For John Kuhn, a routine visit to a hospital in Michigan turned into a $20,000 bill for surgery that he never actually received.
Kuhn, who works as a senior threat researcher at IBM, later learned from the hospital that staff had lost a hard drive filled with patient data, including his own record. Kuhn eventually had to prove to the hospital that it was a case of identity theft by pulling up his shirt to show that he didn't have any post-surgical scars.
Kuhn's case might seem like a nightmare, but he's far from alone. More than 113 million medical records were hacked in 2015 alone, according to data compiled by the Health and Human Services. A newly released report from the Institute for Critical Infrastructure Technology, a cybersecurity think tank, found that some 47% of Americans have had their medical record hacked in the past 12 months. As cardiologist and author Eric Topol points out, the majority of patients haven't ever accessed their medical record before that happens.
But why are medical records now such a hot commodity for hackers and thieves?
Late last week, IBM's security team took me on a supervised tour of the dark web, which is used by those who want to better hide their identity through Tor and other encryption tools. Many journalists, researchers, and activists leverage the dark web to mask their identity, or that of their sources. But the dark web or darknet also houses illicit erotica, weapons, and more. It was also the former home of Silk Road, an online black market for illegal drugs.
On the dark web, medical records draw a far higher price than credit cards. Hackers are well aware that it's simple enough to cancel a credit card, but to change a social security number is no easy feat. Banks have taken some major steps to crack down on identity theft. But hospitals, which have only transitioned en masse from paper-based to digital systems in the past decade, have far fewer security protections in place.
On the dark web, complete medical records typically contain an individual's name, birthdate, social security number, and medical information. These records can sell for as much as (the bitcoin equivalent) of $60 apiece, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3. During the tour, we spotted one hacker who claimed to have a treasure trove of just shy of 1 million full health records up for grabs.
As IBM's Kuhn explained in a follow-up interview, these medical records can be leveraged for a wide variety of nefarious purposes. In some cases, it's about stealing a person's identity and billing them for a surgery or a prescription, and in others it's about opening a new line of credit. Security researcher Avi Rubin told Fast Company in an recent interview that he suspects hacked medical records are often routinely used for blackmail and extortion.
Moreover, important information on the patient's medical record will often be deleted, like an allergy to penicillin, or new entries added. In some cases, it's intentional. But it's more often a by-product of the theft. For this reason, the World Privacy Forum issued a lengthy report that calls it "the crime that can kill you."
When the World Privacy Forum's report was published in 2006, the authors called for deeper research into the consequences of medical identity theft or the problem would only get worse. This proved to be highly prescient. In less than a decade, hackers targeted health insurance giant Anthem and made vulnerable the names, social security numbers, and birthdates of over 78 million people.
Health systems still have a long way to go to ward off hackers and protect patients. In many cases, it's been challenging for security experts to convince doctors and other health practitioners to change their workflow. For instance, many doctors are reluctant to use dual-factor authentication, according to Rubin, as it might slow down the process of treating a critical patient.
In the meantime, security experts say that patients can take steps to make it that little bit more challenging for hackers to access their information. Avoid filling out a medical form with sensitive personal information and emailing it to a doctor or clinic, advises Adam Levin, chairman and founder of IDT911, an identity protection company. In cases where that information is faxed, ensure that a medical professional or administrator is standing by to receive it. Another tip from Levin is to ask whether it's truly necessary to hand over a social security number, rather than to take it for granted.
"Ultimately though, hospitals need to do a better job with security," adds Levin. "This is a real crisis in America, and medical identity theft is a potentially life-threatening crime, not to mention the inherent value of medical files."