This Is Why Cyber Criminals Want Your Medical Records

2017 toppled 2016’s record-breaking 1,093 data breaches. As of December 27, 2017, there were 1,339 reported data breaches, according to a report from the Identity Theft Resource Center and CyberScout. This is a 23% increase from the year before. 

By hacking an insurance company or hospital, criminals can access all of your sensitive information in one fell swoop.

Data breaches have become so common that credit card numbers are virtually worthless on the black market because there’s so many available. That’s disturbing in itself, but what’s even more scary is that this oversupply has caused cyber criminals to set their sights higher by targeting the health care industry. More than a quarter of records breached in 2017 were medical records.

The Anthem data breach is just one example of how severe these breaches can be. In 2015, the insurance provider announced that 80 million patient records were compromised, which included sensitive data like Social Security numbers and health care ID numbers. In June of this year, they offered to pay a $115 million settlement, which if approved by the judge, would make it the largest data breach settlement to date.

Health Care Records Offer One-Stop Shop for Criminals

Health care records are essentially microcosms of your life, containing everything from your medical history and contact information, to your financial information and Social Security number.

By hacking the private records of an insurance company or hospital, a criminal can gain access to all of your sensitive information in one fell swoop. And, with often little invested in cyber security, the health care industry may make it easy for criminals to do so.

"Doctors don’t become doctors so they can protect data."

“As other sectors, such as financial services, put measures in place to protect their electronic data, it is typical for fraudsters to move to what they consider the next low-hanging fruit. With the amount of personal health information now available in electronic format, it is a natural progression for cyber criminals to migrate to health care,” Ann Patterson, Senior Vice President of the Medical Identity Fraud Alliance, explained to us.

“Doctors don’t become doctors so they can protect data. In fact, by law, insurers are required to not exceed certain amounts of ‘administrative’ spending (including anti-fraud measures) to ensure that the majority of money is applied toward paying claims for actual health care.”

Four out of every five doctors said they experienced a cyber attack.

While they may not have the resources to prevent cyber attacks, the majority of U.S. doctors have been affected by one. In a study conducted by Accenture and the American Medical Association, four out of every five doctors said they have experienced a cyber attack. The most common form of attack cited was phishing: emails sent by a scammer posing to be an authority within an organization in order to obtain sensitive data.

As health care data breaches climb, so do medical identity thefts. Consumer Reports estimates that in 2014, there were 2.3 million cases of medical identity fraud. Health care providers may not be in the business of cyber security, but it's time they make it a priority. 

Victims Spend Thousands to Resolve Medical Fraud

On average, companies pay $380 for every health care record breached. That’s more than the $225 average for breached records in other industries. These estimates cover direct expenses (like legal costs and identity protection services) and loss of business.

Consumers pay an even higher price for data breaches though if their identities are compromised. In 2015, the average medical identity theft victim spent $13,500 to resolve fraudulent activity, while other victims of identity fraud only spent $55 on average.

What makes medical identity theft even more problematic is that victims cannot simply shut down their medical records and open new ones like they can with credit cards. Their information could theoretically be used for life to open bank accounts, obtain medical care, reroute prescriptions, and more.

And, medical fraud is often harder to detect than stolen credit card information.

“Unlike financial identity fraud, medical ID fraud is hard to quickly identify and remediate,” explained Ann Patterson. “There is no mechanism for a hospital to alert you when someone with your identity has obtained services at their facility. There is no central repository of health care accounts in your name where you can obtain a report to review.”

Medical Identity Theft Can Create Medical Inaccuracies

A doctor may base treatment on a medical condition the victim doesn't have, a surgery they never received, or a prescription they don't take.

Undetected medical fraud can be far more serious than a damaged credit score. If a criminal assumes someone else's identity to obtain medical care, it can negatively affect the health of the victim.

Victims can receive the wrong form of medical treatment or diagnosis if their medical information is mixed up with a criminal’s. A doctor may base treatment on a medical condition the victim doesn't have, a surgery they never received, or a prescription they don't take. And, even if incorrect data is detected, it can be nearly impossible to remove from health records.

“Your health history is what it is; if you’re sick or have been sick, that is a historical fact that doesn’t change,” said Patterson.

In other cases, patients may not receive their prescribed treatment at all. Criminals can change the mailing address for prescription drugs, leaving victims without their medication.

This is particularly a problem for opioids—prescription pain medication like oxycodone, hydrocodone, and methadone which are responsible for one of the worst drug epidemics in history. Some criminals may use someone's medical identity to obtain new opioid prescriptions or reroute existing ones for their own benefit.

Opioid prescriptions are closely monitored because patients can easily develop a dependency on the medication. If a thief visits multiple health care providers to fraudulently obtain opioid prescriptions under a victim's name, it could even lead to a warrant for their arrest.

This is what happened to Deborah Ford. Her medical identity was stolen after a thief stole her wallet which held her health insurance identification cards. The criminal used her identity to obtain multiple opioid prescriptions until it was flagged by law enforcement. Ms. Ford had to fight an arrest warrant and multiple charges on her previously clean record.

Were You Hacked?

If you suspect that you are a victim of medical identity theft, the Medical Identity Fraud Alliance provides multiple resources on what you should do next. To find out if your information was compromised in a data breach (regardless of industry), you can look up your email address on Have I Been Pwned.

ClassAction.com attorneys have fought on behalf of consumers in some of the largest data breach lawsuits to date, including lawsuits filed against Home Depot, Target, and Yahoo. If your information was stolen in a data breach, you may be eligible for a lawsuit. Contact us for a free, no-obligation legal review.