Your Health Care Information Is Insecure — And Extremely Lucrative On The Black Market

This week, a malware attack struck Ukrainian computer systems and quickly spread to tens of thousands of machines across dozens of countries, including the U.K. and the United States. The proliferating computer virus, called Petya, raises the question ― as is often the case when data hacks, breaches and disruptions occur ― of just how safe an end user’s personal information is when it’s on a network.

It’s unclear whether the Ukrainian attackers were motivated by money or mayhem. But money is certainly the motive when it comes to what likely impacts individuals far more than a malware virus: the theft of your personal health records.

TrendMicro, an information security company, has reported that the health care sector is now the preferred target for cybercriminals. The industry, with hospitals leading the way, has been the top target of data breaches, followed by government and retail. In 2015, a total of 113.2 million health care-related records were stolen, the most ever, according to the Department of Health and Human Services.

Ed Cabrera, chief cybersecurity officer for TrendMicro and former chief information security officer for the U.S. Secret Service, told HuffPost that medical records are targeted by cybercriminals because they contain the most comprehensive data and provide multiple selling opportunities for the so-called dark web.

An electronic health record database contains personal information that does not expire ― such as Social Security numbers ― and can be used over and over for malicious intent, Cabrera said.

The cybercriminal underground can cherry-pick the various parts of protected health information records, which include medical histories, test results, health issues past and present, prescription drug use, treatments, methods of payment, home addresses, credit card numbers, health insurance information, Social Security number and birthdate. The data can get right down to the date of your last menstrual cycle.

Thieves can use stolen electronic health records to get prescription drugs, receive medical care and file fake insurance claims. They can exploit Social Security numbers to file fraudulent tax returns, open credit accounts, and obtain official government-issued documents, such as passports and driver’s licenses. They can even create new identities.

The stolen information is usually resold, either as a whole record or piecemeal, on popular dark web marketplaces, including TheRealDeal, AlphaBay, Valhalla, Apple Market, Python Market, Dream Market and Silk Road, according to the TrendMicro report.

Interested cyberbuyers may only want health insurance numbers, which sell for 99-cents each on the underground, says the TrendMicro report. Those who trade in drugs may be interested in your prescription for opioids. Having your email in combination with other proof of identity can enable a thief to have the delivery address changed for mail-order pharmaceuticals or packages ordered online. Those who engage in cyberespionage for a nation-state may pay mightily for sensitive health information about a political or corporate leader. Like any other free market, rates are based on supply and demand, Cabrera said.

Medical records also have a long shelf life. If a thief steals your credit card or bank account number, it’s useful only until the credit limit is maxed out or you report the loss and the account is closed. But some information in a medical record can provide steady long-term income for scammers, Cabrera said.

Credit card companies and banks have vastly improved their ability to protect your data, Cabrera said. Health information systems? Not so much, which makes them a better target, he said, adding that “some” improvements have been made.

The Ponemon Institute, a security research and consulting organization, said in its May 2016 annual study on health care data privacy and security that about half of all health care organizations had little or no confidence that they could detect the loss or theft of patient data, and that the majority lack the budget to secure their data. The study found that most health care organizations haven’t invested in security technologies or staff.

While cyberattacks on the health care industry may pose immediate health risks to patients, with consequences like hospitals closing and procedures needing to be rescheduled, the big concern must include data breaches, Cabrera said.

And realistically, there’s little you can do about it. “Patients are at the mercy of the organizations they interact with,” Cabrera said. If your doctor or hospital wants your driver’s license or Social Security number as a condition of treatment, you’re probably going to turn them over.

Cabrera suggested people use their real-life experience in their virtual life online. If you were traveling in a dangerous location, you would take precautions. Apply that same caution to your interactions with the health care industry. And be careful out there.