ICFE eNEWS #16-21 - July 2016
By any measure, there has been an epidemic of data breaches involving medical records in the United States. According to reports from both public and private sources, the Personal Health Information (PHI) files of nearly half of all Americans have been affected.*
What attracts hackers to focus on medical records, as opposed to credit cards or other personally identifiable information? They must have been reading up on Willie Sutton, the infamous bank robber who famously said, in response to the question of why he robbed banks: "That's where the money is."
While it's true that the money may be in banks, in today's marketplace, even more valuable information for re-sale appears to be in the medical records of an unsuspecting public.
How valuable are medical records? It depends on which source is reporting. A diligent search of internet sites shows a broad range of estimates, anywhere from $60 to $450 for a complete profile including sensitive patient information. Of course, since it's a "black market," the accuracy of this pricing information is by its nature uncertain. Credit card accounts, in contrast, may bring only $10-20 per record in bulk amounts.
There are various apparent reasons for this disparity. Chief among them is that financial institutions have deeper experience with, and less exposure to, these threats than medical facilities do. Credit cards and bank accounts can be cancelled and replaced almost immediately, while medical records are much more complicated and difficult to start fresh. Actions of third parties, such as insurance companies, are also much more likely with medical issues than with financial ones. Very large costs for fraudulently obtained medical services are common.
Reports indicate that the trade in medical records is carried out through relatively inaccessible channels, such as the "dark web," where encryption and restricted access prevent effective monitoring and prosecution by law enforcement. Payment systems such as Bitcoin are also used, to avoid detection and intervention.
Given the inability to recapture the "horse once it has left the barn," the most effective means of responding to this challenge is prevention.
For the holders of Personal Health Information, mainly providers of medical services and others with legitimate access such as insurers, appropriate security measures are well documented. These include staff training and awareness, hardening the physical and digital storage and transmission of patient information, compliance with HIPAA and related laws and regulations, and regular reviews and updates of relevant policies and procedures.
For consumers, appropriate responses tend to be reactive rather than proactive. It is reported that most of the parties whose medical records are breached have never accessed their own medical records, and first learn of the breach through notification from the breached organization.
It's even worse to find out at the emergency clinic or in the operating room, when it comes to light that the patient has erroneous information in his or her medical record. This is sometimes referred to as the "medical identity theft that can kill you," when the diagnosis is skewed by a medical record containing an indication of a surgery that was performed previously - though on someone else who was using the victim patient's medical insurance.
In the event of a breach notification, it is important to read the terms carefully. It is common for the breached organization to offer the consumer free enrollment in an identity theft monitoring and remediation service. Where medical records are involved, the service should include monitoring medical information as well as credit records.
In order to assure assistance and avoid being precluded from making any claims for actual damages from the breach, it is highly advisable for the consumer to register with the offered service. The consumer may think of this registration as a carrot and a stick: the positive aspect is receiving the monitoring and remediation service; the negative is suffering a loss with no remedy.
Taking the appropriate steps to manage the risk of medical identity theft will work as a deterrent to identity thieves as well: if they find you are prepared to defend the confidentiality of medical records, they will likely move on to find easier pickings and leave you alone.
More information is posted online.
* More than 113 million medical records were hacked in 2015 alone, according to data compiled by the Department of Health and Human Services. A newly released report from the Institute for Critical Infrastructure Technology, a cybersecurity think tank, found that some 47% of Americans have had their medical record hacked in the past 12 months.
The ICFE's Certified Identity Theft Risk Management Specialist ® XV CITRMS® course is now available both in printed format and online.
The Textbook and Desk Reference edition of the course book is also available online. Bulk pricing and discounts for veterans and students are available. Inquire at email@example.com
Yan Ross is ICFE's Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course. As an accredited educator for over 20 years, he has addressed Identity Theft Risk Assessment and management for consumers, organizations holding personally identifiable information, and professionals who work with individuals and organizations who are at risk of falling victim to identity thieves.
ICFE eNEWS is available FREE upon request by visiting the ICFE's
and filling out the contact form, selecting "Yes" for "Add to Mailing List."
Please pass this eNEWS on to your peers and interested others and
invite them to subscribe for free. Also, visit the ICFE's new Web site:
Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)
ICFE - Institute of Consumer Financial Education - ICFE.info - 619.239.1401