By Caroline Humer and Jim Finkle
NEW YORK/BOSTON Sept 24 - Your medical information is worth 10 times more than your credit card number on the black market.
Last month, the FBI warned healthcare providers to guard against cyber attacks after one of the largest U.S. hospital operators, Community Health Systems Inc, said Chinese hackers had broken into its computer network and stolen the personal information of 4.5 million patients.
Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry, which has many companies still reliant on aging computer systems that do not use the latest security features.
"As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit," said Dave Kennedy, an expert on healthcare security and CEO of TrustedSEC LLC. "Hospitals have low security, so it's relatively easy for these hackers to get a large amount of personal data for medical fraud."
Interviews with nearly a dozen healthcare executives, cybersecurity investigators and fraud experts provide a detailed account of the underground market for stolen patient data.
The data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information. Fraudsters use this data to create fake IDs to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file made-up claims with insurers, according to experts who have investigated cyber attacks on healthcare organizations.
Medical identity theft is often not immediately identified by a patient or their provider, giving criminals years to milk such credentials. That makes medical data more valuable than credit cards, which tend to be quickly canceled by banks once fraud is detected.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
ATTACKS ON THE RISE
The percentage of healthcare organizations that have reported a criminal cyber attack has risen to 40 percent in 2013 from 20 percent in 2009, according to an annual survey by the Ponemon Institute, a think tank on data protection policy.
Founder Larry Ponemon, who is privy to details of attacks on healthcare firms that have not been made public, said he has seen an increase this year in both the number of cyber attacks and the number of records stolen in those breaches.
Fueling that increase is a shift to electronic medical records by a majority of U.S. healthcare providers.
Marc Probst, chief information officer of Intermountain Healthcare in Salt Lake City, said his hospital system fends off thousands of attempts to penetrate its network each week. So far it is not aware of a successful attack.
"The only reason to buy that data is so they can fraudulently bill," Probst said.
Healthcare providers and insurers must publicly disclose data breaches affecting more than 500 people, but there are no laws requiring criminal prosecution. As a result, the total cost of cyber attacks on the healthcare system is difficult to pin down. Insurance industry experts say those costs are one of many expenses ultimately passed on to Americans as part of rising health insurance premiums.
Consumers sometimes discover their credentials have been stolen only after fraudsters use their personal medical ID to impersonate them and obtain health services. When the unpaid bills are sent on to debt collectors, they track down the fraud victims and seek payment.
Ponemon cited a case last year in which one patient learned that his records at a major hospital chain were compromised after he started receiving bills related to a heart procedure he had not undergone. The man's credentials were also used to buy a mobility scooter and several pieces of medical equipment, racking up tens of thousands of dollars in total fraud.
MEDICARE FRAUD
The government's efforts to combat Medicare fraud have focused on traditional types of scams that involve provider billing and overbilling. Fraud involving the Medicare program for seniors and the disabled totaled more than $6 billion in the last two years, according to a database maintained by the Medical Identity Fraud Alliance.
"Healthcare providers and hospitals are just some of the easiest networks to break into," said Jeff Horne, vice president at cybersecurity firm Accuvant, which is majority-owned by private equity firm Blackstone Group.
"When I've looked at hospitals, and when I've talked to other people inside of a breach, they are using very old legacy systems - Windows systems that are 10-plus years old that have not seen a patch."
KPMG partner Michael Ebert said security has been an afterthought for many medical providers - whether it is building encryption into software used to create electronic patient records or in setting budgets.
"Are you going to put money into a brand new MRI machine or laser surgery, or are you going to put money into a new firewall?" he said.
(Additional reporting by Susan Kelly in Chicago; Editing by Michele Gershberg and Tiffany Wu)