Trend Micro’s conducted a study to learn more about “how stolen medical records are monetized after a breach, what types of data are stolen, how much they are sold for on the underground markets, and how cybercriminals make use of them” and use “Shodan scan data which reveals what healthcare-related devices and networks are connected to the internet and are visible to everyone, including cybercriminals.” The February 21, 2017 report entitled “Cybercrime and Other Threats Faced by the Healthcare Industry” explained why EHR is better for cybercriminals than stealing credit cards which “can only use the stolen credit cards before the card expires, is maxed out or cancelled”:
…an EHR database containing PII that do not expire—such as Social Security numbers—can be used multiple times for malicious intent. Stolen EHR can be used to acquire prescription drugs, receive medical care, falsify insurance claims, file fraudulent tax returns, open credit accounts, obtain official government-issued documents such as passports, driver’s licenses, and even create new identities.
A DarkingReading article about the Trend Micro Report entitled “Stolen Health Record Databases Sell For $500,000 In The Deep Web” included these observations:
Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.
Unfortunately this cyber vulnerability is not news, which the healthcare community is well aware.