Healthcare data contains a wealth of information about individuals, and as such it represents a valuable commodity to many different parties. Some of those parties are criminal in nature, in that they want the data to commit identity theft or fraud. Others are legitimate, such as marketing firms that pay for such data and are unaware of its origins. Churning stolen healthcare data into packets of information tailored to different buyers, without betraying the fraudulent origins of the data, has brought about a new "data laundering" market.

Trends

According to a December 2012 study by the Ponemon Institute, a staggering 94% of polled healthcare organizations had at least one breach in the previous two years. Even more surprising, 45% reported more than five incidents. The cost of these incidents was calculated to average $2.4 million per organization over the two-year period. The types of data lost include medical records, billing records, prescription information, scheduling details, monthly statements and payment details. Taken together, such data provides a fairly intimate profile of a patient, which can be sliced up and consumed by different recipients:

  • Social Security numbers and other personal details are useful to identity thieves
  • Financial fraudsters seek payment information
  • The wealth of metrics and personal information is a gold mine for marketers

Laundering

As stolen data makes its way to different recipients, to be used and reused multiple times, the initial source of the data (a breach or data loss event) is more than likely completely unknown to the legitimate consumers of that data. For example, if an entire database from a healthcare organization were stolen and offered to a legitimate organization as-is, it would be obvious that a trove of data covering potentially thousands of individuals came from suspicious origins. However:

  • Once the data is compartmentalized and tailored to the consumer, it becomes much less suspicious and passes the "smell test"
  • This data can then be chopped up further and passed around, further concealing its origin, all the while making money for the parties involved
  • The true owner of the data, the patient whose information was stolen, may be completely unaware until it is too late

Looking ahead

The value of this information has led to it being described as the "new oil". More criminals will target the information in order to cash in and, unlike "black gold", information is a renewable resource carrying much lower risks than those faced by the oil prospectors of the industrial revolution. The expectation is that data loss events will increase in the foreseeable future, until their common causes, such as the loss of an unprotected device, employee mistakes, and information systems breaches, are brought under control through regulation, compliance, and auditing. While data loss events are largely out of the control of the people whose data is at risk, there are a few steps you can take to protect yourself:

Step 1: Ask for copies of your medical records and patient activities, and review medical bills closely

Step 2: Check your credit report annually in order to identify suspicious activity

Step 3: Ask your healthcare providers about their implementation of the FTC's "Red Flags Rule"

References:
http://www.infosecurity-magazine.com/view/31447/healthcare-data-breach-information-is-the-new-oil
http://www.backgroundcheck.org/94-of-healthcare-organizations-breached/
http://www2.idexpertscorp.com/assets/uploads/ponemon2012/Third_Annual_Study_on_Patient_Privacy_FINAL.pdf
