The reason healthcare records are so valuable to cyber thieves is quite simple: health records never die. Unlike credit cards, which can be cancelled and replaced quickly after a breach, health records cannot be cancelled. They are with you forever. Health records are the gift that keeps on giving, which is why their street value to a hacker is many times the value of a credit card number.
The impact on the patient can be devastating, both economically and physically. The information contained in these records can enable a data thief to obtain multiple fraudulent credit cards and other forms of credit in the patient’s name, seriously damaging the patient’s credit rating. The records can also allow a data thief to obtain medical treatment using the patient’s information as their own, which can have enormous, life-threatening consequences for the patient. The medical treatment the data thief receives can be commingled with the patient’s legitimate health information, which could result in the patient receiving incorrect medical treatment when needed. This could lead to serious complications or even death. Patients can also have their healthcare insurance policies cancelled by their carriers, or see their premiums escalate, because the illegal medical treatment the data thief received is now on record as the patient’s. Data thieves can also use the patient’s health information to obtain prescription drugs that can be sold on the street.
The HITECH Act has changed the landscape for better and for worse. It provides incentives to physicians and healthcare providers who implement the “meaningful use” of an Electronic Health Record system. It is only as good as the safeguards the medical community has put in place to protect patient healthcare data. Unfortunately, not all physicians or healthcare providers are following the federally mandated guidelines, and the data thieves are well aware of this fact. They will keep trying to access patient healthcare information maintained by physicians and healthcare providers, looking for those that have been asleep at the wheel or lax in implementing the safeguards. Other factors to consider are unintentional breaches of patient data by healthcare workers/employees and lost or stolen laptops or backup tapes that are not encrypted and that contain patient information, including Social Security numbers, medical conditions and names.
As long as all of these issues exist, data thieves will increase their efforts to take this information. It is too profitable for them to ignore, and physicians and healthcare providers are relatively soft targets.