Saturday, May 23, 2015

Fraud and Incident Response

Years ago, I used to manage an intrusion detection program and saw how some government agencies treat intrusion attempts.  The typical response to notification that we had gotten an attack from someone's server was "Did they get anything?"  The indicator was often that if they didn't, it wasn't anything to be worried about.  Now we know that all of those attempts are followed by success because hackers learn from their experiences and get better.  They may not have been trying to "get anything" that a single individual can relate to.  Sometimes they were just mapping the networks and checking for vulnerabilities.  They will be back later.

But this week I have seen a new variation of the same thing, only this time it is with healthcare information. I got a call from a guy who gave me his name and telephone number and wanted my enrollment information for a visit I had done to a local hospital.  I told him I had given that information when I checked in and was not going to give it to him.  He gave me the "transaction number" for my visit and said, "This is the visit number for that treatment and we need to verify the enrollment information.  You can call this number to verify it."  I went back to my bill which was already paid by this time and the number on it was nothing like the one he had given.  The bill had already been paid.  So, I called the fraud number at Blue Cross, but it turns out Blue Cross has had so many cases because of Anthem, they hired a company to help them.  Their first question was "Did you tell him anything?"  

I said no, and they said, "That's good."  

Wouldn't you like to know the name and number he gave me?  The same question for a question, "Did you give him anything?"  

This circle was getting tighter but nobody was interested in what might be going on in the bigger scheme of things, only that I had not given him anything he might use.  He already had my phone number and knew I had been to the hospital.  So I asked, "Aren't you concerned that he got that information from somewhere inside your own organization?"  Silence.  "We don't have any evidence of that."  I hung up and called Blue Cross directly and got the same reaction from them, though they did seem to be more interested in the broader application of what was only one person who didn't give any information to the person.  They didn't ask for the phone number, name or the transaction number.  They were also happy that I hadn't given him any information.  They were willing to sign me up for credit monitoring for two years, free.  That was nice.  I'm sure some people must think that is worthwhile, but it didn't make me more comfortable about how these massive thefts are being attended to at our health providers.  Somebody else must be looking into that.
