Health data breaches could be expensive and deadly

Healthcare-related data breaches could not only be expensive, but also life-threatening, experts say, and traditional credit monitoring provides little protection.

"Credit monitoring for a breach of your identity data, medical or not, is like handing out umbrellas in a tornado," said Alisdair Faulkner, chief products officer at San Jose, Calif.-based ThreatMetrix.

"If I'm a criminal, I can either try to apply for a credit card with a limit of a few thousand dollars, or I can use your identity to access or bill for healthcare worth hundreds of thousands of dollars. How long until we see people being bankrupt by procedures they didn't have, or doctors making the wrong call in a medical emergency due to false medical history?"

According to a 2013 Ponemon study, the most recent available, 1.8 million Americans or their close family members fell victim to medical identity theft, and 36 percent of them faced significant out-of-pocket expenses as a result.

For example, some wound up having to pay full price for medical services or medicines because their medical insurance lapsed, or pay for costs incurred by fraudsters. The average cost? $18,660.

But that's not even the worst thing that could happen.

"If someone gets your medical identity, and uses that to get medical goods, services, prescriptions -- everything they do goes on your personal health record," said Bob Gregg, CEO at Portland, Ore.-based ID Experts, which provides medical identity monitoring services.

Then, the next time you're unconscious in the emergency room, the doctor won't just see your medical history, but that of the fraudsters as well.

"Suddenly, all your preexisting conditions are incorrect," he said. "Allergies, drug interactions."

Claudia Gere, an author consultant based in Massachusetts, was one of the 80 million affected by the recent Anthem breach. She said that learning of the breach made her feel vulnerable and scared.

"When I need to get medication in an emergency and I find that my account has been closed for lack of payment or whatever reason... I think I would be able to dispute the charges," she said.

If it took three months to sort things out, she said, she'd be able to cover her current medications out-of-pocket.

"But for a lot of people, it could be more than an inconvenience," she said. "It could be life threatening."

According to Anthem, the data stolen includes names, dates of birth, member ID and social security numbers, addresses, phone numbers, email addresses and employment information.

"That data could definitely be used for billing fraud," said Andrew Hicks, healthcare practice lead at Denver-based Coalfire Labs.

In fact, medical identity information is significantly more valuable than credit card numbers or social security numbers alone. According to the World Privacy Forum, the former has a street value of around $50 -- compared to a street value of $1 for the latter.

And the average profit per record is $20,000 -- compared to just $2,000 for regular identity theft.

"Generally, prices for stolen health coverage data are an order of magnitude greater than for compromised payment card data," said Don Jackson, director of threat intelligence at Charleston, SC-based PhishLabs.

One reason, according to an EMC white paper about healthcare cybercrime, is that medical information fraud takes twice as long to spot, and is difficult to address.

Bank accounts can be easily closed, and credit cards re-issued, but correcting medical records is a far tougher challenge.

The World Privacy Forum has a list of tips for consumers, which include requesting copies of insurance billing records on a regular basis, filing police reports when there are fraudulent charges, and taking steps to correct the records when discrepancies are found. However, the organization admits that some of this can be difficult -- in particular, police departments may not even accept a report on crimes outside their jurisdictions.

Meanwhile, many insurance companies do not have the kind of monitoring that credit card companies do to catch unusual behaviors or fraudulent transactions, said ID Experts' Gregg.

According to Gregg, there are three main ways that criminals take advantage of this.

There's the classic medical identity theft where fraudsters print up fake IDs and get medical care on your dime.

Then there's a more profitable billing fraud industry, where fraudsters set up fake clinics and bill your insurance provider for services and treatments you never received.

"It's like having a credit card that you can use to the limits of your policy, which is usually measured in the millions of dollars," he said.

Finally, your medical information can be used to order prescription drugs, which are then resold on the street for a steep markup.

"There are online pharmacies basically set up as pill mills," he said.

They don't care if the prescription itself is valid -- as long as the billing information is correct.

Basic credit monitoring services won't help, he added.

"It might show up as a hospital bill a year from now that you didn't pay," he said.

Gregg's ID Experts is one of the first companies to offer medical identity monitoring services to insurance companies, alerting individual account holders of any new charges on their medical records, and giving them an opportunity to immediately dispute those charges.

The service is currently used by Moda Health, an insurance company based in Portland, Ore., and is currently being piloted by two other firms.

The service is not available to individual consumers.

"We need the claims data feed from the payer to make it effective," he said. "We're trying to figure out how to offer it through other systems, but we can't do it today."


Stories by Maria Korolov
