What Happens When My Medical Records Are Stolen?

As cybercriminals are increasingly targeting healthcare institutions, stolen and exposed medical records may leave patients vulnerable to scams and even result in identity theft.

Some 66% of healthcare organizations were hit by ransomware last year, up from 34% in 2020, according to a recent survey by Sophos, a UK-based software and hardware company. Another report concluded that cyberattacks against healthcare facilities had been increasing "at alarming rates."

Jonathan Lee, a public sector relations director at Sophos, says that attacks against healthcare institutions are financially motivated because patient data is confidential and can therefore be effectively monetized.

While hackers seek financial gain, they also may put patients' lives at risk, some studies suggest.

What happens to stolen medical records?

Lee says that cybercriminals often carry out double extortion attacks by encrypting data in the organization's network and demanding ransom, as well as publishing patients' data on the dark web. For example, when Ireland's Health Service Executive (HSE) was hit by a cyber attack last May, the data of 520 patients was leaked online.

"It's all about the power of personally identifiable data and what cybercriminals can do with it, which is to try to force people to pay," Lee told Healthnews.

Leaked patients' information can be obtained and used by scammers. When the data of 9.7 million customers of Medibank, one of the largest Australian private health insurance providers, was stolen, the company refused to pay the ransom.

Following the refusal, hackers released customers' health claims data, names, addresses, birthdates, and government ID numbers. They even exposed a file of pregnancy terminations.

Former Australian tennis champion Todd Woodbridge said he also became a victim of this data breach, as scammers were calling him and demanding that he pay bills from the hospital where he had previously stayed.

Eric Dodds, a head of product marketing at RudderStack, an open-source customer data platform, says that healthcare data loss is extremely serious because hackers can use this sensitive information to instigate an emotional response.

"Say you are waiting for a diagnosis, and you receive an email alluding to this, it could create catastrophic consequences for somebody who is already likely in emotional distress," he said in the company's blog post.

According to Experian, a data analytics and consumer credit reporting company, having your medical data stolen may result in identity theft.

The company explains that when someone obtains your personal and health insurance information, they can get a medical procedure or test in your name, use the information to buy prescription drugs and medical equipment, or make fraudulent insurance claims.

"These can lead to the costly and time-consuming task of proving you were the victim of fraud and fixing your financial, credit, health, and possibly criminal records," the company writes in its blog.

How valuable is patients' data?

In 2017, Experian estimated that complete medical records of a person could cost up to $1,000 on the dark web.

Asked if the price remains the same, Sophos' Lee told Healthnews he could not put an exact figure on it, but the information is still very valuable. He says that previous Sophos research revealed that many people might not be fully aware that exposed patient data is "not just an inconvenience."

And attacks against Ireland's HSE or Australia's Medibank are only a few examples of cyber criminals accessing millions of sensitive data records.

To date, the biggest medical data breach hit the insurance company Anthem Inc., now recognized as Elevance Health, according to the recent RudderStack analysis. During the intrusion in 2015, which affected 78.8 million people, hackers obtained Social Security numbers and Anthem health ID numbers, among other sensitive data.

In August, Pennsylvania-based healthcare service provider Keystone Health experienced a data breach in which the patients' information was exposed. Some files contained patient information, including names, Social Security numbers, and clinical information.

Is damage only financial?

While cybercriminals are financially motivated, their attacks, intentionally or not, may have detrimental effects on patients' health. A study from 2020 describes healthcare data as "more sensitive than other types of data" because breaching it may lead to faulty treatment, resulting in "fatal and irreversible losses to patients."

A 2019 study from Cornell University suggests that hospital mortality rates increase following the breaches.

An analysis revealed that the 2017 WannaCry attacks against England's National Health Service (NHS) resulted in 1,100 fewer emergency department (ED) admissions and 2,200 fewer elective admissions in the infected hospitals. Moreover, 13,500 appointments were canceled due to the attack. The financial impact of the attack amounted to $7.09 million.

What should I do if my data is exposed?

Lee says that organizations that hold patients' data have a duty to protect it.

"It's about stopping themselves from being breached in the first place and not thinking that it is inevitable that data will be lost," he told Healthnews.

But if you find yourself a victim of data loss, Lee recommends changing passwords on your accounts, not using the same password on different sites, and avoiding easily guessable passwords, such as your mother's maiden name. Recent research reveals that people often use medical terms in their passwords, making them easy to guess.

"Use multifactor authentication, which allows you to have another, non-password-related way to get into your account," he said.

According to Lee, you can be proactive about protecting your data as a patient or citizen. Still, organizations must ensure that their clients do not find themselves in a position where their data is leaked.

"The owners of health data must be judicious in both their collection and protection of sensitive information. Financial and personal consequences could be catastrophic should it fall into the wrong hands," RudderStack's Dodds said.

