In today’s digital world, hackers have exploited the newest technologies to steal protected health information (PHI) from hospitals and other healthcare facilities. These malicious actors will go to great lengths, such as bundling malware with legitimate downloads to gain unauthorized access. As the number of breach incidents in hospitals increases, one can’t help but wonder why PHI is valuable to hackers.
This article will discuss why a patient’s protected health information is valuable to hacks, along with its risks and implications.
Table of Contents
Understanding the Value of PHI To Hackers
The HIPAA Privacy Rule defines protected health information or PHI as any data within an individual’s medical record that can identify them as a patient. It contains valuable information such as names, addresses, biometrics, ID numbers, and health insurance details. It also includes information about a patient’s laboratory tests, diagnoses, and treatment.
For hackers, patient records containing PHI are of great value, for they can be used to commit malicious activities such as identity theft and medical fraud. Hackers may also use PHI to extort money from healthcare facilities. Take what happened to Peachtree Orthopedics, for example. The Georgia-based orthopedic center recently fell victim to an extortion case wherein an unauthorized third-party gained access to the institution’s PHI.
So, if you’re wondering why PHI is valuable to hackers, here are three probable reasons:
1. Higher selling price
Unlike other forms of information, hackers can sell PHI at a higher selling price. According to an article posted in Imprivata, a healthcare record’s selling value could go as high as $250 per record when sold on the black market. That’s approximately 46.30 times pricier than a payment card’s price, which currently sells for around $5.
2. Long shelf life
When stolen, PHI can be stored for an extended period, unlike other forms of information. For instance, hackers prefer to steal a person’s protected health information than his credit card since the latter is easier to cancel the card or call the bank for assistance. However, with PHI, individuals are often unaware of their medical records being compromised or stolen. If not for a breach notice from a hospital or any healthcare facility, then it’s unlikely for them to know that they have already fallen victim to a data breach.
3. Multiple uses for data
PHI is extremely valuable for hackers because they can use the data in different ways. They can use it to make false medical claims, buy prescriptions, or receive treatment. These can pose real threats and risks to patients who are actual owners of the compromised medical information.
Implications of PHI Breaches: Financial, Legal, and Reputational Consequences
Knowing why PHI is valuable to hackers is one thing, but it’s also important to be aware of the consequences pertaining to PHI breaches. It is also worth noting that anyone can be criminally liable if they intentionally misuse or obtain PHI. Criminal penalties and jail time will depend on the severity of the case.
Wrongful disclosure of PHI
If the individual did not know that they violated a rule or showed a lack of knowledge about their violation, they could end up paying a $50,000 to $250,000 monetary penalty or one year in prison.
Wrongful disclosure of PHI under false pretenses
If a person or entity discloses the PHI without permission or consent, they can face up to five years of prison and a $100,000 fine.
Wrongful disclosure of PHI under false pretenses with malicious intent
Hacking incidents fall under the most severe HIPAA violation. Anyone who unlawfully obtains PHI to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm can face ten years of prison time and up to a $250,000 fine.
Factors Driving the Demand for PHI on the Dark Web
There are multiple factors that drive hackers to steal PHI and sell them on the dark web. Getting money from their victims is one of the primary reasons why hackers target PHI.
Here are some of the factors that drive hackers to steal and sell protected health information on the dark web:
Extortion
Cybercriminals demand ransom money from individuals or medical providers in exchange for restoring access to critical health data or preventing the release of sensitive medical information to the media.
Medical Fraud
Hackers obtain healthcare services for free using another individual’s valid health insurance card. They may also use the stolen health information to buy drugs (e.g., prescription medicines) or medical equipment and sell those to make a profit.
Identity theft
Those who steal PHI from others may use the personal information obtained to create fake IDs. They may also use a valid Social Security number to open lines of credit and use it for their own gains.
Data laundering
Cybercriminals sell stolen data from medical records to businesses or repackage insurance claims data. They aim to make illegal data look like legitimate information as if it were obtained legally.
Safeguarding PHI: Best Practices for Healthcare Organizations
To prevent hackers from stealing valuable patient information, make sure to implement the following best practices for HIPAA compliance:
1. Conduct regular assessments and reviews
Implement frequent evaluations of your current privacy and security policies related to data encryption, risk analysis, access controls, and more. Identify gaps in your data privacy protocols and improve them according to HIPAA compliance regulations. Document these findings as well as the action plans you took to resolve the privacy risks within your electronic health records and systems.
2. Train your employees regularly on HIPAA standards
Conduct employee training on the HIPAA standards and policies during onboarding and annually. With proper HIPAA training, your organization can promote awareness and emphasize the importance of maintaining PHI integrity. You can also educate your employees on the proper handling of digital and physical. In this regard, employees need to recognize malicious activities to prevent data breaches and unauthorized PHI access.
3. Implement technical and physical safeguards
Always enable end-to-end encryption when sending attachments or faxing patient records with PHI. It also helps to implement multi-factor authentication and change your passcodes regularly. Monitoring who can access PHI should include those outside your organization or digital database. Implementing additional security safeguards like installing security cameras and following the HIPAA double lock rule is also crucial.
