Late last year, our Third Annual Data Breach Industry Forecast predicted cybercriminals would continue to focus their attacks on healthcare institutions, inspired by the knowledge that the black market value of medical records continues to surpass the value of credit card numbers. Industry experts we interviewed also predicted employee missteps would be a source of healthcare breaches.
Entering the final quarter of 2016, our prediction is playing out in the numbers; nearly half of all consumers affected by a data breach so far this year had their personal information exposed through a healthcare-related incident, according to information compiled by the Identity Theft Resource Center.
In the first three quarters of the year, 256 medical and healthcare data breaches exposed more than 13.5 million records, the highest number of any sector the ITRC tracks. Records compromised in a healthcare breach accounted for 47.2 percent of all affected records in 2016.
The healthcare sector has been a hotbed of attacks throughout the year, largely due to the continued value of medical records sold on the dark web. These records can be used for far more than just filing fraudulent medical claims. One lucrative use is filing fraudulent tax returns. CNBC reported the IRS expects, and has been bracing for, an increase in tax fraud linked to the high number of medical breaches this year.
It’s easy to understand why medical records can be so profitable for hackers. While financial accounts such as credit cards may contain a limited amount of personal information, medical records are much more comprehensive. Typically, they contain a wealth of information far beyond mere account numbers. In addition to names, addresses and birth dates, medical records often contain Social Security numbers, which healthcare providers may use as patient identifiers.
The employee factor
Many of the mega-breaches of 2015 occurred through digital routes that the average consumer would find downright arcane. In 2016, we’ve seen an increase in smaller attacks with mundane origins such as stolen hardware, poorly secured employee email accounts or phishing attacks. Consider these examples reported in the HIPAA Journal:
- Four staff email accounts were compromised in a phishing attack on employees at City of Hope Hospital in California. To put it more bluntly, four hospital employees fell for scam emails and the result was, as ITRC reports, the exposure of more than 1,000 patient records.
- More than 200,000 patients of Premier Healthcare in Bloomington, Indiana, received notification letters after a password-protected but unencrypted laptop was stolen from the hospital’s billing department.
- A St. Louis, Missouri, not-for-profit healthcare system, BJC Healthcare, had to notify more than 2,300 patients their information was exposed after an employee mistakenly sent an email containing protected information to another medical organization.
For healthcare institutions, the takeaway from 2016 should be the need to remain vigilant and proactive regarding the many ways in which data breaches can occur. While 2015 was the year of healthcare mega-breaches, 2016 has seen the emergence of smaller breaches that still have the potential to cause significant harm to organizations and patients.