EMR data is more valuable in the black hat hacker market than identities.
Part of our Forensics practice at Evidence Solutions, Inc. includes Electronic Medical Record (EMR) / Electronic Health Record (EHR) forensics. We take special interest in finding out about hacking events that affect Electronic Medical Record (EMR) Systems. Here is some information that we think you will find interesting:
The Value of Electronic Medical Records to Hackers
In April of 2012, Utah’s Department of Technology Services (DTS) and Utah’s Department of Health (UDOH) announced that over 280,000 EMRs from their Medicaid and Children’s Health Insurance Plan were stolen by hackers allegedly operating from Eastern Europe. The number of records stolen increased to an estimated total of 780,000 by the end of April 2012.
In December of 2013, hackers are estimated to have accessed data on a software development server in Vermont 15 times before being noticed. The server was owned by the Vermont Health Connect (VHC), the state's health insurance exchange arm of the Affordable Care Act. The attack was tracked back to a Romanian IP Address. The hacker attack went undetected for approximately one month. Fortunately, the system that was hacked only contained test data, there was no “real” data on the server.
In May of 2014, the State of Montana's Department of Public Health and Human Services (DPHHS) announced a hack that impacted up to 1.3 million individuals. The hack, which is also believed to have originated in Eastern Europe, attacked Montana’s DPHHS roughly 17,000 times an hour until the system was successfully breached.
Between April and June 2014, Community Health Systems (CHS) based in Franklin Tennessee was compromised and an estimated 4.5 million patient Electronic Health Records (EHR) were accessed. In this case, the hack was believed to be based out of China. CHS operates 206 hospitals in 29 states and is currently doing further investigations regarding the attack.
This list is by no means the entire list of EMR Systems which have been attacked. The trend to hit large targets, however, appears to be growing. Health care leaders need to be more diligent than they have been in terms of security. While external attacks are becoming more common, other threats include lost laptops and unauthorized access to records. The health care industry needs to defend against sophisticated cybercriminals who seek critical medical data to commit fraud or turn a profit.
While the value of stolen credit cards, Social Security Numbers, Identities and Electronic Medical Records vary, several sources we found indicate the following “sales prices”:
Social Security Numbers: from $0.25 to $3.00 each
Credit Card Numbers: from $2.00 to $9.00 each
Identities: From $5.00 to $10.00 each
Electronic Medical Records: From $100.00 to $1000.00 each
So why are medical records so valuable? Not only do medical records contain Personally Identifiable Information (PII) such as name, address and social security number, they also contain eligibility information and health insurance identification numbers which could allow someone to receive free medical care, including surgery.
Finally, children’s records are particularly valuable to cybercriminals because their lack of a credit report and bank account makes it difficult to monitor them for identity theft. It is possible for their identity to be exploited for years before it is uncovered. According to a report published by AllClear ID, the percentage of identity theft doubled between 2011 and 2012 data for children 5 and under. The company says: “10.7% of the children scanned from our data were victims of identity theft. This is 35 times greater than the rate of identity theft seen in adults in the same population.”
There is no doubt some of these children’s identities were obtained from EMR Systems and were used to steal children’s identities.
