Medical Records of U.S. Citizens Vulnerable to Attacks

The hacker group Fancy Bear’s exposé of the medical records of famous American athletes is just the tip of the iceberg when it comes to the vulnerability of American citizens’ medical records.

In August 2016 alone, health data security company Protenus reported that 8,804,608 medical records of U.S. citizens were breached.

Network breach

Protenus added that 29% of the breaches involved hacking, malware or the increasing menace of ransomware. One incident alone, involving 3,620,000 medical records, was a result of hacking, according to Protenus.

While this figure of more than 8 million breached records may seem staggering, the number of patient records breached reached 11 million in June 2016 alone. The bulk (10.3 million) of these breached patient records is attributed to one hacking incident, the health data security company reported.

Protenus added that a total of 126,930 breached patient records were reported in July this year alone. The largest single breach in July 2016, involving 23,565 records, was the handiwork of the hacker group that goes by the name TheDarkOverlord.

According to the report “Your Life, Repacked and Resold: The Deep Web Exploitation of Health Sector Breach Victims,” published by the Institute for Critical Infrastructure Technology (ICIT), almost 100 million of the medical records compromised in 2015 came from just three hacking incidents, at three American health insurance companies: Anthem Inc., Premera Blue Cross, and Excellus Health Plan Inc.

In June this year, security researcher Dissent Doe reported that the hacker group TheDarkOverlord tried to sell on the deep web 9.3 million medical records from an unnamed U.S. health insurer for the price of 750 Bitcoin, roughly $500,000.

Why do cyber attacks in the health sector succeed?

As early as April 2014, in a bulletin published on the American Hospital Association website, the FBI warned that “The deadline to transition to EHR is January 2015, which will create an influx of new EHR coupled with more medical devices being connected to the Internet, generating a rich new environment for cyber criminals to exploit.”

Way back in 2014, the FBI bulletin stated that cyber criminals were selling patient records on the black market at a rate of $50 for every partial EHR. The FBI added that EHR can then be used to advance identity theft, obtain prescription medication or to file fraudulent insurance claims.

According to ICIT, one of the reasons why cyber attacks in the health sector are successful is that a U.S. law – the Affordable Care Act – has increased healthcare providers’ incentive to transition to EHR without requiring an investment in software, hardware or IT staff.

An EHR, or Electronic Health Record, is a digital version of a patient’s medical chart. It contains basic identification data of the patient, vital signs, health problems, medications, past medical history, immunizations and laboratory reports.

According to the Office for Civil Rights of the U.S. Department of Health and Human Services, in August this year, Advocate Health Care Network paid the Department $5.55 million to settle a data breach case. To date, the Advocate settlement is the largest settlement involving a single entity.

In 2013, Advocate reported to the Office for Civil Rights several breach incidents involving its subsidiary, Advocate Medical Group. Four million individuals were affected by the cyber attacks against Advocate.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI (electronic protected health information) is secure,” Jocelyn Samuels, Director of the Office for Civil Rights, said in a statement.

In July this year, the Oregon Health & Science University and University of Mississippi Medical Center paid the Department close to $2.7 million each to settle their respective data breach cases.
