Home Tell a Friend! Contact ICFE Link Exchange Search ICFE Subscribe ICFE About the ICFE
ICFE News Releases ICFE in the News Children and Money Financial Education Personal Financial Counseling with Paul S. Richard, RFC Credit Card Tips Credit File Correction Mending Spending Links and Resources Order Options

ICFE eNEWS #16-21 - July 10th 2016

Medical Records Bring a Premium Price on the Dark Web

By Yan Ross, Director of Special Projects, ICFE

By any measure, there has been an epidemic of data breaches involving medical records in the United States. According to reports from both public and private sources, the Personal Health Information (PHI) files of nearly half of all Americans have been affected.*

What attracts hackers to focus on medical records, as opposed to credit cards or other personally identifiable information? They must have been reading up on Willie Sutton, the infamous bank robber who famously said, in response to the question of why robbed banks: "That's where the money is."

While it's true that the money may be in banks, in today's marketplace, even more valuable information for re-sale appears to be in the medical records of an unsuspecting public.

How valuable are medical records? It depends on which source is reporting. A diligent search of internet sites shows a broad range of estimates, anywhere from $60 to $450 for a complete profile including sensitive patient information. Of course, since it's a "black market," the accuracy of this pricing information is by its nature uncertain. Credit card accounts, in contrast, may bring only $10-20 per record in bulk amounts.

There are various apparent reasons for this disparity. Chief among them are the deeper experience and lesser exposure financial institutions have than medical facilities in dealing with these threats. Credit cards and bank accounts can be cancelled and replaced almost immediately, while medical records tend to be much more complicated and difficult to start fresh. Actions of third parties, such as insurance companies, are also much more likely with medical issues than financial ones. Very large costs for fraudulently obtained medical services are common.

Reports indicate that the trade in medical records is carried out through relatively inaccessible channels, such as the "dark web," where encryption and restricted access prevent effective monitoring and prosecution by law enforcement. Payment systems such as Bitcoin are also used, to avoid detection and intervention.

Given the inability to recapture the "horse once it has left the barn," the most effective means of responding to this challenge is prevention.

For the holders of Personal Health Information, mainly providers of medical services and others with legitimate access such as insurers, appropriate security measures are well documented. These include staff training and awareness, hardening physical and digital storage and transmission of patient information, compliance with HIPAA and related law and regulation, and regular reviews and updates of relevant policies and procedures.

For consumers, appropriate responses tend to be reactive rather than pro-active. It is reported that most of the parties whose medical records are breached have not even accessed their own medical records, and first learn by notification of the breached organization.

It's even worse to find out at the emergency clinic or operating room, when it comes to light that the patient has erroneous information in his or her medical record. This is sometimes referred to as the "medical identity theft that can kill you," when the diagnosis is skewed by a medical record containing indication of a surgery that was performed previously - though on someone else who was using the victim patient's medical insurance.

In the event of a breach notification, it is important to read the terms carefully. It is common for the breached organization to offer the consumer free enrollment in an identity theft monitoring and remediation service. Where medical records are involved, the service should include monitoring medical information as well as credit records.

In order to assure assistance and avoid being precluded from making any claims for actual damages from the breach, it is highly advisable for the consumer to register with the offered service. The consumer may think of this registration as a carrot and a stick: the positive aspect is receiving the monitoring and remediation service; the negative is suffering a loss with no remedy.

Taking the appropriate steps to manage the risk of medical identity theft will work as a deterrent to identity thieves as well: if they find you are prepared to defend the confidentiality of medical records, they will likely move on to find easier pickings and leave you alone.

More information is posted online.

* More than 113 million medical records were hacked in 2015 alone, according to data compiled by the Health and Human Services. A newly released report from the Institute for Critical Infrastructure Technology, a cybersecurity think tank, found that some 47% of Americans have had their medical record hacked in the past 12 months.

The ICFE's Certified Identity Theft Risk Management Specialist ® XV CITRMS® course is now available both in printed format and online.

The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students available. Inquire at yan.ross@icfe.info

Yan Ross Bio PhotoYan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.

Paul S Richard PhotoICFE eNEWS is available FREE upon request by visiting our Web site and filling out the contact form, and selecting "Yes" for "Add to Mailing List. Please pass this eNEWS on to your peers and interested others and invite them to subscribe for free. Also, visit the ICFE's new Web site: StudentDebtHelp.org

Sent by:

Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)

About the ICFE:

The Institute of Consumer Financial Education (ICFE) was founded in 1982 by the late Loren Dunton (creator of the Certified Financial Planner (CFP) designation).  The ICFE is dedicated to helping consumers of all ages to improve their spending, increase savings and use credit more wisely. 
The ICFE is an award winning, nonprofit, consumer education organization that has helped millions of people through its education programs and Resources. It publishes the Do-It-Yourself Credit File correction Guide, which is updated annually. The ICFE has distributed over one million Credit/Debit Card Warning Labels and Credit/Debit Card Sleeves world wide.

The ICFE became an official partner with the Department of Defense/Financial Readiness Campaign in June of 2004.The ICFE was an active partner in the California Student Debt Resource Awareness Project (CASDRAP) which resulted in a new web site: (studentdebthelp.org).  CASDRAP disbanded in 2010, shortly after the web site project was completed.  In 2011 the ICFE assumed the single sponsorship of the (studentdebthelp.org) web site and is now responsible for its content and operation.

The ICFE is also an on-line help for consumers who spend too much.  ICFE's spending help was featured in PARADE Magazine in the Intelligence Report section. The money helps and tips are from the ICFE's Money Instruction Book, our course in personal finance.

Visit the ICFE's other web sites at: www.financial-education-icfe.org and studentdebthelp.org.  Both sites helps consumers and students with mending spending, learning about the proper use of credit, budget and expense guidelines, how to set up and implement a spending-plan and also how to access financial education courses and how to teach children about money. Other ICFE services include: Ask Mr. G,  a free eNews, and an online resource center for students, parents and educators, plus financial education learning tools and a book store.

Home ] ICFE News Releases ] ICFE in the News ] Children and Money ] Financial Education ] Resource Center ] Credit Card Tips ][ Credit File Correction ] Mending Spending ] Links and Resources ]  [ Online Store ]


Copyright ©  1997 - by Paul S. Richard
and the Institute of Consumer Financial Education, All Rights Reserved.
View our
Privacy Policy Our Terms and Conditions

Institute of Consumer Financial Education
PO Box 34070
San Diego, Ca 92163
Paul S. Richard, Executive Director
Phone 619-239-1401

FAX 619-923-3284

Questions for www.financial-education-icfe.org Click to go to Website Contact Us or 
Website Design Donated by Desgn School Programs

Please Tell An Associate, Friend or Family Member About the ICFE