Since credit card companies and banks have made great strides in strengthening their security systems and enhancing protections for credit cards, hackers have turned their sights to more vulnerable and lucrative targets: the nation’s less optimally guarded healthcare institutions. Two other recent hacks hit Anthem Inc., the nation’s number two insurance provider, which had 80 million patient records compromised, and Community Health Systems, which had 4.5 million records exposed by hackers.
A survey of health providers published last year by the Ponemon Institute, a privacy and data research firm, reveals that roughly 90 percent of health care organizations have experienced a data breach in the past two years. Some were caused by employee mistakes or glitches with computer systems while others were criminal.
WHY ARE HACKERS TARGETING HEALTHCARE INSTITUTIONS?
1. Financial gain. Sometimes they seek to steal account information that links to databases containing banking and credit card information; other times they go after patient records only. Anthem Inc. reports its financial databases were unaffected. One security expert told The New York Times the stolen information gets auctioned off on the black market. While credit card numbers are typically sold for around $3.50, one patient medical record recently brought $251. Credit card data is easily destroyed and regenerated. Not so with personal medical records, which contain a trove of information.
2. Medical benefits. A growing number of hackers sell insurance company identification cards to people seeking free medical or dental procedures. Although doctors’ offices and surgery centers require photo identification along with an insurance card, most hacker rings have no trouble generating one. The legitimate insurance cardholder typically does not discover the theft until the insurance company mails the Explanation of Benefits and copay bill days or weeks after the procedure.
3. Traditional identity theft. Hackers can use medical and financial information to build new identities for customers who wish to apply for passports or visas and travel the world anonymously.
4. Espionage. Some hackers may be interested in connecting procedure codes to patient ID numbers, and then on to real names and Social Security Numbers, to gather sensitive health information. Anthem Inc. reports its hackers absconded with names, birthdates, Social Security Numbers, and email addresses, as well as work and income data, prompting security experts to wonder if blackmailing high-profile government officials or business leaders with embarrassing or sensitive health information was the goal.