Medical Data Worth More on Black Market Than Credit Cards
September 26, 2014 in News
Patients’ medical information is worth about 10 times more than credit card numbers on the black market, and medical identity theft often is harder to recognize, according cybersecurity experts, Reuters reports (Humer/Finkle, Reuters, 9/25).
Last month, FBI issued a flash alert warning to health care organizations that they are being targeted by hackers.
In the notice, the FBI said the agency “has observed malicious actors targeting health care-related systems, perhaps for the purpose of obtaining protected health care information and/or personally identifiable information.”
The alert came days after Community Health Systems announced that an external group of hackers attacked its computer network and stole the non-medical data of 4.5 million patients.
The CHS incident is the second largest HIPAA breach ever reported and the largest hacking-related HIPAA data breach ever reported (iHealthBeat, 8/21).
Security Experts Weigh In on Patient Data Theft
In interviews with Reuters, nearly a dozen health care executives, cybersecurity investigators and fraud experts explained the appeal of health care data for cyber criminals.
Don Jackson — director of threat intelligence at PhishLabs, a cybercrime protection company — said that stolen health credentials can be sold on the black market for $10 each, or about 10 or 20 times more than the price of a U.S. credit card number.
Experts say medical data thieves are most interested in:
- Billing information;
- Birth dates;
- Diagnosis codes; and
- Policy numbers.
They note that thieves can use such data to:
- Create fake IDs to purchase medical equipment or prescription drugs that they can resell; or
- File false claims with insurers by combining a patient number with a false provider number.
According to Reuters, medical data theft is not as easy to identify as credit card theft, meaning thieves have more time to reap benefits. For example, many patients do not discover their medical data have been stolen until after unpaid bills using a patient’s medical ID has been sent to a debt collector who contacts the fraud victim to seek payment (Reuters, 9/24).