Data Breach – MIFA
http://medidfraud.org
Dedicated to helping our members better protect the public from medical identity theft
Tue, 02 Aug 2016 17:31:53 +0000

3 Stolen Health Databases Reportedly for Sale on Dark Web
http://medidfraud.org/3-stolen-health-databases-reportedly-for-sale-on-dark-web/
Mon, 27 Jun 2016 21:05:18 +0000

Hacker Takes Credit for Theft of Data on 655,000 Patients

A hacker is reportedly selling on the dark web copies of databases stolen from three unidentified U.S. healthcare organizations containing data on 655,000 individuals for prices ranging from about $96,000 to $386,000 in bitcoin for each database.

The hacker taking credit, who calls himself “thedarkoverlord,” is operating on the TheRealDeal dark web marketplace and is offering to sell “a unique one-off copy of each of the three databases,” according to dark net news reporting website DeepDotWeb.

Media website The Daily Dot, which says it examined TheRealDeal listings for the three databases, reports that among the data being sold are patients’ names, dates of birth, addresses, phone numbers and Social Security numbers.

Extortion Attempt
DeepDotWeb reports that the self-proclaimed hacker, over an encrypted Jabber conversation, told the news site he used “an exploit in how companies use RDP [Remote Desktop Protocol]. So it is a very particular bug. The conditions have to be very precise for it.”

The hacker is selling each of the databases for prices ranging from 151 to 607 bitcoins, according to DeepDotWeb. The news site says the hacker provided it with images of the hacked databases, with all the identifiable information redacted “so the target company can remain anonymous for now.”

The hacker also left a note on the dark web that appears to indicate that the attacker attempted to extort payments from the healthcare entities before putting the data up for sale on the dark web, according to DeepDotWeb.

Records for Sale
The sale of health information on the dark web is commonplace, research organizations and law enforcement agencies have confirmed in numerous reports, notes Mac McMillan, CEO of the security consultancy CynergisTek.

Not Just Hacker Breaches
But it’s not only breaches involving hacker attacks that can result in health data being sold on the dark web, warns Ann Patterson, senior vice president and program director of the non-profit coalition Medical Identity Fraud Alliance.

“While MIFA doesn’t delve into the dark web, we don’t take for granted that lost data, whether through malicious hacking or inadvertent loss such as a lost laptop, is immune to being sold on the dark web. Such cases are not surprising, since those who work in this area understand that selling protected health information is lucrative – it’s one of the drivers why this type of crime is growing.”


June 27, 2016 By Marianne Kolbasuk McGee, HealthcareInformationSecurity

Springfield hospital records breach largest in Ohio
http://medidfraud.org/springfield-hospital-records-breach-largest-in-ohio/
Sun, 06 Mar 2016 14:49:13 +0000

One security expert estimates that one in three Americans had their personal health information exposed in 2015, a year that saw four of the five largest health network breaches in history.

The largest health care privacy breach in Ohio occurred in Springfield late last year when a contractor working for Community Mercy Health Partners inadvertently disposed of more than 113,000 medical records in a public recycling bin.

A 2009 law was supposed to strengthen government oversight of health care providers, but at least one of its key provisions hasn’t been implemented and the U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) was called out by its Inspector General last year for not being proactive enough.

Since then, health care providers have reported more than 1,400 large breaches that involved more than 500 individuals, affecting more than 155 million people. The office has also investigated more than 125,000 smaller breaches and complaints.

Many in the industry point out that big data and health care have only been synonymous for about the past five years, meaning the systems and enforcement are still growing and maturing.

“Having a wealth of cyber data is recent for health care,” said Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance.

Hospitals haven’t been out front in terms of innovating to protect against fraud like banks were several decades ago, experts said, but it’s a much more complex industry.

In most cases, especially those involving hacking, organizations don’t have a willful disregard of the law. OCR looks to see that all efforts have been made to follow procedures and correct errors.

Some patients affected by local breaches said they were left with more questions than answers. “A letter’s not going to save my kids from identity theft,” Lisa Cornelison said.

Medical identity fraud can be particularly harmful, Patterson said.

Patients can find that someone who accessed their insurance information has maxed out their coverage limits for the year. A victim’s medical information can become co-mingled with the thief’s as well, such as wrong blood types or allergies listed.

“Over 20 percent of medical identity theft victims experience some form of negative health outcome,” Patterson said.


