Why Are Hackers Targeting Your Medical Records?

March 2nd, 2017

Theft of Medical records is booming. Over the past few years, large scale breaches have become more common and increasingly severe. Last year in June, a hacker named thedarkoverlord was selling 650,000 US healthcare records as part of a long-running crime spree. The collection was listed on a deep web marketplace called the Real Deal for over $700,000 worth of Bitcoin.

A cancer treatment provider called 21st Century Oncology had 2.2 million patients records compromised in late 2015. The stolen data included patient names, the names of their doctors, social security numbers, insurance information, diagnoses and treatments. The company was required to notify all of the affected patients and they have also offered free credit protection for one year as partial compensation. 

This is just the tip of the iceberg. According to Bitglass, 113 million Americans were affected by healthcare data breaches in 2015. This is almost 10 times more than the previous year. The IDC’s Health Insights group predicted that one in three patients would be the victim of a breach in 2016. This trend is likely to continue or even intensify over the coming years.

Theft of Medical Records

The Rise of Theft of Medical Records

There were over 230 healthcare breaches that impacted more than 500 people in 2015, according to the US Department of Health and Human Services Office for Civil Rights. The same organization stated that between 27.8 million and 67.7 million people have had their medical records stolen since they started keeping data in 2009.

For a variety of reasons, the medical sector has been the biggest target for hackers since 2012. According to the Identity Theft Resource Center, it accounted for 42.5% of all breaches in 2014. Incidents of medical identity theft have risen alongside these breaches. A Ponemon Institute Study showed that there was a 21.7% rise in medical identity theft in 2014, bringing the total number of incidents to 2.3 million over the previous five years.

Part of this growth can be attributed to the recent digitization of medical files. As part of the Affordable Care Act, many hospitals and other organizations have been moving towards electronic health records for ease of access. The downside of this is that it centralizes the records in databases, many of which are poorly secured. This has made them a prime target for hackers.

Big Companies May Be Bigger Targets, But Small Businesses Are Easy Game

It may seem logical to go after the companies with the most data, but huge enterprises have much larger budgets and greater pools of human resources. Small companies are often much easier targets, because they can’t employ the same level of security as their larger counterparts.

The US Office for Civil Rights (OCR) has also begun investigating smaller breaches. Prior to August 2016, they only looked into breaches when the data of more than 500 individuals was exposed. These investigations could lead to small businesses being fined and receiving other penalties that they could previously avoid. 

Why Do Criminals Want Medical Records?

Why do hackers care about the rash someone had in 2007, or the results of a blood test from last year? No, they aren’t looking to offer free diagnoses–it’s all about money. Medical records are extremely valuable for a wide range of purposes.

They Contain an Extensive Amount of Data

Medical records contain lots of information. Normally they include a person’s full name, address, contact information, social security number, insurance details, the name of treating physicians, diagnoses, prescriptions, treatments and more. When this information is used for fraud and other scams, criminals can make significant sums of money. This return on investment has led them to sell for around $60 each, according to NBC News.

The Value of Credit Card Data Has Fallen

For a long time, stealing credit card numbers was the go-to scam for online criminals. In recent years the value of credit card numbers has fallen and hackers have found more lucrative options instead. In 2008, a Symantec report revealed that credit card numbers were being sold for anywhere between 40¢ and $20. Cards from Europe or smaller companies were valued at the higher end of the scale due to their scarcity.

Other data can be sold for much more. In deep web marketplaces, “information” is commonly sold per line. According to a 2015 Trend Micro report, prices have fallen from $4 per line in 2014 to just $1 per line. This is mainly due to an oversupply in the market. Full credit reports with high FICO scores can go for $25 each, while scanned documents such as licenses, bills and passports can go for between $10 and $35. Log-in credentials for bank accounts can sell between $200 and $500.

Overall, the demand for credit card information is shrinking because it is more limited in use than other personal identifiable information. Credit card companies generally foot the bill for any fraud, which has caused them to bump up their security measures. Chip and pin technology has helped to reduce thefts, while active monitoring means that companies quickly detect any fraud. Log-in credentials for bank accounts are worth much more because thieves can steal a larger amount before the bank notices. Medical records are also more versatile than credit card numbers, which has seen fetch significantly higher prices.

Healthcare Records Can Be Used For a Wide Range of Fraudulent Activities

If healthcare data falls into the wrong hands, it can be used for a variety of sinister purposes. A scammer can use the information to open bank accounts, apply for credit cards or loans, collect rebates or even file tax returns. They can also use the information to fill prescriptions, commit insurance fraud or for medical identity theft.

This data can also be used for harassment or even blackmail. If a famous person’s medical records are stolen, criminals could use the information to extort significant sums of money. Likewise, they could threaten a CEO that they will reveal a hidden diagnosis to the board unless they pay up.

Your Healthcare Data Can’t Be Changed

If your credit card data gets stolen it can be a pain to deal with, but once you cancel the card, the thieves can’t steal any more money. With medical records and the personal information within them, much of it doesn’t change. Few people are willing to change their name, address or sex if their records have been exposed. They certainly can’t change their medical history.

The permanence of medical records and personal information means that it can be exploited for a much longer period of time. Criminals can use it to commit medical identity theft and other fraud for years, resulting in a much greater return on investment than stolen credit cards. This can cause huge headaches for victims, who often spend years of their life and thousands in legal fees trying to clear up the matter. According to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft, 65% of medical identity theft victims said that they spent an average of $13,500 and more than 200 hours of their time to recover from the incident.

The thief”s fraudulent activities can even lead to false information recorded on a medical file–this is potentially deadly and incredibly hard to fix. Ann Patterson, the senior vice president of the Medical Identity Fraud Alliance (MIFA), said that around 20% of medical identity theft victims received the wrong diagnosis or delayed treatment because of fraud.

What Do Healthcare Organizations Have to Fear?

A significant data breach could lead a company to ruin. According to the Ponemon Institute, the average cost is $2.1 million. In the event of a breach, companies will have to notify those who were affected. They may also face government penalties and even potential lawsuits from the victims. A serious breach can also leave a brand’s reputation in ruins, severely affecting its future income.

The Anthem hack was one of the biggest breaches of all time. It affected close to 80 million people and could cost the company over $100 million to clean up. Sure, Anthem is a billion dollar company, but a breach of comparable magnitude can be enough to sink many businesses.

Medical records are versatile and valuable, making them a huge target for hackers. If healthcare organizations want to keep safe, they need to ensure that they have sound security processes protecting their sensitive data. Without the right security in place, all it takes is one bored hacker to affect millions of patients and completely destroy a company’s future.