Modern field guide to security and privacy

Stolen medical data on the cheap after waves of healthcare hacks

Buyers and sellers on the digital underground are trading healthcare records databases for as much as $200,000, according to a report from Intel Security. And that's at a discount. 

Gus Ruelas/Reuters
Data breaches at healthcare companies, hospitals, and insurance providers sometimes result in the sale of stolen data online. Anthem health insurance announced last year that nearly 80 million people were affected by the hack on their systems.

Cybercriminals are selling databases of stolen medical records at a discount perhaps due to a glut of pilfered patient information available on underground web markets, according to a report from Intel Security. 

While the report, released Wednesday, underscores the demand for stolen medical records, it also shows how easy it is for criminals to obtain hacked patient information. Medical records, after all, provide digital thieves with a roadmap for stealing someone's identity by including a range of sensitive information that's impossible to change, such as their family medical history.

The research should also serve as a warning for medical providers to better secure patient data and defend their systems against cyberattacks, say experts.

"As a patient, if I trust you with my medical care, I also need to trust you to protect that information," said Raj Samani, chief technology officer at Intel Security. "You have to trust other people at a certain point, but at a certain point we do need to ask, 'What are you doing with my data?'"

On one underground market called the Real Deal, for instance, buyers can purchase information about individuals' insurance companies, Social Security Numbers, and other information for between $14 and $25 per record. A June 2016 report from Dell SecureWorks indicated that individual patient records, known as "fullz" in the underground markets, went for between $15 and $65. 

One database of healthcare records stolen from an unknown provider in Atlanta, Ga., purportedly included information on 397,000 patients for 300 bitcoin (about $200,000). The Intel researchers also found databases that claimed to offer records on 210,000 patients from Oklahoma City, Okla., and 48,000 patients from Farmington, Mo., for 85 bitcoin ($55,000) and 30 bitcoin ($20,000), respectively.

The databases appear to be the same ones uncovered by Deep Dot Web in June, and their authenticity could not be immediately verified. If the databases are indeed the same, they can be purchased now for a lower rate than in the summer. In June, the Farmington records were priced at 151 bitcoin, the Georgia records at 608 bitcoin, and a database of 210,000 records from a provider in the "Central/Midwest United States," likely Oklahoma, was available for 304 bitcoin.

One way to keep criminals from getting access to sensitive medical records is to strengthen authentication systems that protect medical records, said Michael Kaiser, chief executive of the National Cybersecurity Alliance.

"The focus on credentials and access to these records needs to be on top of everybody's mind," said Mr. Kaiser. "Organizations need to ask themselves, 'What does it take to access these records from the outside?' Better credentials protect those networks better."

Other experts say the government needs to step in to compel healthcare companies to take more steps to safeguard patient data. 

"I don't think this is going to slow down until the government puts some sort of measures in place, particularly on the federal side," said Dodi Glenn, vice president of cybersecurity at the security scanning company PC Pitstop, who suggested a security version of the Health Insurance Portability and Accountability Act, better known as HIPAA, which aims to protect patients' medical confidentiality.

"I don't think I'll see anything like that in my lifetime," he said. "But if there was another magic bullet, we would have used it already."
