Stolen medical data on the cheap after waves of healthcare hacks

Buyers and sellers on the digital underground are trading healthcare records databases for as much as $200,000, according to a report from Intel Security. And that's at a discount. 

Data breaches at healthcare companies, hospitals, and insurance providers sometimes result in the sale of stolen data online. Anthem health insurance announced last year that nearly 80 million people were affected by the hack on their systems.

Gus Ruelas/Reuters

October 26, 2016

Cybercriminals are selling databases of stolen medical records at a discount perhaps due to a glut of pilfered patient information available on underground web markets, according to a report from Intel Security. 

While the report, released Wednesday, underscores the demand for stolen medical records, it also shows how easy it is for criminals to obtain hacked patient information. Medical records, after all, provide digital thieves with a roadmap for stealing someone's identity by including a range of sensitive information that's impossible to change, such as their family medical history.

The research should also serve as a warning for medical providers to better secure patient data and defend their systems against cyberattacks, say experts.

"As a patient, if I trust you with my medical care, I also need to trust you to protect that information," said Raj Samani, chief technology officer at Intel Security. "You have to trust other people at a certain point but at a certain point we do need to ask, 'What are you doing with my data? ' "

On one underground market called the Real Deal, for instance, buyers can purchase information about individuals' insurance companies, Social Security Numbers, and other information for between $14 and $25 per record. A June 2016 report from Dell SecureWorks indicated that individual patient records, known as "fullz" in the underground markets, went for between $15 and $65. 

One database of healthcare records stolen from an unknown provider in Atlanta, Ga., purportedly included information on 397,000 patients for 300 bitcoin (about $200,000). The Intel researchers also found databases that claimed to offer records on 210,000 patients from Oklahoma City, Okla,. and 48,000 patients from Farmington, Mo., for 85 bitcoin ($55,000) and 30 bitcoin ($20,000), respectively.

The databases appear to be the same ones uncovered by Deep Dot Web in June, and their authenticity could not be immediately verified. If the databases are indeed the same, they can be purchased now for a lower rate than in the summer. In June, the Farmington records were priced at 151 bitcoin, the Georgia records at 608 bitcoin, and a database of 210,000 records from a provider in the "Central/Midwest United States," likely Oklahoma, was available for 304 bitcoin.

One way to keep criminals from getting access to sensitive medical records is to strengthen authentication systems that protect medical records, said Michael Kaiser, chief executive of the National Cybersecurity Alliance.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

"The focus on credentials and access to these records needs to be on top of everybody's mind," said Mr. Kaiser. "Organizations need to ask themselves, 'What does it take to access these records from the outside?' Better credentials protect those networks better."

Other experts say the government needs to step in to compel healthcare companies to take more steps to safeguard patient data. 

"I don't think this is going to slow down until the government puts some sort of measures in place, particularly on the federal side," said Dodi Glenn, vice president of cybersecurity at the security scanning company PC Pitstop, who suggested a security version of the Health Insurance Portability and Accountability Act, better known as HIPAA, which aims to protect patients' medical confidentiality.

"I don't think I'll see anything like that in my lifetime," he said. "But if there was another magic bullet, we would have used it already."