It is almost a weekly occurrence that a company announces they have suffered a data breach. Oven the numbers, in the millions, are difficult for us to wrap our heads around. Besides this, the cost to the individual affected by such a breach can be hidden within the sheer scope of these large numbers. When financial data is stolen such as credit card numbers and other account information, hackers can either use the data to clone cards and make fraudulent purchases. Or they can sell the data on Dark Web platforms so others may do the same or commit identity theft. What of personal information relating to an individual’s healthcare and medical history?
In 2018, this publication covered the data breach affecting SingHealth where 1.5 million patients’ medical records were leaked including the president of Singapore. Earlier this year we also covered who might be responsible for the breach and subsequent leak of information. This all begs the question as to why do hackers want this information. Medical data can include any and all data relating to past and present health conditions, pharmacy prescriptions, hospital records, insurance details, and online medical account credentials. Unlike with financial data, it would appear on the surface that other than for blackmail purposes there is little that can be done with such information.
A new report published by Carbon Black examines how hackers use medical information for their own gain. Hackers are actively selling such information on Dark Web marketplaces. Such information is demanding high prices and is clearly in demand. The most expensive offering on these marketplaces is information relating to providing information which can be used to forge a medical background, an alarming prospect given the harm which could be done when someone who has not qualified, poses as a medical professional. Such information can be used in the real world to forge insurance documents, medical diplomas, doctor licenses, and DEA licenses. Such information has been seen going for 500 USD per listing.
The report went on to state how such information can be used by the buyer,
“A hacker compromises the corporate network of a healthcare provider to find administrative paperwork that would support a forged doctor's identity. The hacker then sells to a buyer or intermediary (who then sells to the buyer) for a high enough price to ensure a return on investment but low enough to ensure multiple people buy the item. The buyer poses as the stolen doctor's identity and submits claims to Medicare or other medical insurance providers for high-end surgeries.”
The report also detailed the discovery of numerous forgeries available and for sale. For between 10 USD and 120 USD per record, you can buy fake prescriptions, labels, sales receipts, and stolen healthcare cards. For just over three dollars listings for stolen health insurance information could be purchased which could be used to make fake claims at the cost of the victim. When it comes to personal health information, of which there are mass dumps for sale online, the company says that these records may be worth up to “three times as much” as standard personally identifiable information (PII).
Legislation across the globe defined as both sensitive and non-sensitive information which can be used to identify an individual. Non-sensitive can be seen as easily gathered from public records, phone books, corporate directories, and websites. Sensitive, of which medical records most certainly form part, can be seen as information potentially resulting in harm if leaked during a breach compromising the individual’s privacy.
Medical information can earn the hacker three times as much due to its immutability. Such records are seen as not been prone to change. Financial data, such as credit card details can easily be changed through the issuing of a new card and that cards have expiration dates. Medical records do not change rather just added to over time. It is not only hackers and cybercriminals who are after such records. Nation-state actors can use the data in order to compromise and extort individuals who may be deemed high-value targets. The report also included a survey based on interviews with a number of CISOs and healthcare organizations. According to the research, 66 percent of organizations said cyber attacks have become more sophisticated over the past year, and aside from data theft, 45 percent of companies said they've encountered attacks which are focused on information destruction in the last 12 months.
What to do if you’re a victim of a medical breach?
In an article published by Experian details indicators of compromise seen by the US Federal Trade Commission which may help individuals determine whether they may be the victim of such a breach. These include:
- A bill or statement of benefits showing medical services you did not receive
- A call from a debt collector about a medical debt you do not owe
- One or more medical collection notices on your credit report that you do not recognize
- A notice from your health plan or insurer saying you reached your benefit limit
- A denial of insurance because your medical records show a condition you do not have.
If you suspect that you are a victim of misuse of your medical records it is advised that you perform a credit check with reputable organizations within in your region. Further individuals can often place fraud alerts and freezes on compromised accounts to prevent any further misuse of the account. Further, individuals should pay attention to activity on your medical financial accounts, such as a Healthcare Savings Account (HSA) or a Flexible Spending Account (FSA) or other similar schemes, where a hacker could withdraw money once they grab your personal information.