February 4, 2016 By Katie Wedell, Springfield News-Sun

Experian Data Breach Resolution releases its third annual Data Breach Industry Forecast
http://medidfraud.org/experian-third-annual-data-breach-industry-forecast/
Mon, 30 Nov 2015 13:52:23 +0000

Global cyberconflicts, more hacktivism and disruptions during the presidential campaign are some possible issues on the horizon in 2016.

As the data breach landscape continues to evolve, companies must try to stay ahead of the curve and be prepared to respond to any type of security incident. To provide a snapshot of what could take place in 2016, Experian Data Breach Resolution has released its third annual Data Breach Industry Forecast white paper.

The white paper outlines five key predictions. While some current issues remain relevant, there are a few emerging areas that organizations should watch out for to be better prepared.

“We saw different types of breaches this year, and one of the major mistakes companies often make is taking a one-size-fits-all approach. Unfortunately, the reality is that no data breach is the same, and a wide variety of unique circumstances need to be considered in a data breach response plan,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “It is challenging to keep up so we are releasing this white paper to provide organizations with insight that will help them better strategize their incident response.”

What’s to come in 2016? Here are a few of the topics the white paper addresses:

  • Consumers and businesses will be collateral damage in cyberconflicts among countries
  • Hacktivism will make a comeback
  • 2016 U.S. presidential candidates and campaigns will be attractive hacking targets


November 30, 2015 By PRNewswire

Getting Ready For HIPAA Audits In 2016 – Are you Ready?
http://medidfraud.org/getting-ready-for-hipaa-audits-in-2016-are-you-ready/
Mon, 23 Nov 2015 17:46:11 +0000

HIPAA audits are coming, and a lot of unprepared providers are going to be caught with their pants down.

The audit mandate, an extension of the HITECH Act, means that any provider subject to HIPAA standards is also subject to a potential audit of their privacy, security, and breach notification statuses. If you’re interested in viewing the audit protocol, it’s available here, but we’ve put together this article to help inform and prepare you around some essential audit points:

  • What your HIPAA program should look like today
  • What’s coming down the HIPAA pipeline in 2016
  • OIG’s take on the current HIPAA environment
  • Advice on how to prepare for Phase 2 HIPAA Audits

Why Audits Matter
Of course, all responsible providers are looking to stay on top of HIPAA requirements to avoid trouble when going through an audit, but as threats to patient information grow, government compliance will likely be the least of your worries.

A recent study that tracks and measures observable software security practices across 12 core areas recently included healthcare in its industry list. Healthcare came out on bottom, falling short on all 12 core areas measured. This might not be quite as alarming if the industry weren’t struggling with a multi-billion dollar threat that’s so serious, millions are impacted by just one breach and even Congress is considering getting involved.

On top of that, patients are beginning to understand exactly how big a deal their own informational security is. The Ponemon Institute released its fifth annual study on medical identity theft earlier this year (with the support of Kaiser Permanente and The Medical Identity Fraud Alliance), and its findings reveal a patient population that is willing to make major healthcare decisions based on security risk.


November 23, 2015 By Megan Williams, referralMD

Why Medical Identity Theft Is On The Rise
http://medidfraud.org/why-medical-identity-theft-is-on-the-rise/
Thu, 19 Nov 2015 14:35:42 +0000

Health insurance plans are indispensable. They allow us to get the care we need for less. However, in the data breach era we now live in, they also make us vulnerable to ID theft.

Earlier in 2015, nearly 92 million records were exposed when three Blue Cross Blue Shield insurance plans became the victims of security breaches, becoming just another part of an ongoing trend. According to the Identity Theft Resource Center, health care organizations comprised 42 percent of security breach victims in 2014 and have accounted for a higher percentage of hacks than any other business sector in the past three years.

Forbes Magazine also reported that 91 percent of healthcare organizations have experienced a data breach in the last two years, explaining that because medical records contain not only a person’s medical history but also even more sensitive information such as Social Security Numbers, access to them is highly valuable. Thieves can also fraudulently obtain medical services from the compromised data. According to a study on the privacy and security of health care data, while most attacks on health care organizations were typically due to an employee losing a device or having it stolen from them, most security breaches now happen because of criminal attacks.

“Organizations in the healthcare industry, like hospitals, as well as their business associates, the organizations that help them manage and protect their data, are under cyber attack,” Rick Kam, president and co-founder of ID Experts, which sponsored the study, told Forbes.

While health insurance companies must work to strengthen their security measures, there are a few things that a consumer can do to increase vigilance and prevent further damage due to medical identity theft.


