The week of April 26, 2015

The real reason hackers want your medical records

By Aaron Sankin

Last November, administrators at Clay County Hospital, a small, 18-bed facility in southeastern Illinois, got the kind of email that gives healthcare workers nightmares. An anonymous message threatened the release of more than 12,000 stolen patient records unless the hospital’s management paid a ransom to buy them back. (Citing an ongoing investigation, Bursich declined to provide the ransom amount, but noted that it was in the “thousands.”) As proof, the email included patients’ names, addresses, birthdays, and Social Security numbers, allegedly culled from the records.

Clay County Hospital marketing manager John Bursich told the Kernel that paying the ransom would have broken federal and state laws. Instead, administrators contacted the Federal Bureau of Investigation. Investigators decided the threat was likely internal—someone who worked at the hospital.

Within a few weeks of receiving the ransom email, the hospital offered free credit monitoring services to any patients potentially affected. As far as Bursich can say, the thief never released the information. At least, no one ever publicly admitted to doing so. “I think the person that did it realized that if they did they would get caught,” he said.

For now, the case has ended happily. But it’s part of a larger and growing problem: As health records are increasingly stored electronically, they’re also more vulnerable to digital theft. In a pre-digital world, the Clay County Hospital thief would have had to make off with a filing cabinet. In 2014, the same information could fit on a thumb drive. Or be hacked through a vulnerable network. Or exposed by a misconfigured Web server.

The permanence of medical data

A report by the medical research firm Kalorama Information pegs today’s electronic medical record industry at $25 billion and predicts 7 to 8 percent growth in the coming year. As more hospitals upgrade their computer systems, they’ll likely transition to electronic records, which are often touted as more efficient. But healthcare providers in the United States are also spurred by government regulations in the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which offered financial incentives for using electronic records until 2015 and will impose penalties thereafter.

As medical records have gone digital, however, identity thieves have spotted opportunity. Since 2010, incidents of medical identity theft have doubled, according to a survey conducted by the privacy-focused Ponemon Institute. And according to a recent report by the Identity Theft Resource Center, in the first four months of 2015, one third of all data breaches occurred in healthcare: 82 instances exposing over 1.7 million records. Using some back-of-the-envelope calculations, Modern Healthcare estimated that nearly one in eight Americans have had their medical records in some way compromised. It’s no wonder that the Ponemon Institute found that 68 percent of survey respondents weren’t confident their healthcare provider was taking the necessary steps to protect their information.

And while hacker attacks on healthcare providers have doubled between 2010 and 2013, according to a Journal of the American Medical Association study, digital medical records can easily proliferate as they’re copied to patients’ computers and smartphones, where they become even easier targets for thieves.

There’s a creepiness factor in imagining databases of colonoscopy records being traded online. Some might even find that more disturbing than a leaked Social Security number. (That’s one reason why, when health insurer Anthem was hacked earlier this year, exposing the personal information of nearly 80 million customers, the company tried to reassure the public that no actual medical information had been stolen.) But Eva Velasquez, president of the Identity Theft Resource Center, which receives financial support from credit-monitoring service IDT911, says the real problem is identity theft. 

“You may be personally offended that someone would know that much about your health history, the conversations you’ve had with your physician about your sex life, or that you can’t sleep at night,” Velasquez said. “But thieves can’t really monetize that unless you’re a very attractive target and there’s something they could blackmail. The data that’s valuable to them are the personal identifiers”—names, addresses, Social Security numbers, and insurance information. That info can be used to obtain credit cards or loans, commit tax fraud, or send fake bills to insurance providers.

That’s why when stolen medical records are sold on online black markets—often “carding” forums based in Russia and Eastern Europe—they can fetch high prices. When cybersecurity researchers at PhishLabs ran the data for the few medical record listings they were able to find, they discovered the average selling price is 10 to 20 times that of a U.S. credit card number. A stolen credit card is easily canceled, but the information from a medical record can be used repeatedly. For thieves, that makes it much more valuable.

“Compared to financial data, which is usually short-lived, the information in medical records tends to last a lot longer—it’s a lot more sticky,” noted Greg Virgin, the founder of cybersecurity firm RedJack, which advises companies in the medical sector on how to protect patient information. When Virgin sat down with NPR earlier this year, he found someone selling a bundle of information that included 10 Medicare numbers for around $4,700.

“I told one small company that we work with that the black market value of their patient records is actually greater than the value of their company. Much greater, in fact,” Virgin said. Holding valuable records can make companies a target for thieves; that can be a big risk, Virgin adds, especially for smaller companies, who “are just going to go out of business if they get breached.”

Digital Whack-A-Mole

Victims of medical identity theft can find it hard to restore a sense of security to their lives. There’s no centralized repository for medical records, so thieves can simply hop from one healthcare provider to the next, making one fake claim after another. It often “feels like they’re playing a game of Whack-A-Mole,” Velasquez said. 

