Report: Half of U.S. Health Care Providers Have Been Hacked

Dan Tynan
Yahoo Tech

Cybercrooks have developed an unhealthy interest in your medical records, and the prognosis isn’t good. According to an annual study on the privacy and security of health care data, the leading cause of medical data breaches is now deliberate attacks by criminals.

An alarming 91 percent of health care organizations reported a data breach in the past two years. Some 45 percent of them were the victims of deliberate attacks by cybercriminals seeking to steal the medical and financial information of their patients, a figure that has risen 125 percent since 2010.

Figure: Ponemon Institute, ID Experts

The survey, conducted by the Ponemon Institute and ID Experts, also looked at businesses associated with health care, such as claims processors and third-party billing companies. These numbers were slightly lower: Roughly 60 percent reported breaches, with just under 40 percent caused by criminal activity.

A prescription for disaster

Alarmingly, the data criminals were most interested in stealing were medical records. More than half of the health care organizations that were breached lost control of patients’ medical files.

The reason? Medical records are worth far more than ordinary financial records. According to the FBI, personal health information records can fetch from $20 to $70 apiece on the Internet’s black market, or more than 10 times what a credit card number can bring.

Figure: Ponemon Institute, ID Experts

According to the Medical Identity Fraud Alliance, the number of Americans who are victims of medical identity theft has nearly doubled over the last five years, from 1.4 million to 2.3 million. Nearly two-thirds of victims spent more than $13,000 trying to resolve the crime.

“Medical identity theft is 100 times worse than financial identity theft,” notes Rick Kam, president and co-founder of ID Experts. “Bad guys are monetizing the use of your health insurance number, using it to defraud Medicare or to buy OxyContin.”

They could also use the information in your medical record to target you by sending phishing emails that appear to be from your doctor, urging you to surrender more personal information or directing you to websites that will infect your computer.

“When criminals have this kind of information, people are more likely to be duped,” says Larry Ponemon, chairman of the institute that bears his name.

Do no harm?

One-third of all health care providers and one-fourth of related businesses in the Ponemon study reported being aware that some of their patients were victims of medical identity theft. But only about one-third of them offered any services to protect victims, such as credit- or identity-monitoring.

Medical-record theft is even more costly to health care providers. According to the study, it costs $2.1 million on average for a single organization to deal with the aftermath of a health care data breach — which translates to an estimated $6 billion annual cost to the entire industry.

Figure: Ponemon Institute, ID Experts

Unfortunately, Kam notes, there’s not a whole lot consumers can do about it besides keep a close watch on their medical records and the explanation of benefits (EOB) their insurance company sends them. If the EOB form lists procedures they never had, or contains other inaccuracies, this is a likely indication that their information has been compromised.

One final note: Fewer than 20 percent of the U.S. health care organizations contacted by Ponemon and ID Experts chose to participate in the benchmarking survey, most of them regional and local providers. Several of the largest healthcare providers in the country did not participate. If they had, Ponemon estimates that the percentage of organizations suffering data breaches would probably be slightly lower, given the amount of resources these organizations devote to securing their systems, but the average cost of recovering from a breach would likely be higher.