Your medical information is worth 10 times more than your credit card number on the black market.
Last month, the FBI told healthcare providers to guard against cyberattacks after one of the largest US hospital operators, Community Health Systems Inc, said suspected Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cybercriminals are increasingly targeting the US$3 trillion US healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit,” said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. “Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyberattacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for US$10 each, about 10 or 20 times the value of a US credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cybercrime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
The percentage of healthcare organizations that reported a criminal cyberattack had risen to 40 percent last year from 20 percent in 2009, according to an annual survey by the Ponemon Institute think tank on data protection policy.
Fueling that increase is a shift to electronic medical records by a majority of US healthcare providers.
Healthcare providers and insurers must publicly disclose data breaches affecting more than 500 people, but there are no laws requiring criminal prosecution. As a result, the total cost of cyberattacks on the healthcare system is difficult to pin down. Insurance industry experts say they are one of many expenses ultimately passed onto US citizens as part of rising health insurance premiums.
Consumers sometimes discover their credentials have been stolen only after fraudsters use their personal medical ID to impersonate them and obtain health services. When the unpaid bills are sent on to debt collectors, they track down the fraud victims and seek payment.
The US government’s efforts to combat Medicare fraud have focused on traditional types of scams that involve provider billing and over billing. Fraud involving the Medicare program for seniors and the disabled totaled more than US$6 billion in the past two years, according to a database maintained by Medical Identity Fraud Alliance.
“Healthcare providers and hospitals are just some of the easiest networks to break into,” said Jeff Horne, vice president at cybersecurity firm Accuvant, which is majority-owned by private equity firm Blackstone Group.
KPMG partner Michael Ebert said security has been an afterthought for many medical providers — whether it is building encryption into software used to create electronic patient records or in setting budgets.
“Are you going to put money into a brand new MRI machine or laser surgery or are you going to put money into a new firewall?” he said.
FOREST SITE: A rescue helicopter spotted the burning fuselage of the plane in a forested area, with rescue personnel saying they saw no evidence of survivors A passenger plane carrying nearly 50 people crashed yesterday in a remote spot in Russia’s far eastern region of Amur, with no immediate signs of survivors, authorities said. The aircraft, a twin-propeller Antonov-24 operated by Angara Airlines, was headed to the town of Tynda from the city of Blagoveshchensk when it disappeared from radar at about 1pm. A rescue helicopter later spotted the burning fuselage of the plane on a forested mountain slope about 16km from Tynda. Videos published by Russian investigators showed what appeared to be columns of smoke billowing from the wreckage of the plane in a dense, forested area. Rescuers in
POLITICAL PATRIARCHS: Recent clashes between Thailand and Cambodia are driven by an escalating feud between rival political families, analysts say The dispute over Thailand and Cambodia’s contested border, which dates back more than a century to disagreements over colonial-era maps, has broken into conflict before. However, the most recent clashes, which erupted on Thursday, have been fueled by another factor: a bitter feud between two powerful political patriarchs. Cambodian Senate President and former prime minister Hun Sen, 72, and former Thai prime minister Thaksin Shinawatra, 76, were once such close friends that they reportedly called one another brothers. Hun Sen has, over the years, supported Thaksin’s family during their long-running power struggle with Thailand’s military. Thaksin and his sister Yingluck stayed
‘ARBITRARY’ CASE: Former DR Congo president Joseph Kabila has maintained his innocence and called the country’s courts an instrument of oppression Former Democratic Republic of the Congo (DR Congo) president Joseph Kabila went on trial in absentia on Friday on charges including treason over alleged support for Rwanda-backed militants, an AFP reporter at the court said. Kabila, who has lived outside the DR Congo for two years, stands accused at a military court of plotting to overthrow the government of Congolese President Felix Tshisekedi — a charge that could yield a death sentence. He also faces charges including homicide, torture and rape linked to the anti-government force M23, the charge sheet said. Other charges include “taking part in an insurrection movement,” “crime against the
POINTING FINGERS: The two countries have accused each other of firing first, with Bangkok accusing Phnom Penh of targeting civilian infrastructure, including a hospital Thai acting Prime Minister Phumtham Wechayachai yesterday warned that cross-border clashes with Cambodia that have uprooted more than 130,000 people “could develop into war,” as the countries traded deadly strikes for a second day. A long-running border dispute erupted into intense fighting with jets, artillery, tanks and ground troops on Thursday, and the UN Security Council was set to hold an emergency meeting on the crisis yesterday. A steady thump of artillery strikes could be heard from the Cambodian side of the border, where the province of Oddar Meanchey reported that one civilian — a 70-year-old man — had been killed and