When we think of data breaches, the ones that jump to mind are those that affect us most immediately, directly and monetarily: financial data breaches. The Capital One data breach, one of the biggest data breaches ever, exposed the personal information of approximately 100 million customers and credit card applicants. These breaches add fuel to the fire, given that many of us have experienced fraudulent credit card charges. Yet this knee-jerk reaction obscures the fact that healthcare has become the most breached and attacked industry. The black-market value of a medical record is significantly higher than that of other types of records.
The Cost of Breached Records
While social insurance numbers are worth approximately $1 and credit card numbers approximately $100, medical records can fetch as much as $1,000 on the black market. The higher black-market value of medical records is mirrored by the cost that breaches impose on the breached organization. While the average breached record costs companies $150, the healthcare sector averaged $429 per record. In terms of total cost per breach, healthcare averaged $6.45 million, while the second-place financial sector averaged $5.86 million.
Why is the black-market value of medical records so high? Why is it higher than seemingly more obvious ways of profiting from hacking? Healthcare systems hold a large volume of records, each of which can be exploited for a longer period of time and at a greater profit; two common examples are insurance fraud and identity fraud. And the cherry on top: these records are often guarded by weaker security controls, which makes them easier to breach, and the breaches often take longer to be discovered.
The Sensitive Information at Stake
To begin with, healthcare providers can hold hundreds of thousands or even millions of medical records in one place. In the American Medical Collection Agency breach in 2019, hackers gained access to more than 25 million patient records. But beyond the quantity held in one location, the quality and variety of information contained in a medical record is greater than in other types of records.
When someone steals credit card information, they gain only one monetizable piece of information, and one with a short shelf-life. Card issuers quickly alert customers to abnormal charges, cardholders frequently check the purchases on their statements, and any fraudulent use stops once the card is cancelled and reissued. Medical records, by contrast, contain a plethora of personally identifiable information, much of which cannot be reissued: a date of birth, a social insurance number or a diagnosis stays valid for life. This information can be monetized in less readily detectable ways.
Medical records include different combinations of the following: names, dates of birth, current and previous addresses, phone numbers, emergency contact information, social insurance numbers, insurance and policy numbers, billing and payment information, and medical histories, including diagnosis codes, medications, and possibly even genetic information such as a DNA profile.
Black-Market Use of Medical Records
Because medical records contain so much information, they turn a profit on the black market in several ways. To begin with, the information can be broken up and sold as components; for instance, hackers might simply sell off or use the billing and credit card information for a quick profit. The additional information in a medical record can prove more profitable over a longer period through insurance and medical fraud. Hackers use this information themselves, or sell it to other fraudsters, to set up fake medical clinics that file fraudulent insurance claims. Stolen medical identities are also used to purchase drugs or medical equipment, or to file other forms of fraudulent claims, and are sometimes sold to people without coverage who need surgeries or other procedures. The procedures are then billed to the victims of the medical record theft.
In these situations, the fraudulent activity can go on for months or years without being detected, particularly given the move to "pay-and-chase" insurance systems, in which insurers pay out claims quickly with little up-front oversight and investigate fraudulent use after the fact. Victims often don't find out that their medical records have been misused until debt collectors appear at their door. In one case, a man's medical records were stolen in a breach of a major hospital chain. His information was used for a heart procedure and the purchase of a mobility scooter and other medical devices. He didn't find out until tens of thousands of dollars in claims were charged to his insurance.
The high black-market value of medical records makes them an ideal target for hackers. But how do hackers breach healthcare security systems? In our next installment, we’ll turn to the patterns used to breach medical records.