Scammers want your personal details and bank account information – but did you know that your medical records are also of interest to them?
In fact, they’re positively sought-after, worth more than even your credit or debit card number!
It’s only getting worse: examples of these scams and data breaches are increasing, with the Ponemon Institute’s Fifth Annual Benchmark Study on Patient Privacy and Data Security concluding that:
“Criminal attacks on healthcare organizations are up 125 percent compared to five years ago… replacing lost laptops as the leading threat.”
But why? And what can you do about it?
They’re Worth Relatively Large Sums
The more information can be sold on for, the more worthwhile it is for hackers to spend time obtaining it.
You might be surprised: your details, even the seemingly-insignificant ones, can fetch quite a bounty on the Dark Web. You may shrug at finding out that Personally Identifiable Information (PII) can only garner around $1 a line, but according to Reuters, medical information is worth ten or even twenty times the amount offered for credit card details.
PhishLabs’ Don Jackson says such credentials can go for $10 each – which might seem insubstantial, but this sort of information is stolen in bulk, meaning one hack can result in masses of fraud victims.
Scammers can sell details on with shocking ease on the Dark Web: that is, a part of the un-indexed Deep Web, with information stored on onion sites only accessible using the Tor browser. There are of course ways a beginner can scour onion sites, but typically hackers are already well-versed. The Dark Web offers people the chance to buy and sell all sorts of things, including drugs, weapons, and your personal details.
It’s Often All-Encompassing
Why is this sort of information worth a high sum? The core reason is that gaining medical data is a ‘full’ scam, i.e. it contains all the information needed to impersonate you. That includes PII, but also billing and insurance material.
You trust medical companies with a hefty package of private data, and this can be a tantalizing bounty for cybercriminals.
Even tiny bits of information can be used to gather a lot about you: you tell social media an awful lot, and from that, one could even guess at your passwords – especially if they’re something generic. Take a look at Digital Shadow, a tool that picks through your Facebook profile and automatically suggests passwords you might use for PayPal, Internet shopping, or online banking.
Now imagine what a fraudster could do with a more complete profile of you.
While the BBC stated that the number of identity theft victims rose by almost a third in January–March 2015, compared with the same period in 2014, Javelin Strategy & Research reported that $16 billion was stolen from 12.7 million victims in the USA last year.
The more accurate a picture of you, the more absolute the identity theft.
It Can Go Unnoticed
Scammers can typically get away with fraudulent activity for longer than it takes you to realize there’s something fishy going on with your credit card. Banks are always on the look-out for questionable activity going through your account: one query and your card can be put on hold or cancelled altogether.
But medical identity theft isn’t always obvious. It can’t go unnoticed forever, but often, you only become aware of someone impersonating you for health purposes once it’s too late. What’s worse, you become responsible for the red-letter bills; you have to pay the debt lumped on you by people you don’t even know.
That’s the consequence of not being as concerned about healthcare data breaches as you would be on learning that your financial information had been accessed.
It may come as a surprise to know how little information can result in identity theft. Amy Krebs told Forbes how she became a victim herself:
“I don’t know who she is. I had never heard of her in my life. She lives a town over from me. She was using my maiden name and a 10-year-old address — so perhaps at some place in my community I trusted, like a school or a doctor’s office or employer, she came across that information. I can only make assumptions and jump to conclusions at this point… She hardly knew anything about me but was able to get credit from utility companies and stores.”
It’s An Emotive Subject
We all worry about our health; if you receive an email delivering bad news, or containing worrying results, you’re bound to panic. Scammers use that fear to gain leverage over you.
If hackers have your details, they can make the hoax more convincing: the more accurate information they can quote back to you, the more likely it is that you’ll fall for it.
One particular scam saw hundreds of thousands of emails sent out to people worldwide supposedly from medical institutions – emails which contained malware called Dridex. Don Smith, Technology Director at the company which revealed this fraud, Dell SecureWorks, told The Independent:
“[The gang of cybercriminals responsible] were opportunistic and used any means to get people to inadvertently install malware so they could steal money. They would use any ploy – however weird or wacky – to persuade people to do that.”
This purportedly included telling would-be victims that they had tested positive for cancer.
You wouldn’t normally receive such medical results by email, but a message like this could easily make you panic and fall into the cybercriminals’ trap. The Dridex malware would activate when the victim used online banking; they would then either be presented with a fake banking page, or their details would be collected and sent to the hackers.
It’s such an emotive topic that there were reports of a phone scam in which you get a call saying a relative has been in an accident abroad and needs their medical bills paid urgently before they can be treated!
Sometimes, They’re Easy Targets
This doesn’t apply to all medical institutions, obviously, but many have insufficient security systems – certainly considering the wealth of information they hold about you! Healthcare security expert Dave Kennedy confirmed:
“As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit. Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
With limited funds, you can’t really blame them for spending their budgets on medical equipment over a stronger firewall, for instance.
The Ponemon Institute states that more than 90% of hospitals and healthcare facilities in their annual study had suffered a data breach (costing an average of more than $2.1 million per organization), and 40% had had five or more over the past two years. They further point to malicious insiders as a possible source of leaked information.
Jeff Horne, vice president of cybersecurity company Accuvant, said:
“Healthcare providers and hospitals are just some of the easiest networks to break into. When I’ve looked at hospitals, and when I’ve talked to other people inside of a breach, they are using very old legacy systems – Windows systems that are 10 plus years old that have not seen a patch.”
Additional concerns were raised over medical professionals accessing data over unsecured networks on mobile devices.
What Can You Do?
You may think a lot of this is out of your hands, but there are a few measures you can carry out to limit the damage.
If there’s been a data breach affecting more than 500 people, medical institutions are required to inform their patients. Contact them if you’re concerned about their security – they’re unlikely to take you through all their arrangements, but you can at least raise your concerns.
Create strong passwords, and beware of phishing and malware scams. Always shred unwanted medical reports. Stay skeptical of any messages informing you of medical problems, and keep a cool head. Would your hospital really email you to let you know bad news?
You can also use DataLossDB.org to keep track of any data breaches – large or small.
What tips do you have? Have you ever been victim yourself?