November 18, 2015 By Identity Guard Resource Center, a MIFA Member Company

Infographic: Timeline of data breaches, security regs in healthcare
http://medidfraud.org/infographic-timeline-of-data-breaches-security-regs-in-healthcare/
Fri, 13 Nov 2015 13:56:48 +0000

With the recent explosion of data breaches in the healthcare sector, it helps to take a look back at where we came from and how we got here.

According to data Accenture collected from the U.S. Department of Health and Human Services, nearly 1.6 million people had their medication information stolen from healthcare providers last year.

An informative infographic prepared by DataMotion Health, a provider of secure communications for the healthcare industry, estimates that a whopping 136 million healthcare records have been breached since 2005.


November 12, 2015 By Fred Donovan, FierceITSecurity

The Growing Trend of Medical Identity Theft
http://medidfraud.org/the-growing-trend-of-medical-identity-theft/
Fri, 13 Nov 2015 13:38:02 +0000

According to Experian, 42% of the major security/privacy breaches in 2014 related to healthcare organizations.

In early 2015, three Blue Cross Blue Shield insurance plans suffered major security breaches which exposed close to 92 million consumer records.

Patient medical identity theft is one outcome of these types of breaches. This occurs when an impostor bills your health plan for false or inflated claims, or when medical personnel obtain prescription drugs associated with your medical identity. These fraudulent healthcare claims are typically unnoticed until a victim seeks similar legitimate medical care and their claims are denied.

Additionally, the integrity of the victim’s medical record is at risk. An incorrect medical record can potentially have serious health consequences for the victim.

There are several reasons why medical identity theft is a growing trend.

  • Experts estimate that a medical record is now worth ten times (or more) as much as stolen credit card or Social Security number information.
  • The required digitization of health information by the Affordable Care Act has made records more easily accessible to attackers because the healthcare sector has less sophisticated data protection methods.
  • Attackers are targeting healthcare data because of the amount of personal data stored within a health record. As defined by the HIPAA Privacy Rule, a health record contains 18 identifiers that constitute personally identifiable information (PII).

It is important to note that medical identity theft is not the only ramification of a medical record breach. This type of breach can affect the entire identity of the victim by causing considerable, and potentially long-term, damage.

A victim of medical identity theft may experience issues with their credit; health coverage can be lost when false claims max out the policy limits; and health premiums may increase due to the false claims charged against the policy.


November 12, 2015 By Margaret Rutter Foltz, In Homeland Security

Medical Identity Theft: A Big Deal or Much Ado about Nothing?
http://medidfraud.org/medical-identity-theft-a-big-deal-or-much-ado-about-nothing/
Fri, 04 Sep 2015 12:52:07 +0000

This is part 1 of a 4-part series on medical identity theft.

With all of the healthcare data breaches this year, medical identity theft has become a major concern. This is the first in a series of in-depth articles by MIFA Founding Member ID Experts on this potentially life-threatening crime.

The number of Americans whose healthcare information has been disclosed in data breaches — 140,000,000 in the past few years, nearly half of all Americans — is enough to make anyone feel slightly ill. Yet only a percentage have fallen victim to actual medical identity theft, 2.3 million adult patients in 2014, according to the latest Ponemon Institute study on this topic.

So this poses an important question: Is medical identity theft that big of a deal?

According to a recent New York Times article, aptly named “Stolen Consumer Data Is a Smaller Problem Than It Seems,” the answer is no — at least for identity theft in general. While the author admits to the horrors of identity theft, he says “consumers are almost never on the hook for financial losses in these sorts of episodes, which, by the way, have also been on the decline.”

In fact, he writes, “This relatively sanguine picture of the impact of data breaches is an example of a threat that looks worse than it turns out to be. The sheer size of hackings shocks and startles when the attacks are first reported, but it’s rare that journalists check on the actual consequences.”

The picture is not so sanguine for victims of medical identity theft. The number of victims has nearly doubled in five years, according to Ponemon, and the health consequences of this crime will never be cured with credit monitoring, the traditional SOP of comfort offered to victims. And privacy laws, which in some cases appear to protect the thief more than the patient, can cause the problem to drag on for years.

A recent Wall Street Journal article highlights the havoc medical identity theft can have on its victims:

  • A man with Down syndrome was billed for a leg-injury treatment that he never received. In addition, his health record was contaminated with the thief’s medical information, including a drug allergy he didn’t have.
  • An undocumented immigrant used somebody else’s name to get a liver transplant.
  • A retired Florida woman with two feet was billed for an amputated foot.
  • A man was unable to fill his legitimate prescriptions because his medical benefits had been “looted.”


