way around those systems could easily find their way around other systems,” she said.
Amy Koo—a retail analyst from Boston-based Kantar Retail who closely follows Target—said in a phone interview that there’s no indication to date that hackers were seeking more than financial and contact information from Target, “but there’s always concern for the exposure of other information, especially when you disclose these things to a retailer.”
She’s largely focused on what impact the breach has had on consumer loyalty and trust. While Target has, by her assessment, worked hard in recent weeks to convey to customers that it is working to mend a difficult situation, the company was initially tight-lipped and “may have downplayed the effect that this had on its guests.”
“I think for a retailer that is very focused on a particular type of guest” and commonly touts its ability to establish a trusted relationship with them, “it can be more dangerous for them to be less than forceful about being concerned about the convenience for guests,” Koo said. “They weren’t as candid as they could’ve been.”
Litan believes that Target was likely using reasonable safeguards to protect its financial data, adding that “a broken payment system”—i.e., the point-of-sale system that reads magnetic stripes on credit cards—is too easy to hack.
Others, meanwhile, have been less hesitant to assign blame with respect to the breach of consumers’ financial information.
“This is a breach that should've never happened,” John Kindervag, vice president and principal analyst at research firm Forrester, told Twin Cities Business in an emailed statement. “The fact that three-digit CVV security codes were compromised shows they were being stored”—and storing such credit card codes has “long been banned by the card brands” and by standards set by the PCI Security Council.