Cybercriminals Target Health Care Organizations for Patient Medical Data
The value of patients’ confidential medical data has risen to ten times that of credit card numbers on the black market, according to recent Reuters reports. Medical data can be used by cyber criminals to fraudulently obtain products and services – as with credit cards – although medical data theft has the advantage of being harder to detect than other cyber crime activities such as credit card phishing.
Hackers are now targeting health organizations in an attempt to obtain confidential patient data and other personally identifiable information from their websites, databases and internal computer systems. The threat of attack has prompted the FBI to issue warnings to a wide range of organizations in the health care sector alerting them to the risk of cyber theft of data.
The warning was issued following the theft of 4.5 million patients’ data by a group of hackers in an attack on Community Health Systems. The theft ranks as the biggest HIPAA data breach by hackers and the second largest data breach in history. In this case the data obtained was non-medical in nature, although it is still being sold on by cyber criminals.
The FBI warning states that the agency “has observed malicious actors targeting health care-related systems, perhaps for the purpose of obtaining protected health care information and/or personally identifiable information.”
Credit card details can be sold on for $1-2 a number, while medical data with identifiable patient information has a value in excess of $10, making it highly attractive to thieves. The data can be used to create false identities and obtain medical prescriptions for the thieves to sell on the black market.
With information such as a billing address, date of birth, insurance policy number and diagnosis codes, thieves can purchase medical equipment and make false insurance claims by using real patient numbers with false provider numbers.
Reuters reports that one of the main problems for law enforcement officers is the difficulty of identifying the cybercriminals’ activities quickly. Claims are made, medical equipment and drugs are obtained, and it is only when the bills go unpaid and the bailiffs are sent in that the victim becomes aware of the fraud.