Read part 2: Medical Identity Theft: How Healthcare Data Breaches Turn Patients into Victims

September 3, 2015 by ID Experts

Medical Identity Theft Is ‘Off the Charts’
http://medidfraud.org/medical-identity-theft-is-off-the-charts/
Thu, 03 Sep 2015 14:50:25 +0000

CareFirst, Inc. is facing a proposed class-action lawsuit over the data breach it disclosed in May, with one current member and one former member leading the charge in the complaint filed Aug. 6 with the U.S. District Court of Maryland.

While the Maryland-based Blues plan operator maintains that no Social Security numbers were compromised, one of the plaintiffs’ lawyers contends identities already have been stolen as a result of the cyberattack, and another industry observer says the number of medical identity theft cases he has seen in the past six months alone is “nuts.”

Medical Identity Protection Is New Frontier
The CareFirst complaint specifically mentions the possibility of medical identity theft, or the misuse of protected health information to submit fraudulent health insurance claims. According to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft, released in February, medical identity theft increased 21% in 2014 compared with 2013. Victims each ponied up an average of $13,500 over an average of 200 hours to resolve the problem, although only 10% said they had reached a satisfactory conclusion.

Rick Kam, president and cofounder of ID Experts, which offers MIDAS, the Medical Identity Alert System, says the number of medical identity theft cases he has seen in the past six months has skyrocketed, citing the Blues breaches along with recent exposures at UCLA Health System and the Office of Personnel Management.

“If you think about those particular incidents, all of them included health insurance information or some form of sensitive health information,” Kam tells The AIS Report. “So not only through MIDAS, but more specifically through the services we provide to our breach clients, we’ve seen a huge spike in medical identity theft, financial identity theft and tax return identity fraud just in the last six months. It’s just off the charts. It’s just nuts.”

Many cases of medical identity theft don’t come from data breaches, but rather are perpetrated by the person’s friend or family member. Ann Patterson, senior vice president and program director at the Medical Identity Fraud Alliance — of which CareFirst is a founding member — says providers are better equipped to halt identity theft than insurers, because they can employ techniques including fingerprint scans and photo verification to ensure a person’s identity immediately upon arrival.

Insurance companies also are under pressure to pay claims quickly, which prevents their special investigations units from vetting each incoming bill. Additionally, insurers have to comply with the medical loss ratio (MLR) provision of the Affordable Care Act, which somewhat limits their ability to invest in new technology.

“Fraud reduction activities are in the restricted buckets,” Patterson says, referring to expenses such as administrative, marketing and salaries that are allowed only a 20% allocation of insurers’ premium revenues. An insurance exec might say, “‘Oh, there’s this cool software’ — they can buy and deploy that, but any money a health plan company spends to do those new technologies, that’s going to count against them in MLR.”


September 2, 2015 by Atlantic Information Services, Inc.

Be proactive, not reactive, in protecting healthcare data
http://medidfraud.org/be-proactive-not-reactive-in-protecting-healthcare-data/
Tue, 01 Sep 2015 12:46:50 +0000

This form of identity theft is extremely costly to the victim as well as the company that gets hacked.

Identity theft is a major concern for all companies that collect customer data, but potential consequences of data breaches in the healthcare industry can be especially dire, going beyond the theft of identities and financial information that occurs in other types of database invasions.

Aside from the typical repercussions of exposing addresses, Social Security numbers and personal data, medical identity theft can create a dangerous health risk if a thief hijacks a victim’s insurance to receive treatment, mixing and confusing medical records.

This form of identity theft is extremely costly to the victim as well as the company that gets hacked. Unlike credit card identity theft, where a victim’s liability is limited to $50, medical identity theft costs victims $13,500 on average, according to a July 2015 USA Today article.

Healthcare data breaches represented 42.5 percent of all breaches over the last three years, the article said, with 91 percent of healthcare organizations reporting at least one data breach in the last two years.

Medical identity theft has become a costly and potentially dangerous side effect of digitizing health data, but healthcare companies may not be equipped or prepared to protect the information.

Best practices for protecting data are not always easy for healthcare companies to follow, as they are usually not IT experts. According to Mayo Clinic Chief Information Security Officer Jim Nelms, healthcare information is more vulnerable than financial information because the industry is often 10-15 years behind in its IT practices.


August 31, 2015 by Daniel Rice, Healthcare Finance News
