February 15, 2017

A Virtual Goldmine: Why Criminals Target Patient Data (Part 2)

Robert Lord

It is no secret that electronic health records (EHRs) are incredibly valuable. One need only look at the number of cyber attacks that target healthcare organizations as proof that those records contain extremely valuable patient information.

In the first installment of our two-part series, we explored what makes EHRs so vulnerable to criminals attacking them. Now, we are going to take a closer look at what happens after a healthcare data breach – not from the perspective of a hospital or healthcare organization, but from the perspective of the criminals and their victims. We will examine how longevity and versatility make EHRs so valuable to criminals and how this can ultimately cost the victims thousands of dollars and hundreds of hours of their time.

Better understand your organization's approach to protecting patient data by reviewing our Patient Privacy Primer - knowing where your organization is today can help you better protect patient data for the future.

A Long-Term Asset

One of the reasons electronic health records (EHRs) are so valuable to criminals is that this information contains a complete “ID kit”: everything they need to steal your identity and commit an array of fraudulent crimes. Someone who has had their credit card or bank information stolen can simply cancel the card or dispute the fraudulent charges. On the other hand, when someone has their medical information stolen, they face much more difficult challenges because of the amount of sensitive information encased in medical records that cannot be changed: diagnoses, employment history, financial information, and even sensitive family information.

Furthermore, medical identity fraud is harder to detect than credit card fraud. Oftentimes, the only way for patients to know that they have been a victim of medical identity fraud is if they hear directly from their provider or if they notice suspicious debts during a credit check. This lag in notification or discovery allows criminals more time to abuse the information, selling it repeatedly on the Dark Web and making a profit at the victim’s expense.

7 Common Forms of Illegal Activity

Criminals do not target patient data only because the information is long-lasting; they also target it because it can be used for a wide variety of illegal activities. For example, criminals can use medical information to:

  • Sell patient info repeatedly on the black market, using the profits to fund other activities
  • Obtain expensive medical equipment, prescriptions, or procedures
  • Commit tax fraud
  • Expose or blackmail specific individuals, such as politicians or celebrities
  • Receive medical care
  • Undergo surgery
  • Purchase or sell prescription or controlled drugs

Many of these uses are not mutually exclusive, so a criminal can exploit the information to buy medical equipment and then turn around and sell it to someone trying to obtain prescription drugs, compounding the profits that the criminal can make after stealing a patient’s EHR.

A Valuable Asset

Of course, because it is so long-lasting and versatile, medical information is much more valuable than other types of information. For example, a person’s EHR is worth ten times more than financial information, such as a credit card number. One of the reasons why criminals target patient data is that they can sell stolen EHRs in different packages, such as a “fullz” or a “kitz.”

A fullz is a packet that includes a person’s name, date of birth, contract or group number, type of insurance plan, deductible, and co-pay information. It can also include the victim’s social security number, addresses, phone numbers, email addresses and passwords, bank account information, online banking credentials, and credit card information.

Similarly, a kitz is a fullz dossier that also includes counterfeits of the victim’s physical documents, such as an insurance card, social security card, driver’s license, and credit card. Fullz packets cost approximately $500 when sold illegally on the Deep Web, whereas kitz can run as much as $1200.

In a time when the value of a stolen credit card number averages less than $20 on the Deep Web, it is easy to see why criminals have begun targeting people’s medical information more and more, especially because – as we discussed in the first part of the series – EHRs are so vulnerable to attack.

The Real Cost

And all of this disproportionately affects the patient. Healthcare organizations will end up spending a significant amount in the wake of a data breach, but these costs are relatively short-term compared to the long-term price victims will pay if their medical information is stolen. Indeed, victims can expect to pay approximately $13,500 in legal fees and fraudulent charges, and they can spend up to 200 hours trying to deal with the matter. This is due in large part to the fact that there are no set requirements a healthcare organization, or even the government, must meet to help victims of medical identity fraud after their EHRs are compromised.

So often, patients are lost in the bigger picture as healthcare organizations cut budgets to save money. But the stakes of not investing in proper security measures are high because electronic health records represent more than just data; they contain personal and sensitive information that, if stolen, can have a drastic effect on patients, as criminals sell their information repeatedly on the Deep Web, profiting from it for years and years – long after a healthcare organization has recovered from the breach.

Find out how prepared your healthcare organization is when it comes to protecting patient data. Knowing where you are now can prepare you for the future.
