As of 2021, more than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.[1] While credit cards and social security numbers are perennial favorites, cybercrime has begun to favor the theft of electronic medical records (EMR) as sources of revenue. With banks and major financial institutions starting to wise up and tighten their electronic security, cybercriminals have begun to target vulnerable healthcare institutions with a particular focus on the records of children, elderly people, and the deceased.

Compared to credit cards and social security numbers, health records are often more lucrative for cyber criminals. Most credit card and social security numbers sell for about $5, while medical records fetch an average of $250, with the most complete records reportedly going for $1,000.[2]. Medical records can include a significant amount of personal and sensitive data such as names, birth dates, policy numbers, social security numbers, and billing information. And the uses for these collected, centralized data records are much more versatile than just credit card or social security data. Using medical records, it’s possible not only to steal an identity, but to create wholesale “synthetic identities” using the choicest bits of data from multiple sources, creating fake persons cobbled together from the strongest parts of existing identities. The result is a sort of identity theft Frankenstein’s monster, making tracking down and identifying fraud even more difficult.

And while normally banks are robust in quickly cancelling credit cards once financial fraud is detected, the detection mechanisms in place for medical identity theft fraud crimes are not so robust, giving criminals years to exploit stolen records. Criminals bank on the fact that certain populations are less likely to check their medical history or insurance records for unusual activity.

Vulnerable populations

Of particular value to cybercriminals are healthcare records of children, the elderly, and the deceased due to the inherent vulnerability, longevity, and “freshness” of that specific data. On the dark web, records that include multiple identity confirming documents are valuable and convenient for buyers. Comprehensive health records for children, or other vulnerable populations (like the elderly or deceased), are particularly valuable; criminal buyers are willing to pay the premium for the data because it is rare that these populations are monitoring their medical or financial records for incongruities.

Another reason the data of vulnerable populations is valuable to criminals is due to their longevity. Especially for children, monitoring of health records beyond occasional vaccination requests is usually delayed until they are in their teens, giving a generous 12 to 18-year period of lucrative exploitation to fraudsters. The best victims for cyber-crime are those who do not have the capacity to file complaints. This period of time affords criminals the time they need to carefully build up credit histories, opening credit cards for toddlers, building up credit without arousing bank suspicions, before cashing in and accruing huge debts before the victims open their first credit cards and fill out car or college loan applications.

Simultaneously, cyber criminals are seeking the freshest data – that which is free from exploits by other unscrupulous actors. Thus, while an elderly person has had multiple opportunities to have their data breached (making the purchase of personal data on the dark web inherently riskier), data from children is fresh by default. Datasets featuring children’s data have a higher proportion of records that have never been touched by other criminals. The guarantee of easily exploitable records with a fundamentally lower chance of detection makes children’s data inherently more attractive, and thus more valuable to cyber criminals.

Curative Remedies

What are the methods to fix this issue? Entities handling patient data, particularly in light of the move to electronic medical records (EMR), must place IT security on as equal footing and import as patient care and billing. By correctly prioritizing IT infrastructure and robust security practices, hospitals and other healthcare institutions would go a long way towards correcting their image as lax havens for health records. The best medicine is prevention. Investing early in competent IT infrastructure and robust data privacy practices is infinitely preferable to state and federal statutory penalties. Depending on your jurisdiction, data breaches not only involve HIPAA breach fines (HIPAA violations can routinely scale into multi-million dollar fines), but likely also the added expense of IT and personnel investigation, mandatory breach reporting to affected patients and governmental entities, and even inviting massive liability due to private cause of action allowances under state law.

Patient data handling institutions require a reassessment of priorities, and a drive to invest in critical IT infrastructure to avoid costly litigation, fines, and wasted workhours in handling breaches. Preventing attacks by working on critical IT and financial regulatory backends is cost effective and lower impact than the institutional and financial interruptions brought on by investigations, litigations, and fines.

[1] https://www.hipaajournal.com/2020-healthcare-data-breach-report-us/#:~:text=In%202020%2C%20healthcare%20data%20breaches,also%20a%20record%2Dbreaking%20year.

[2] https://www.fiercehealthcare.com/hospitals/industry-voices-forget-credit-card-numbers-medical-records-are-hottest-items-dark-web#:~:text=Cybersecurity%20firm%20Trustwave%20pegged%20the,as%20little%20as%20%241%20each.