So far this year, data breaches have continued to occur at a feverish pace. One favorite target? Health records. According to the Privacy Rights Clearinghouse, 29 health-related breaches have been made public so far this year, affecting tens of thousands of records.
One of the largest breaches so far occurred at an Emory Health clinic in Georgia, with almost 80,000 records compromised. The breach occurred when a hacker exploited a weakness in the database used by the appointment scheduling system and apparently deleted data, all while demanding a ransom paid in Bitcoin.
Another large data breach and ransomware attack occurred in Delaware and was made public in January. Some 24,000 records were potentially compromised at Summit Reinsurance Services, an insurance subcontractor for Highmark insurance and a provider of underwriting services to self-insured companies. Summit Reinsurance Services is now under investigation by the state because of the breach.
If these breach tallies aren’t enough, the breach portal of the US Department of Health and Human Services lists a breach at the Commonwealth Health Corporation of Kentucky, with almost 700,000 records compromised. While no additional information is available about that breach, it’s clear that it’s part of a larger trend of targeted attacks on personal health data.
While the value of personal health information sold illegally likely fluctuates, a 2015 report by NPR showed that one peddler of stolen information offered 10 Medicare IDs for 22 Bitcoin, which was around $4,700 at the time. Healthcare information is so valuable in part because it not only lets a criminal engage in identity theft as we commonly think of it, but also provides a way for a criminal to receive healthcare using fraudulent insurance information.
The known health data breaches of 2017 encompass ransomware, theft, unintended disclosure, and insider threats. But a new report shows that a larger percentage of breaches in 2017 occurred because of insider threats than in previous years. Whatever the cause, the stakes could not be higher. A judge has ruled that a class action lawsuit can be filed against a hospital in Alabama that was the target of an insider threat breach in 2013 that affected thousands of records.
Given the relatively high payoff of illegally sold records and the possible motivation of insurance fraud, it’s likely that health records will remain a target of hackers and insiders alike. We can only hope that healthcare providers and insurers secure their systems, and prioritize their customers’ privacy and financial stability.