What are hackers doing with your medical records?

Electronic health information is at constant risk of attack by hackers worldwide hoping to make a profit. Whether they use ransomware to lock up data until the facility pays in cryptocurrency or sell the information on the black market, cybercriminals stand to make a lot of money by stealing the electronic version of a patient’s protected health information.

Health information breaches increased in 2020

Hospital computer networks are under constant risk of attack in our current electronic health record (EHR) system. It’s essential that health information management staff implement strong security measures. Even with the best security, hackers will still try to force their way into healthcare systems for criminal activities. It’s incredibly difficult to trace computer crimes back to the source, often leaving law enforcement unable to catch the hacker.

In a 2021 healthcare breach report, Bitglass, a global cloud access security broker, reported a significant increase in breaches compared to previous years. They determined that hacking and IT incidents caused 67.3% of healthcare information breaches in 2020. Additionally, unauthorized disclosures accounted for 21.5%, loss or theft caused 8.7%, and other types of incidents caused 2.5%. The total number of breaches increased from 386 in 2019 to 599 in 2020.

Of the 26.4 million medical records breached in 2020, hacking and IT incidents caused 24.1 million of them. This implies that massive attacks and leaks are by far the most likely reason for an individual to be affected.

Healthcare record breaches have also become more expensive. In 2020, such incidents cost healthcare organizations approximately $13.2 billion. In addition to the total number of breaches increasing, the cost per medical record compromised increased from $429 to $499.

Why do hackers want medical records?

Medical records are a treasure trove of information, generally including the following patient details:

  • Private information: Full legal name, physical address, Social Security number
  • Contact information: Email address, phone number(s), and emergency contacts
  • Financial details: Employer, job title, and salary
  • Medical history: Pharmaceutical records, test results, clinical data, and insurance information

The individual breaching the records will usually not be the one using them. Medical records include more than enough information for a cybercriminal to steal a patient’s identity, so bundles of such information are very valuable.

According to a report by cybersecurity firm Trustwave, a patient’s electronic health information can sell for upwards of $1000 on the dark web. For comparison’s sake, a Social Security number alone generally sells for only $1. When entire servers of such data are compromised, hackers stand to make potentially millions of dollars by distributing the stolen medical records to criminals.

These breaches can be massive, too. In a press release, the Department of Health and Human Services (HHS) announced that Excellus Health Plan, Inc. paid $5.1 million after a major breach that spanned from December 2013 to May 2015. The cyberattack compromised the data of over 9.3 million people, likely netting the hacker a fortune in untraceable cryptocurrency.

What do hackers do with medical records?

Once a cybercriminal gains access to a patient’s medical records, they will likely use them to impersonate the patient for personal gain. Most commonly, stolen personal data will be used to get a line of credit or a loan. The additional information stored within medical records offers the hijacker more options, however.

After purchasing fake ID cards with the patient’s name and information, criminals can impersonate the patient to receive expensive treatment billed to the patient’s insurance. Additionally, they may acquire prescriptions for drugs illegally, which will likely end up sold on either the streets or the black market.

Regardless of what cybercriminals choose to do with patient records, the victim is often significantly burdened. Between attorney and court fees, non-covered losses, and the hundreds of hours spent working to resolve identity theft, patients with compromised data stand to face major losses.

Protect your information

Risk mitigation is integral to protecting your medical records. Your healthcare providers and other HIPAA-covered entities are responsible for much of this burden, but you are responsible for protecting any medical records you have access to.

Use trustworthy antivirus software and regularly scan your system to ensure that there are no viruses or keyloggers. Also, avoid exchanging your medical records via email or messaging platforms that lack the security required for HIPAA compliance. If your doctor wouldn’t use it for transferring medical records, neither should you.

If you would like to be protected when storing and sharing your medical records, ChartRequest is here to help. Our user-friendly software simplifies the release of information request process and makes it easy to share your records with healthcare providers. Additionally, you can use one account for yourself and your dependents.

Interested in keeping a copy of your medical records somewhere safe? Sign up for a ChartRequest account today and see all the benefits our software has to offer.