Data breaches at healthcare organizations have become common in recent years. But what do hackers want with your health information, anyway?
Usually, hackers break into providers’ networks looking for a ransom, doing things like locking the provider out of its own computer systems or threatening to release its data online. But they are also looking for patient data.
Healthcare records have personal information that hackers are always eager to grab, like addresses and credit-card numbers. But the records also hold an array of private information about patients, ranging from insurance-policy numbers to medical conditions to medications—data that lets crooks scam insurance companies and Medicare and Medicaid, leaving patients exposed to steep financial and medical risk.
“They give hackers a full picture to commit insurance fraud, identity theft or other malicious activity in the future,” says John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association, a trade organization that represents 90% of the hospitals in the U.S.
What’s more, the theft of health records can have a longer-lasting impact on victims than ordinary financial fraud or identity theft, because misuse of the information in those records is harder to detect and more challenging to correct.
“If your credit card gets compromised, your bank will alert you, cancel it and send you a new one,” says Geetha Thamilarasu, an associate professor of computing and software systems in the School of STEM at the University of Washington Bothell. “But your medical records have a long lifespan. They can be misused without detection for long periods of time, because it’s harder to identify malicious activity. That makes them very valuable.”
According to the U.S. Department of Health and Human Services Office for Civil Rights, 725 data-breach incidents that exposed 500 or more health records were reported in 2023, up from 720 in 2022. In February, Change Healthcare reported a giant hack that may have affected as much as one-third of the U.S. population, according to Andrew Witty, chief executive of parent company UnitedHealth Group.
Once a healthcare record is stolen, it often ends up being sold on the dark web, the hidden corners of the internet where illicit transactions take place. An individual health record can sell for $500 to $1,000, says Thamilarasu, compared with the $1 to $2 that Social Security numbers reap.
With a patient’s personally identifiable information and healthcare records, “a bad guy can log into an individual’s account, spoof their identity, then monetize that information in a variety of ways,” says Rahul Telang, a professor of information systems at Carnegie Mellon University’s Heinz College.
Criminals might, for instance, file for insurance benefits and reimbursements from private insurers or Medicaid and Medicare, Telang says, and have those checks sent to the new address. They can also get the system to generate illicit prescriptions for healthcare devices or controlled substances, which both have high resale value, he says.
These frauds may take months or years for the average patient and the insurer to discover, and may lead to a host of problems. Insurers may raise people’s premiums to cover the major costs of correcting fraud that stems from prior hacks.
This kind of scam doesn’t just hurt people financially; it can introduce further headaches down the road. Victims of medical-identity theft may be denied coverage in the future because their records show they have a condition they don’t actually have. Or they may be told they have reached their limit on benefits. Correcting the bogus information is difficult, since healthcare providers and insurers often have convoluted systems for amending records, and these systems mostly don’t “speak” to each other.
Criminals might also use patient records to pretend to be healthcare providers, leaving patients owing money. For instance, the crooks might pose as a provider and bill insurance companies for costly devices and other reimbursable medical services, says Thamilarasu. The deductibles or copays for services never rendered are then billed to patients, who may not recognize them as fraudulent.
“The bad guys figured out if they keep the billing under a certain dollar amount, they can fly under the radar for a long while,” Riggi says.
Hackers have also been known to use stolen medical records to create convincing spearphishing emails or phone or video calls, posing as legitimate healthcare providers asking patients to pay a bill, release their password or give further personal data, experts say. “This is an area where AI can quickly multiply how many people the bad guys hit and how crafty those targeted messages can be,” says Telang.
A less-common use for hacked medical records is blackmail, says Riggi. Hackers might threaten to release a person’s records to an employer or to the world at large if they don’t pay a ransom. “You don’t want another person to know if you’re having mental-health issues or if you’re pregnant,” says Thamilarasu. “You don’t want that data to be out there.”
For the most part, individual patients don’t need to worry about crooks selling their stolen health records to insurers or to marketers. The Health Insurance Portability and Accountability Act allows data brokers to buy and sell certain patient health information only if it has been de-identified, with patients’ identifying details stripped out. Data obtained by criminals, of course, won’t meet those guidelines.
“Insurance companies would get in a lot of legal trouble,” says the AHA’s Riggi, “and marketers can find information on your interests and purchasing practices legally based on publicly available data and search history.”
To prevent fraud, patients should take the same precautions with their medical information as they would with any sensitive online data. They should use multifactor authentication to access medical records, for instance, and should never click on suspicious links.
People should also keep an eye on their medical bills as closely as they would credit-card bills. The Federal Trade Commission says people should watch for warning signs such as getting bills for medical services they didn’t receive or being told by their health plans that they have reached their benefit limits.
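The provider-impersonation pattern described above (claims for services never rendered, kept small enough to avoid scrutiny) and the FTC advice to monitor bills both come down to reconciliation: compare what an insurer says was billed against what the patient actually received. The script below is an added illustration, not code from the article or from any of the organizations quoted. The visit log and explanation-of-benefits (EOB) claims are constructed sample data, and the dollar threshold, date tolerance and repeat count are assumed tuning values, not figures the article gives.

```python
"""Reconcile explanation-of-benefits (EOB) claims against a patient's own visit log.

Added illustration, not code from the article. Flags claims the patient has no
matching visit for, and providers that submit several small unmatched charges,
the "stay under a certain dollar amount" pattern. All data below is constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed visit log: the visits the patient knows they actually had.
VISITS = [
    {"date": date(2024, 3, 4), "provider": "Lakeside Family Clinic", "service": "office visit"},
    {"date": date(2024, 6, 18), "provider": "Lakeside Family Clinic", "service": "lab panel"},
]

# Constructed EOB claims as an insurer might list them. C2 is dated one day after
# the visit (common); C3-C6 are monthly device charges the patient never ordered.
CLAIMS = [
    {"id": "C1", "date": date(2024, 3, 4), "provider": "Lakeside Family Clinic", "service": "office visit", "billed": 185.00},
    {"id": "C2", "date": date(2024, 6, 19), "provider": "Lakeside Family Clinic", "service": "lab panel", "billed": 240.00},
    {"id": "C3", "date": date(2024, 7, 2), "provider": "Northgate DME Supply", "service": "CPAP supplies", "billed": 95.00},
    {"id": "C4", "date": date(2024, 7, 30), "provider": "Northgate DME Supply", "service": "CPAP supplies", "billed": 92.00},
    {"id": "C5", "date": date(2024, 8, 27), "provider": "Northgate DME Supply", "service": "CPAP supplies", "billed": 98.00},
    {"id": "C6", "date": date(2024, 9, 24), "provider": "Northgate DME Supply", "service": "CPAP supplies", "billed": 97.00},
]

# Assumed tuning values (not from the article).
DATE_TOLERANCE = timedelta(days=3)  # claim dates often lag the visit by a day or two
SMALL_CLAIM = 100.00                # a charge below this counts as "small"
REPEAT_LIMIT = 3                    # this many small unmatched claims from one provider triggers a flag


def matches_visit(claim, visits):
    """True if some recorded visit has the same provider and service within the date tolerance."""
    return any(
        v["provider"] == claim["provider"]
        and v["service"] == claim["service"]
        and abs(v["date"] - claim["date"]) <= DATE_TOLERANCE
        for v in visits
    )


def unmatched_claims(claims, visits):
    """Claims with no corresponding visit: candidates for 'services never rendered'."""
    return [c for c in claims if not matches_visit(c, visits)]


def low_and_slow_providers(claims, small=SMALL_CLAIM, limit=REPEAT_LIMIT):
    """Group small claims by provider and keep providers at or above the repeat limit."""
    by_provider = defaultdict(list)
    for c in claims:
        if c["billed"] < small:
            by_provider[c["provider"]].append(c)
    return {p: cs for p, cs in by_provider.items() if len(cs) >= limit}


def review(claims, visits):
    """Run both checks and summarize what the patient should dispute."""
    unmatched = unmatched_claims(claims, visits)
    suspicious = low_and_slow_providers(unmatched)
    return {
        "unmatched_ids": [c["id"] for c in unmatched],
        "flagged_providers": {p: [c["id"] for c in cs] for p, cs in suspicious.items()},
        "flagged_total": round(sum(c["billed"] for cs in suspicious.values() for c in cs), 2),
    }


if __name__ == "__main__":
    result = review(CLAIMS, VISITS)
    print("Claims with no matching visit:", ", ".join(result["unmatched_ids"]))
    for provider, ids in result["flagged_providers"].items():
        print(f"Repeated small charges from {provider}: {', '.join(ids)}")
    print("Total to dispute:", result["flagged_total"])
```

Two design points carry over to any real use. A claim that is off by a day or two from the visit is matched rather than flagged, because billing dates routinely lag service dates and a tool that cries wolf on every claim will be ignored. And the repeat-count check runs only over unmatched claims, so a legitimate provider that bills many small, documented services is not flagged.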
While individual vigilance is important, systemic reforms are critical to addressing the root causes of healthcare breaches, says Parham Eftekhari, founder and chairman of the Institute for Critical Infrastructure Technology, a nonprofit, nonpartisan think tank. Many healthcare organizations use third-party partners, which means that patient records aren’t stored just at the hospital, but potentially with dozens of other service providers, Eftekhari says.
“That offers more opportunities for the data to be stolen due to nonmalicious workers with poor or no training, or due to criminal activity. It also means the hospitals rely on their partners’ security measures, over which they have less control,” he says.
More than 85% of healthcare records are stolen from third parties and nonhospital providers, according to Riggi’s own analysis.
Policymakers, too, have a role to play. Stricter standards applied to the entire healthcare sector, including third-party providers, could motivate healthcare organizations to invest in preventive measures rather than responding reactively after a breach occurs, says Eftekhari.
“Policymakers also need to ensure that laws intended to improve data security do not inadvertently add complexities with regard to breaches and threats when it comes to information sharing between public and private sectors,” he says.
Moreover, adds Riggi, not all hospitals, such as those serving low-income and rural areas, have the resources to comply with ever-stricter regulations. Fixing the pervasive hacking problem will require creative solutions.
There are some signs things are improving. To maintain customer trust, hospitals have tried hard in recent years to lock down their networks. “Hospitals have been hardening their systems to make it more difficult for outsiders to infiltrate them,” says Telang. They can do this by segmenting networks, encrypting data, enabling multifactor authentication and implementing other data-loss prevention strategies.
“They are hiring more IT people, spending more money and training all staff,” says Telang. “And it’s gotten better.”
Heidi Mitchell is a writer in Chicago and London. She can be reached at [email protected].
2024-12-03T15:03:14Z