In February, hackers gained access to 80 million patient records at Anthem, one of the nation’s largest insurance companies. The Anthem data breach was the industry’s largest to date, and it pointed to the rising trend of medical identity theft and the security vulnerability of the health care industry. As the New York Times reported, health care organizations have become a much bigger target of data theft over the past three years.
Hackers are after information like social security, insurance, and medical ID numbers, as well as personal and clinical information that could be used for medical fraud. This includes addresses, email addresses, diagnoses, and even physical characteristics – information that could let you pretend to be someone else and receive medical treatment. At Anthem, information about medical claims wasn’t stolen, but social security numbers, contact information, and medical information numbers were.
Personal and medical information is valuable because it can be sold on the black market. According to the New York Times, “complete medical records tend to fetch higher prices than credit card numbers,” as much as $250 in one instance. This dwarfs the going rate for credit card numbers, which was as low as 30 cents at the end of last year, since data breaches at big retailers like Target flooded the market.
In addition to medical fraud, information stored in health records can be used to create visas, or for insurance fraud by falsely billing for expensive procedures that were never done. Medical information could also be valuable in ransom schemes, where payment is demanded for not revealing it. Experts are even asking whether the Anthem breach could be espionage rather than theft. Federal investigators say that hackers could be searching for information on government officials or executives who publicly mask their personal information, but provide real information for health purposes.
According to a 2013 study, 90 percent of health care organizations experienced at least one data breach in the last year. The study surveyed 91 organizations and was conducted by the Ponemon Institute, a data privacy research firm. The push for digital health records hasn’t helped matters, making patient information increasingly vulnerable to theft.
Data breaches of electronic health records can happen on many fronts. In the case of Anthem, online hackers penetrated the company’s computer system, but sloppy communication can also be the problem. While there are established protocols, like encrypting patient medical records before emailing them between providers, some doctors use their personal email to send confidential information. Health care providers have sharply increased their spending on data security, but experts say they are still far behind the technology used by other industries.
While insurers, hospitals and doctors’ offices are ramping up security, experts say that data theft is a one-way trend. The New York Times spoke with Cameron Camp, a data security researcher for ESET, who said that Anthem’s incident won’t be the last attack on a health care organization. “We’re going to see that style of attack again.”