ICFE eNEWS #16-21 - July 10th 2016
Medical Records Bring a Premium Price on the Dark Web
By Yan Ross, Director of Special Projects, ICFE
By any measure, there has been an epidemic of data breaches involving
medical records in the United States. According to reports from
both public and private sources, the Personal Health Information
(PHI) files of nearly half of all Americans have been affected.*
What attracts hackers to focus on medical records, as opposed
to credit cards or other personally identifiable information? They
must have been reading up on Willie Sutton, the infamous bank robber
who famously said, in response to the question of why he robbed banks: "That's
where the money is."
While it's true that the money
may be in banks, in today's marketplace, even more valuable information
for re-sale appears to be in the medical records of an unsuspecting
How valuable are medical records? It depends on which
source is reporting. A diligent search of internet sites shows a
broad range of estimates, anywhere from $60 to $450 for a complete
profile including sensitive patient information. Of course, since
it's a "black market," the accuracy of this pricing information
is by its nature uncertain. Credit card accounts, in contrast, may
bring only $10-20 per record in bulk amounts.
There are various
apparent reasons for this disparity. Chief among them is that financial
institutions have deeper experience and less exposure than medical
facilities in dealing with these threats. Credit cards and
bank accounts can be cancelled and replaced almost immediately,
while medical records are far more complicated and difficult
to start fresh. Actions of third parties, such as insurance companies,
are also much more likely with medical issues than with financial ones.
Very large costs for fraudulently obtained medical services are
Reports indicate that the trade in medical records
is carried out through relatively inaccessible channels, such as
the "dark web," where encryption and restricted access
prevent effective monitoring and prosecution by law enforcement.
Payment systems such as Bitcoin are also used, to avoid detection
Given the inability to recapture the "horse
once it has left the barn," the most effective means of responding
to this challenge is prevention.
For the holders of Personal
Health Information, mainly providers of medical services and others
with legitimate access such as insurers, appropriate security measures
are well documented. These include staff training and awareness,
hardening physical and digital storage and transmission of patient
information, compliance with HIPAA and related law and regulation,
and regular reviews and updates of relevant policies and procedures.
For consumers, appropriate responses tend to be reactive rather
than proactive. It is reported that most of the parties whose medical
records are breached have never even accessed their own medical records,
and first learn of the breach through notification from the breached organization.
It's even worse to find out at the emergency clinic or operating
room, when it comes to light that the patient has erroneous information
in his or her medical record. This is sometimes referred to as the "medical
identity theft that can kill you," when the diagnosis is skewed
by a medical record containing an indication of a surgery that was
performed previously - though on someone else who was using the
victim patient's medical insurance.
In the event of a breach
notification, it is important to read the terms carefully. It is
common for the breached organization to offer the consumer free
enrollment in an identity theft monitoring and remediation service.
Where medical records are involved, the service should include monitoring
medical information as well as credit records.
To assure assistance and avoid being precluded from making any claims
for actual damages from the breach, it is highly advisable for the
consumer to register with the offered service. The consumer may
think of this registration as a carrot and a stick: the positive
aspect is receiving the monitoring and remediation service; the
negative is suffering a loss with no remedy.
Taking the appropriate
steps to manage the risk of medical identity theft will work as
a deterrent to identity thieves as well: if they find you are prepared
to defend the confidentiality of medical records, they will likely
move on to find easier pickings and leave you alone.
* More than 113 million medical records
were hacked in 2015 alone, according to data compiled by the U.S. Department
of Health and Human Services. A newly released report from the Institute for
Critical Infrastructure Technology, a cybersecurity think tank,
found that some 47% of Americans have had their medical record hacked
in the past 12 months.
The ICFE's Certified Identity Theft
Risk Management Specialist ® XV CITRMS® course is now available
both in printed format and online.
The Textbook and Desk
Reference edition of the course book is also
online. Bulk pricing and discounts for veterans and students
available. Inquire at email@example.com
Ross is ICFE's Director of Special Projects, and the author of the
Certified Identity Theft Risk Management Specialist ® XV CITRMS®
course. As an accredited educator for over 20 years, he has addressed
Identity Theft Risk Assessment and management for consumers, organizations
holding personally identifiable information, and professionals who
work with individuals and organizations who are at risk of falling
victim to identity thieves.