Why Hackers Seek Electronic Protected Health Information (ePHI), More So Than Credit Cards

Credit card fraud is still the most common form of identity theft in the United States, especially from online purchases.  According to a report from Javelin Strategy & Research, 15.4 million consumers were victims of identity theft or fraud which cost U.S. consumers more than $16 billion in 2016.

However, cyber criminals have found a more lucrative target.

Hackers are increasingly targeting electronic protected health information (ePHI), because they can get a premium price for this personal information on the dark web.

Sold to the Highest Bidder

Raw credit card numbers, those that are missing PIN and user information, are worth $1 or less each on the dark web. More complete credit card records that have personal information command a higher price – up to $30 each depending on the country of origin. The most valuable prize for fraudsters is someone’s medical record. Estimates vary, but in general records consistently sell for $70-$90 each. Some hackers claim to sell blocks of thousands of records and receive over $100 per individual record.

Historically, healthcare data breaches were the result of actions taken by internal staff (both accidental and intentional) but the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data in 2015 discovered that the primary reason for healthcare data breaches were due to criminal attacks.

The report states, “Employee negligence and lost or stolen devices still result in many data breaches, according to the findings. However, one of the trends we are seeing is a shift of data breaches—from accidental to intentional—as criminals are increasingly targeting and exploiting healthcare data.”

Why ePHI is So Valuable

It is estimated that our global healthcare industry will be worth $8.7 trillion by 2020. Cyber criminals are cashing in by using stolen patient data primarily for insurance fraud, medication fraud, and financial fraud.

The Identity Theft Resource Center, a U.S. non-profit that provides victim assistance and consumer education, reported there were 355 healthcare breaches in 2016 affecting 15 million records.

Information contained in a medical record is particularly useful for lucrative fraud schemes because it’s high-quality, deeply personal, and permanent. On the dark web this type of data is referred to as “fullz” (full packages of personally identifiable information). Fullz can’t easily be replaced like credit card numbers so it is more useful and provides more value to criminals.

Because the information contained in a health record is complete and comprehensive, it’s extremely versatile and it takes much longer for fraud to be detected. The information can be used in a variety of fraud scenarios.

Sometimes personal identities are stolen to receive medical care. The Ponemon Institute provides an example in which a patient learned his identity was compromised after receiving invoices for a heart procedure he hadn’t undergone. His information was also used to buy a mobility scooter and medical equipment, amounting to tens of thousands of dollars in fraud.

Why is ePHI So Vulnerable?

In response to increasing threats to patient health data and poor security, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009. The act provided a $27 billion incentive to encourage health providers to switch from paper medical records to electronic files.

The results have been disappointing. Many healthcare organizations were slow to adopt electronic files because of struggles connecting different technologies. These disparate technologies need to work together so electronic health records (EHRs) are available to the appropriate staff.

President Obama was interviewed by Vox’s Ezra Klein and Sarah Kliff on January 6, 2017 and explained this lack of interoperability was something he and his administration didn’t expect:

“We put a big slug of money to encouraging everyone to digitalize and catch up with the rest of the world here. And it’s proven to be harder than we expected, partly because everyone has different systems, they don’t all talk to each other, it requires retraining people in how to use them effectively, and I’m optimistic that over time it’s inevitable it’s going to get better because every other part of our lives, it’s become paperless.

“But it’s a lot slower than I would have expected; some of it has to do with the fact that it’s decentralized and everyone has different systems. In some cases, you have economic incentives against making the system better; you have service providers — people make money on keeping people’s medical records — so making it easier for everyone to access medical records means that there’s some folks who could lose business. And that’s turned out to be more complicated than I expected.”

As a result, hospitals and clinics have been operating, at least in part, with outdated technology, exposing them to the dangers of cyber-attacks.

Are Paper Medical Records Better?

It may be tempting to think paper medical records are a safer option but according to a recent study published in the American Journal of Managed Care, they found that paper and films were the most frequent location of breached data.

Verizon’s 2018 Protected Health Information Data Breach Report also found that 27% of data breach incidents were related to sensitive data on paper.

The Verizon report authors wrote, “Medical device hacking may be in the news, but it seems the real criminal activity is found by following the paper trail. Whether prescription information sent from clinics to pharmacies, billing statements issued by mail, discharge papers physically handed to patients, or filed copies of ID and insurance cards, printed documents are more prevalent in the healthcare sector than any other. The very nature of how PHI paperwork is handled and transferred by medical staff has led to preventable weaknesses—sensitive data being misdelivered (20%), thrown away without shredding (15%), and even lost (8%).”

The Future of ePHI

While the progress is slow, it appears more hospitals are using ePHI and beginning to catch up with the technological needs to protect it.

In 2017 the American Medical Informatics Association released a report using information from an American Hospital Association survey about hospital information technology. They measured “basic” and “comprehensive” EHR adoption among U.S. hospitals and found that 80.5% of hospitals had at least a basic EHR system.

Data breaches in the U.S. healthcare field cost around $6 billion annually. Even though the latest IBM Security/Ponemon Institute study found that in the United States, healthcare data breach costs are higher than any other industry sector, the average cost per record is decreasing. The average data breach cost per record in the healthcare industry was $380 in 2017, down from $402 the year before.