Medical data was the most popular target for hackers last year and those numbers will surge to new highs in 2015
While 2014 drew attention as the year of the credit card breach – Home Depot, P. F. Chang’s, Neiman Marcus and Sally Beauty were just a few – some hackers are passing over retailers and zeroing in on different targets in 2015.
Health records have always been vulnerable to rogue employees and careless workers losing unencrypted laptops, but a recent study [1] by the Ponemon Institute shows the number one risk is now cyber criminals.
In February, when Anthem Inc., the nation’s second largest health insurer, announced that it had been hacked, an estimated 80 million customers and employees lost data. The company was quick to point out that medical records had not been compromised [2]. Those remarks were offered to soothe outraged customers but the list of stolen data is far more alarming than photos from a recent colonoscopy. The tally included Social Security numbers (SSN), names, dates of birth, addresses, and health insurance data for starters. Anthem employees even lost salary information.
That’s a bucket of data far more valuable and dangerous than the results of recent blood tests. It’s a dream list for any would-be hacker – a top prize that will bring the highest payments from bidders on the Dark Web.
Single Breach Shows Full Range Of Possible Frauds
Anthem victims have already reported cases of tax refund ID theft. Their data was stolen last February. That’s ‘prime time’ for filing fraudulent tax returns. For many honest taxpayers, news of the fraud only arrived after legitimate tax filings bounced back as duplicates.
Unlike credit cards, victims cannot replace a SSN or DoB. It’s possible these victims will also experience fraud from payday loans, bogus utility accounts and rent-to-own agreements set up in their names. In many cases, the victims won’t discover the abuse unless their personal data is being constantly monitored. Monitoring coverage should include checks of subprime lenders such as payday loan companies.
Email addresses were also compromised. Those have a value too. If you’ve ever had your email address abused, you’ve witnessed the deluge of spam and phishing emails that can flood your Inbox. While credit card numbers weren’t part of Anthem’s breach, hackers could try some phishing emails to trick victims into revealing that data or other banking info. It’s scary to know that phishing emails do really work – up to 90% of the time according to a 2014 report [3] from Verizon Enterprise Solutions.
“The revelation (last year) that a phishing campaign of only ten messages has a better than 90% chance of getting a click was surprising to many of us,” the team wrote in its 2012 study. Those results were again confirmed for 2013.
Finally, there’s the issue of stolen health insurance ID numbers. That means this breach could become a prime breeding ground for medical identity theft, too.
What Is Medical ID Theft?
Imagine a trip to the emergency room next weekend. Imagine being told that your benefits for the year have been exhausted. That’s what medical ID theft can do.
It’s a problem that is growing at an alarming rate. According to another study by Ponemon — the Fifth Annual Study On Medical Identity Theft [4] — the number of health-related ID theft cases in 2014 increased by 22%. That’s on top of a 19% surge the previous year.
Here’s how it works: Someone uses your health insurance data to obtain services or prescription drugs. If you have modest policy limits, exhausting your annual benefits or yearly limit on certain procedures is entirely possible. Yet that’s not the worst element of this abuse.
When two patients use the same health ID, their medical details blend together. Ponemon’s report indicated that the average victim incurred $13,500 in bills or attorney’s fees to fight the charges and spent over 200 hours fixing their files [5]. Unlike a stolen credit card, there’s no $50 limit on your liability; you’re at the mercy of the provider if someone abuses your ID.
Damage to your health can exceed the damage to your wallet, however. The report documented cases where a patient received the wrong drugs, experienced a delay in receiving care or was ordered the wrong treatment due to data contamination in the file. Some patients received an entirely wrong diagnosis as a result. This sort of medical identity theft could create mistakes in your history, including blood type and known drug allergies. Some victims even reported losing their employment as a result of medical ID theft.
The Value Of Health Records Is Clear
Symantec recently documented that healthcare data breaches accounted for 37% of all losses in 2014 [6]. This year will top that figure. It’s clear why hackers want these health-related files; they’re packed with data that can be monetized easily in numerous ways.
Ready to fight back?
If you’re part of a breach like Anthem’s or Community Health Services’ hack in 2014, you should be vigilant in monitoring your SSN and other personal data. Also check your health insurance statements (EOBs) carefully for errors, tests you never received and other red flags.
If you’ve escaped the recent rash of health data breaches, it’s wise to limit what you share and ask your providers to delete data on file they really don’t need. Ask whether their files are encrypted; technology can limit the reuse of stolen data but many providers have been slow to adopt encryption.
For decades, doctors and hospitals have requested SSNs and other personal data you can’t replace. As a patient, you probably provided it without a second thought, but that time has passed. Instead, ask if your SSN is really needed (it’s usually not) or ask how long the provider will retain that copy of your driver’s license they just made. Increasing awareness of the need to secure your personal data is everyone’s job. Inquiries now could save you a data-induced headache later.
If you’ve experienced medical identity theft or a health care breach, send your story to firstname.lastname@example.org. Your case study could help others avoid similar headaches.
1. Ponemon: http://www.ponemon.org/blog/criminal-attacks-the-new-leading-cause-of-data-breach-in-healthcare
2. Anthem Breach Blog: https://www.anthemfacts.com/pdf/Revised+Subsitute+Notice+(5-7-15).pdf
3. 2014 Verizon DBIR report: http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf
4. Ponemon Fifth Annual Study On Medical Identity Theft, April 2015
5. Fifth Annual Study on Med. ID Theft, pg. 2.