The exploding black market in healthcare data

When medical records’ black market value is estimated at an average of $50 per record–94 percent of health care organizations have had at least one breach in the past two years–and 2 million Americans were medical identity theft victims in 2011–it’s one unpleasant ‘pointer to the future.’

[grow_thumb image=”” thumb_width=”150″ /]Data firm ID Experts studied a decade of data breaches and notes that medical data has become very attractive to professional hackers and cyber thieves. ID Experts’ full infographic.

  • First, there is so much of it with the increasing electronification of health data.
  • Second, so much of it resides on insecure or unsecured networks: smartphone, tablet, laptop.
  • Third, organizations and individuals still are only semi-conscious of fraud reality, and are negligent and sloppy when it comes to securing devices and over-reliance on the cloud without tight enterprise security. The new and underfunded health insurance ‘exchanges’ are particularly vulnerable as they, as well as other healthcare organizations, can over-rely on technology to protect data–which clever hackers can work around. Moreover, they can extract and sit on data till the trail goes cold. (Scroll down infographic to find out more). Also Ponemon Institute’s recent report in Healthcare Technology Online.

ID Experts’ study conclusions are reinforced by the California State Attorney General’s report that 55 percent of breaches “were intentional intrusions by outsiders or by unauthorized insiders” and that healthcare breaches were the third largest in reported incidents. A counter-measure may be the Medical ID Fraud Alliance, a collaboration in progress that is planned to include the Federal Trade Commission, the Secret Service and the Veterans Administration. More in (published by the American Medical Association)

Healthcare breaches due to criminal activity and plain error are becoming more common as well. All one has to do is bop over to Privacy Rights Clearinghouse, click on ‘MED’ for healthcare and 2013 and check the frequency to date (113) of breaches both tiny and huge. (By comparison, full year 2012 totaled 224.) Our TTA ‘Into The Breach’ Awards go to:  

  • The Oversharing Award goes to Oregon Health & Sciences University with 3,000 records placed on Google’s Gmail or Drive services in a frenzy of clinical info-sharing (also Modern Healthcare, free registration required).
  • The Vienna 1946 “Third Man” Award goes to the Detroit thieves who stole 15,000 x-rays warehoused insecurely by the Henry Ford Health System. While they were likely taken for their extractable silver value, the names, addresses and birth dates contained on each could be an added bonus.
  • The Eliot Spitzer Steamroller, or OMG, It’s OMIG Award goes to the Office of Medicaid Inspector General of New York, where one employee sent records to their private email address containing 17,000+ records including Social Security numbers.
  • And the winner is…. It’s Just Mulch Award for Texas Health–Harris Methodist Hospital, Fort Worth and Shred-it for relocating 277,000 old, to be shredded microfiche records to a city park where they were found by a concerned and honest citizen.

PRC also studied 43 popular health and fitness apps, both free and paid, and concluded that “Consumers should not assume any of their data is private in the mobile app environment—even health data that they consider sensitive.”–which is something we found back in March:

Our findings:

Many apps send data in the clear – unencrypted — without user knowledge.
Many apps connect to several third-party sites without user knowledge.
Unencrypted connections potentially expose sensitive and embarrassing data to everyone on a network.
Nearly three-fourths, or 72%, of the apps we assessed presented medium (32%) to high (40%) risk regarding personal privacy.
The apps which presented the lowest privacy risk to users were paid apps. This is primarily due to the fact that they don’t rely solely on advertising to make money, which means the data is less likely to be available to other parties.

Previously in TTA: VA networks breached from overseas, Healthcare data breaches show 25% fraud risk, QSing security and statistics (March), NHS data breaches and more.

Categories: Latest News.