eDiscovery Daily Blog

Big Money for Stolen Health Records: eDiscovery Trends

Last month, we discussed how the number of data breaches was up in 2014, but the number of records breached was down. Of course, this year already got off to a rocky start when health insurance provider Anthem announced in early February that it had suffered what appears to be the largest breach ever in the health insurance industry, affecting about 80 million people. It turns out that those hacked health records are worth a lot on the black market.

In Fox Rothschild’s HIPAA, HITECH & HIT blog article Hacked Health Records Prized for their Black Market Value (that I found via Rob Robinson’s ever valuable Complex Discovery site), author William Maruca notes that health records combined with financial data can be considerably more valuable than financial data alone.

Consider these sources:

As the Pittsburgh Post-Gazette reported, “The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.

Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company, as reported by Reuters last year (before the Anthem breach). Jackson obtained the data by monitoring underground exchanges where hackers sell the information.

According to an FBI bulletin from last April (again, before the Anthem breach), cyber criminals are selling the information on the black market at a rate of $50 for each partial electronic health record (EHR), compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

With so much at stake, it’s no wonder that the healthcare industry had more breaches in 2014 (333) than any other industry, and that the potential cost for breaches in the healthcare industry is estimated to be as much as $5.6 billion annually. With numbers like these, expect data security and data privacy to continue to be hot topics within the legal technology community.

So, what do you think? Have you personally had your data stolen? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.