NEW YORK/BOSTON – A person’s medical information can be worth 10 times more than a credit card number on the black market.
Last month, the FBI warned health care providers to guard against cyberattacks after one of the largest U.S. hospital operators, Community Health Systems Inc., said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cybercriminals are increasingly targeting the $3 trillion U.S. health care industry, where many companies use aging computer systems that lack the latest security features.
“As attackers discover new methods to make money, the health care industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on health care security and the CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Interviews with nearly a dozen health care executives, cybersecurity investigators and fraud experts provided a detailed account of the underground market for stolen patient data.
The data for sale include names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use these data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyberattacks on health care organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each — about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cybercrime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
The percentage of health care organizations that have reported a criminal cyberattack has risen from 20 percent in 2009 to 40 percent in 2013, according to an annual survey by the Ponemon Institute think tank on data protection policy.
Founder Larry Ponemon, who is privy to details of attacks on health care firms that have not been made public, said he has seen an increase this year in both the number of cyberattacks and number of records stolen in those breaches.
Fueling that increase is a shift to electronic medical records by a majority of U.S. health care providers.
Marc Probst, chief information officer of Intermountain Healthcare in Salt Lake City, said his hospital system fends off thousands of attempts to penetrate its network each week. So far it is not aware of a successful attack.
“The only reason to buy that data is so they can fraudulently bill,” Probst said.
Health care providers and insurers must publicly disclose data breaches affecting more than 500 people, but there are no laws requiring criminal prosecution. As a result, the total cost of cyberattacks on the health care system is difficult to pin down. Insurance industry experts say they are one of many expenses that are ultimately passed onto Americans as part of rising health insurance premiums.
Consumers sometimes discover their credentials have been stolen only after fraudsters use their personal medical ID to impersonate them and obtain health services. When the unpaid bills are sent on to debt collectors, they track down the fraud victims and seek payment.
Ponemon cited a case last year in which one patient learned that his records at a major hospital chain were compromised after he started receiving bills related to a heart procedure he had not undergone. The man’s credentials were also used to buy a mobility scooter and several pieces of medical equipment, racking up tens of thousands of dollars in total fraud.
The government’s efforts to combat Medicare fraud have focused on traditional types of scams that involve provider billing and overbilling. Fraud involving the Medicare program for seniors and the disabled totaled more than $6 billion in the last two years, according to a database maintained by Medical Identity Fraud Alliance.
“Health care providers and hospitals are just some of the easiest networks to break into,” said Jeff Horne, vice president at cybersecurity firm Accuvant, which is majority-owned by private equity firm Blackstone Group. “When I’ve looked at hospitals, and when I’ve talked to other people inside of a breach, they are using very old legacy systems — Windows systems that are 10-plus years old that have not seen a patch.”
KPMG partner Michael Ebert said security has been an afterthought for many medical providers, whether it is building encryption into software used to create electronic patient records or in setting budgets.
“Are you going to put money into a brand-new MRI machine or laser surgery, or are you going to put money into a new firewall?” he said.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.