It’s an expensive game. The Ponemon Institute survey found it cost an average of $13,500 and 200 hours for victims to rectify the consequences of medical identity theft; even then, only 10 percent of respondents said they were satisfied with the results.

It can also cost victims more than just time and money. In a recent survey conducted by the Medical Identity Fraud Alliance (MIFA), a healthcare industry trade group, 52 percent of victims said their information was used to obtain government benefits like Medicare or Medicaid. And 59 percent had their identity used to obtain healthcare, while 56 percent said a scammer parlayed their data into prescription drugs or medical equipment. 

Ann Patterson, program director at MIFA, says that kind of impersonation can corrupt a victim’s health record. “It can be things like incorrect blood type, incorrect allergy information, not the right kind of medications, conditions, or diseases that you have and the thief doesn’t have or vice versa,” she said. Patterson couldn’t offer data on how often this happens but said a corrupted medical history could lead to delays, misdiagnosis, and incorrect treatment.

The 1996 Health Insurance Portability and Accountability Act (HIPAA) and 2009’s HITECH Act established fairly straightforward rules about medical providers’ obligations in the event of a breach of patient or customer data. If it affects more than 500 people, healthcare providers must report the incident to the Department of Health and Human Services, notify all of the individuals involved, and send out a press release. If fewer than 500 people are affected, providers are only obligated to include the breach in an annual report to the government and notify the affected individuals. Yet, according to the Ponemon Institute’s survey of medical identity theft victims, only about one quarter were directly notified.

HIPAA may not cover the organizations that increasingly know everything about us: giant Internet companies. In 2008, Google Health debuted as a repository for electronic health records. According to the platform’s terms of service, “Google is not a ‘covered entity’ under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder.” Under Google’s terms, HIPAA did not regulate the transmission of health information by the company to any third party. “When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services,” the terms of service read. Rather than being bound by HIPAA, Google Health would adhere to its own “Google Health Privacy Policy, your Sharing Authorization, and applicable law.” The project was shuttered three years later.

Since then, the collection and storage of digital health data has only increased, but the law hasn’t changed. In a letter accompanying the Journal of the American Medical Association study, doctor David Blumenthal and lawyer Deven McGraw wrote: 

Congress enacted HIPAA before the Internet and before current electronic methods for recording and transmitting data existed. As a result, the law does not regulate the use of personal health information by digital behemoths, such as Apple, Google, Facebook, and Twitter, that are already collecting (intentionally or not) health-related data on patients and could become major custodians of such data in the near future. The fact that HIPAA regulates only certain entities that hold health data, rather than regulating health data wherever those data reside, seems illogical in today’s digital world.

Of course, even those entities regulated by HIPAA aren’t always the best stewards of electronic health information. Technology in the industry is often outdated and insecure; HIPAA doesn’t require that patient data be encrypted, for example, and most companies don’t bother. The combination of yesterday’s technology and plaintext records makes a tempting target for hackers.

And record keepers so far have found little impetus or inclination to beef up their security. Last August, hackers stole 4.5 million patient records from the Community Health Systems hospital chain using the Heartbleed vulnerability. The bug affected massive swaths of the Web, including sites like Yahoo, Airbnb, and Tumblr. Its discovery months earlier had sparked a major publicity campaign to get both system administrators and everyday Internet users to take the relatively straightforward steps necessary to protect themselves. Yet CHS had not patched its systems for months, leaving patient records vulnerable. Dr. Vincent Berk of network security firm FlowTraq told InformationWeek that “either [Community Health Systems] didn’t care or they’re just not qualified” to manage their systems.

RedJack founder Virgin says HIPAA provides a framework for addressing risk without offering specific guidance. “[RedJack has] gone through some of the HIPAA stuff, and we’re familiar with a lot of those policies,” he said. “Given our understanding of the advanced threats that are out there, those standards are not addressing the actual threat. They’re facilitating progress, but just following HIPAA isn’t enough to protect a company’s data.”

Patterson, the Medical Identity Fraud Alliance program director, says the medical community must work together to make all of its systems more secure. In stark contrast, the finance industry has successfully created noncompetitive spaces in which to share cyberthreat information.

“They’ll share very, very detailed information about their businesses with competitors with the goal that that competitor doesn’t get hacked in the same way,” Patterson said. “In healthcare, everybody is still doing their own thing.”

Until the industry acts together to solve the problem, individuals will have to remain vigilant. Most people realize their medical identity has been stolen by noticing errors in their health record, medical invoices, or benefit explanation letters. Knowing that medical identity theft is just as real as credit card fraud should give people a reason to scrutinize the documents from their healthcare providers as closely as they do their credit card statements. Regularly checking medical records, whether through an online portal or by asking providers directly, can help patients spot potential fraud. (Anyone with concerns should contact their providers or reach out to the Identity Theft Resource Center.)

But there’s only so much individuals can do; by the time you notice your identity has been stolen, it’s already too late. Actually preventing identity theft falls to the many companies now responsible for safeguarding patient data. And so far, their record in doing so doesn’t offer much cause for optimism.

Illustration by J. Longo