The Dark Overlord (TDO), in the mainstream news with dumping unseen Netflix program episodes on illegal file-sharing sites and demanding ransom (Guardian), also has been hard at work dumping PHI hacked from various clinics. DataBreaches.net tallied it at 180,000 records from at least nine medical clinics.
Health data security developer/provider Protenus, whose Breach Barometer tracks the numbers, counted 2.1 million breaches in 1st Quarter. March spiked with 700,000 coming from Commonwealth Health Corporation of Kentucky.
Our standby Privacy Rights Clearinghouse counted over 175,000 to date, but 160,000 came from MedCenter Health in Protenus’ total, so their net addition was 15,000. But PRC’s detail illustrates that ransomware is alive, well, and invading smaller healthcare organizations. Other reasons are unauthorized data server access, third-party vendors, email error, and theft.
It was not that many years ago that there was no confidentiality rules or laws about healthcare data. Then when a very dangerous STD began to spread rapidly, and those that were infected began to be discriminated against, and insurance companies would refuse coverage based on past medical history, that privacy laws came into effect and HIPAA regulations resulted.
Now, no one asks what is the real danger of someone’s medical information not being private. If insurance companies could not refuse coverage for preexisting conditions, which was beginning to happen, it becomes solely a personal preference to keep personal information private. But it is not just a personal preference, it is the vigorously enforced law of the country.
The other side of that coin means you cannot know if your children are in school with unvaccinated schoolmates. Or if your fellow workers are infecting you with a contagious disease.
What does a hacker do with a person’s medical record anyhow? Who would they sell it to? What they can do is hold up the company they hacked for ransom as there will be huge fines issued by the HIPAA “police” if they expose the hack. Maybe the only reason we have health record hacking is because HIPAA rules bring about fines for the breeches, and paying ransom will cost less than the fine.
A point to ponder.
Hi John, and thanks for your incisive as always POV. What hackers pick up from medical records are things like name, address, method of payment, often SSI, and almost always DOB. They then can sell that info or combine it with other info to steal identities, which is what I have heard happens. Who they sell it to? International criminal networks love this info. My thought is that they get one payment for returning the keys to the system to the hospital organization, and another because they copied the info. But that is my sincerely suspicious Sicilian mind!