Photo (cc) by Davide Restivo
The medical records of more than 4.5 million patients, including name, address, date of birth and Social Security number, were recently stolen from Community Health Systems by a group of Chinese hackers. Unfortunately, even if you weren’t a victim of that hack, there’s a good chance your medical file is already in the hands of cybercriminals.
According to CNN Money, 90 percent of health care organizations have either exposed their patients’ personal data or it’s been stolen.
In the meantime, medical facilities have been busy converting paper patient records to digital files. And medical files can be easy prey for hackers, because the data is rarely encrypted, many health care clinics are using outdated technology, and hackers can usually access patient records on the same computer network that clinics and hospitals use for other business.
Security experts have long predicted that the digitization of medical records would invite hackers. Last year, Stephen Cobb, a senior researcher at ESET, the antivirus company, calculated that 24,800 Americans had protected health information exposed — per day — in 2013, based on the number of breaches disclosed on the website of the Health and Human Services Department last year.
But why do cybercriminals want patient records? CNN Money said medical files equal big money for hackers. While stolen credit card information might get $1 on the black market, medical records bring in a minimum of $50 per record. And there’s lots of ways your stolen medical file can be used.
CNN Money said:
Criminals can use medical records to fraudulently bill insurance or Medicare. Or they use patients’ identities for free consultations. Or they pose as patients to obtain prescription medications that can later be sold on the street.
The cyberattack on Tennessee-based Community Health Systems, which affected 4.5 million patient files, is not unusual. But, according to Reuters, the sheer magnitude of the hack makes it stand out.
The attack is the largest of its type involving patient information since a U.S. Department of Health and Human Services website started tracking such breaches in 2009. The previous record, an attack on a Montana Department of Public Health server, was disclosed in June and affected about 1 million people.
My two children and I received letters from the state of Montana in June, notifying us that hackers had broken into the state health department computer server, gaining access to our names, address, dates of birth and Social Security numbers, along with other personal information. The letter said there was no indication that any information was stolen.
“So, while the federal Health and Human Services department promises ‘electronic health records will not change the privacy protections or security safeguards that apply to your health information,’ in reality, data breaches are becoming a regularity,” CNN Money said.
Have your patient files been part of a hacking scheme? Share your comments below or on our Facebook page.