Home > Identity Theft > For Ransom: Your Medical Records

Comments 1 Comment

It started out as a data breach like many others. The hackers penetrated the computer network of a small medical practice in a wealthy suburb of northern Illinois, The Surgeons of Lake County, and broke into a server containing email and electronic medical records. But instead of sneaking out undetected and selling the stolen data on the black market, they took a novel tack — encrypting the data and posting a message demanding a ransom payment in exchange for the password.

The move from fraud to extortion in cases of data compromise is frightening for several reasons. First, it suggests that the criminals knew exactly what they were doing, and that they deliberately targeted digital medical records as part of a well articulated strategy — an approach that we can expect to see employed more frequently as the digitization of records and broadening of access become the norm in the health care industry. Secondly, this M.O. implies a tremendous confidence in the criminals’ power to disrupt — and a calculation that the illicit ROI from blackmail would exceed the price that the data would command on the black market.

All of this is ultimately made possible by the digitization of medical records and the placement of those records on networks — often unprotected ones. It gets you thinking…

Would you post your medical records to your Facebook profile? Share a CAT scan via Instagram? Discuss your prescription history with your network on LinkedIn? Not likely. Even if every single one of your Facebook “friends” really is a friend, the idea of such personal information falling into the hands of strangers is damn hard to stomach — especially if those strangers happen to be criminals looking to make a quick killing and you are the roadkill.

But what if the server where that information is living belongs, not to Facebook or LinkedIn, but to a health information exchange — a computer network designed to put your medical information and that of millions of other patients within easy reach of medical professionals throughout our nation’s health care network?

The truth is that it may be there already, whether you know it or not. There are at least 255 health information exchanges across the United States so far, including 17 each in New York and Texas, 12 in Florida, and 10 each in California and Michigan, and that number is increasing at a steady clip. Their growth has been spurred partly by federal grants awarded to incentivize medical professionals to actively participate and promote the ongoing makeover of the health care system, and partly by the obvious efficiencies inherent in such a centralized and frictionless approach.

In a perfect world, this would not be a problem — and could be a solution. There are tremendous benefits to be derived from having a patient’s medical data available to practitioners throughout the health care network — from GPs and pharmacists to surgeons, radiologists, lab technicians, and emergency response teams. To have current, accurate, and reliable data about a patient’s medical history just a click away — whether the issue is urgent or routine — will save money, time, and, of greatest import, lives.

If you doubt that last assertion, consider this: it has been estimated that a million and a half people are hospitalized annually in the United States due to adverse reactions to mis-prescribed and overprescribed medications, and some 100,000 die each year from adverse reactions to mis-prescribed drugs. How many of those deaths and hospitalizations might have been avoided by having an accurate patient record close at hand? When you reflect upon the full range of medical errors that take place each year due to missing or inaccurate patient data — from unnecessary surgeries to under-the-radar cancers — the value is clear.

Then again, in a perfect world, a shopkeeper could stock the shelves, post the prices, and leave for the day — secure in the knowledge that people are honest and will pay for whatever they take.

This is not a perfect world. And that is why some people find health information exchanges so scary.

Unfortunately, not everyone follows the core precept of medical ethics first stated by Galen: “First, do no harm.” Indeed, our society has learned the hard way that where there’s a weakness, there’s a weasel waiting to exploit it. And a database brimming with sensitive data is exploitation waiting to happen.

We all know that digitized health records have long been a target for identity thieves, and the list of major data breaches involving hospitals and other health care facilities is a long one. In fact, as Bloomberg reported recently, medical providers suffer more breaches than any other type of organization, with an astonishing 690 data breaches involving 23 million records since 2005. One recent glaring example is the University of Texas MD Anderson Cancer Center in Houston, which has had three data breaches involving patient information because of a lost thumb drive and a couple of stolen laptops.

The Surgeons of Lake County scenario is frightening, in part, because it can be (and has been) applied far beyond the world of medical records — in the private sector, certainly, but also in government. Imagine a wave of database kidnappings-by-encryption targeting not just health information exchanges and other medical practices, but banks, insurance companies, government agencies, even military facilities. Clearly, such a scenario must be avoided — even if that requires significant changes in the way we store, transmit, use, and protect sensitive digital information.

Even within the realm of health care, however, we are seeing the early signs of a potential catastrophe — one that will be difficult to avoid precisely because the case for digitizing and centralizing medical information is so strong at every other level. The digitization of medical records may make a whole lot of folks queasy, but it is also smart and efficient, offering a huge opportunity to save both money and lives. It is, in fact, inevitable. Unfortunately, so are data breaches, and the identity compromises that will follow.

We need to be deadly serious here because we’re not talking just money anymore. Lives are literally at stake. Up to now, the federal government has taken a hands-off posture with respect to the workings of health information exchanges, leaving it up to the states to determine how patients’ data will be treated — and whether they will even be told that their information is being shared, or given the choice of opting out. Even when patients are brought into the loop, they must balance the privacy advantages of opting out against the medical risks of being outside the system — and thus losing the advantages of more rapid, more accurate diagnosis and treatment.

No patient should have to make such a life-or-death choice. As our society moves toward digitization and sharing of a wide range of extremely sensitive data, it is essential that we find approaches to information security that rest on a solid foundation — that are capable of enabling technological and social advances while protecting both the privacy of individuals and the security of our institutions. Wishful thinking won’t cut it. Neither will complacency. If digital information is the bedrock on which our society now rests, we have some serious work to do. If we don’t do it, there’s a shaky, scary future ahead.

So far all we think we know about the Lake County incident is that no ransom was paid, the server has been shut off, the police are involved, the patients have been notified and credit monitoring has been offered to those who face exposure in one form or another. We don’t know if the hackers made copies of the files before they encrypted them and have already sold them on the black market, if the server was backed up and/or if the data was destroyed. Anyone clever enough to pull this off is smart enough not to begin using the data for a while anyway. We don’t know if other businesses in the area were hacked as well.

What we do know is that this isn’t the first hacking/ransom incident, nor will it be the last.

I support digitization provided the prime directive is security and not simply convenience. I, for one, do not feel a whole lot of comfort walking into my doctors’ offices and seeing a wall of open filing cabinets filled with patient files ripe for the plucking by an opportunistic passerby, an unscrupulous employee or unwelcome nighttime visitor. Do you?

This post originally appeared on Identity Theft 911 Blog.

This article is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company.

Image: @alviseni, via Flickr

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

  • Genevieve

    While security of electronic health records is important, it is also important to note that the vast majority of the roughly 200 HIEs in the country do not store protected health information on a server. They are a federated model or a hybrid model, but very few have a centralized architecture that stores patient records, for exactly this reason.

Certain credit cards and other financial products mentioned in this and other sponsored content on Credit.com are Partners with Credit.com. Credit.com receives compensation if our users apply for and ultimately sign up for any financial products or cards offered.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team