Hackers have found a lucrative target that promises only to grow with time—health care records. The scale of the data stolen in just the first four months of 2015 dwarfs previous years’ totals, indicating that this problem is going to get much worse before the industry can get a handle on it.
According to the Office for Civil Rights at the U.S. Department of Health and Human Services, the records of 92 million individuals have been compromised by hacking or for IT-related reasons in 2015, as opposed to approximately 2 million people in all of 2014. Even without the February 2015 breach of Anthem Blue Cross and Blue Shield data, which accounts for about 80 million compromised records, this year is way ahead of previous years. The Ponemon Institute, a research center dedicated to information security, estimates that data breaches in 2015 could cost the healthcare industry more than $5 billion.
With more and more practices implementing electronic health records, the enormous pool of personal information available online is too attractive for hackers and thieves to pass up. Health care information is a treasure trove for thieves. Unlike credit card information, health records contain permanent identifying information, such as Social Security numbers and birth dates, which are easier to sell over a longer period of time. Just the basic information on the front and back of a health insurance card can fetch $20 on the black market. Full health care records are far more valuable: with SSNs, birth dates, street and email addresses, phone numbers, and payment information, a thief can steal a person’s entire identity to access medical services, bank accounts, and prescription drugs, and to defraud insurers and government programs. Each health care record, if accompanied by bank account information and false documents, can be sold for as much as $1,300.
Compounding the problem is the typically months-long lag time between data breaches and discovery of those breaches. It is fairly easy to miss the significance of a few days’ worth of unusual traffic on a network even if IT professionals are looking for it. Small hospital systems and physician offices often assume they are too insignificant to be worth a hacker’s notice and so do not police data access as diligently as they should or perform regular self-audits. In fact, they may never realize that data have been stolen.
Meanwhile, the hackers are busy creating as full a picture of individuals as they can and selling those dossiers on the black market. Children can be especially affected, as they may not realize their information has been hijacked until they apply for health or life insurance. By then, the original source of the data breach may be impossible to track down and the thieves have had years to submit false claims. The burden to resolve the issues associated with the data theft then falls on the victims, who can spend many thousands of dollars on clearing up the problem.
Worse than the blow to victims’ financial well-being is the danger stolen health care records pose to patients’ health. If false claims have been submitted and prescriptions obtained in someone’s name, that information becomes part of the electronic health record. When that person seeks medical care, the physician could be basing the diagnosis and treatment on an incorrect medical history.
The best defense against data breaches has been and will continue to be vigilant employees trained in proper security procedures, says Experian. It notes that 59 percent of security breaches in all industries in 2014 were attributed to human error and corrupt employees. That means that all the investment in the world in anti-malware and monitoring programs will miss nearly half of the threats to secure data.