By Matthew C. Bertke, CPA, MBA, Product Development Manager

Personal data is a lucrative market for cybercriminals. They can hold it ransom, use it to commit identity theft, or sell it on the black market. Healthcare organizations, which possess a great wealth of personal data, are extremely attractive targets for cybercriminals.

As discussed in our recent article on cybersecurity, healthcare organizations face numerous threats, including malware and phishing schemes, which can result in data breaches.

When security measures fail, data breaches can occur. This is disastrous for both a healthcare organization and its patients. The healthcare organization may face steep HIPAA fines. The patients may have their data sold on the black market.

The Black Market for Personal Data

Although some hackers may launch attacks for fun or revenge, most are looking to make money. According to Verizon’s 2018 Data Breach Investigations Report, 76% of breaches were financially motivated. 

In ransomware attacks – such as the infamous WannaCry attack of 2017 – malware infects a computer system and encrypts the data. This data is then held for ransom, and the victim is told to pay a fee, often in the form of cryptocurrency. However, even if the ransom is paid, the data may never be recovered.

Ransomware is only one way that cybercriminals make money from data, however. Some types of malware steal data quietly and may go undetected. The criminals may use the data themselves, for example, to make fraudulent credit card purchases. Others will sell it to the highest bidder. There is a thriving black market for personal data.
  • Financial information and Social Security numbers can be used in identity theft.
  • Healthcare information can be used in medical identify theft.
  • Phone numbers and email addresses can be sold to spammers looking for new victims to target with their scams.
  • Login information can be used by cybercriminals who want to access these accounts.
Medical data is especially valuable. According to Aarti Shahani at NPR, a criminal online dealer was selling the Medicare numbers of 10 people for about $4,700. Stolen credit card numbers, on the other hand, might be sold for a few bucks or even less.

Medical data is valued because it enables medical identity theft, which can be carried out in different ways. Criminals might use the stolen information to order prescription drugs. They might also use it to file fraudulent Medicare claims. The victims of medical identity theft can be left on the hook for costs as they try to sort out what happened.

According to the Federal Trade Commission, medical identity theft appears to be on the rise in the United States.

How Data Gets Into the Wrong Hands

Data can fall into the wrong hands in two main ways:
  • An outsider hacks the system and steals the data.
  • Employees, vendors, and partners expose the data.
To prevent third-party hacks, it’s important to maintain strong cybersecurity. To prevent employees, vendors, and partners from exposing data, it’s crucial to develop strong policies and to provide good training.

Beware of Internal Threats

Employee training is particularly important for the healthcare industry. According to the Verizon report, 56% of healthcare data breaches stem from internal threats. Healthcare is the only industry in which internal data breach sources outnumber external data breach sources.

In some cases, employees may accidentally cause breaches when they send emails to the wrong person or misplace flash drives, smart phones and laptops containing personal information. In other cases, employees may snoop on healthcare information. For example, NBC reports that a former UCLA School of Medicine employee snooped on celebrity healthcare records after he was dismissed, which led to HIPAA violations and prison time.  

Internal mistakes can also be the result of unclear policies and protocols. Employees need to know how to protect data when sharing it with other providers and vendors. Likewise, if HIPAA Privacy Rules aren’t followed closely, healthcare organizations can run into problems when they share data for research purposes. Data collected by modern wearable devices may also lead to privacy concerns.

Final Note

Never forget that your data is a hot commodity for criminals. If you suffer a breach and patient data is sold on the black market, it will create a financial nightmare for your patients and create reputational and financial challenges for your organization.

Being on guard against external cybersecurity threats is not enough. Healthcare organizations must be vigilant about their internal policies and procedures. They should also carry robust cyber insurance. Boards must provide oversight to ensure this this crucial exposure gets the attention it deserves.

If you have professional medical liability insurance with Coverys, we provide you with the most prominent “cyber” coverages as well as data breach risk management information. Learn more here.