Why Are Medical Records So Valuable to Data Thieves?

When you think of a data breach, what’s the first thing that springs to mind? Credit card information being compromised? Other financial data falling into the wrong hands? While protecting confidential data related to finances is crucially important, it’s actually health data and medical records that are at the most risk of being breached.

Between 2014 and 2016, 43% of all UK data breaches were suffered by healthcare organisations. This is more than any other industry.¹ These breaches comprised both internal errors and theft.

More recently, as detailed in the ICO’s 2018/19 Data Security Incident Trends report, data breaches were again amongst the highest in the health sector, with the industry suffering 15% of all breaches nationwide.² While this percentage is a lot lower than the 43% in 2014-2016, it is worth noting that data breach levels have been increasing with growing severity in the last couple of years. In fact, the United Kingdom remains the most breached country in Europe.³

This trend is not solely confined to UK data breaches, either. In 2015, a US-based health insurance company had the personal information of 78.8 million current and former customers stolen. Information stolen included names, addresses, Social Security numbers, employment histories, and dates of birth. In other words, everything a hacker needs to commit identity fraud. Costing the company over $115 million, this is said to be one of the largest data breaches in healthcare history.⁴

Why are health sector data breaches so high?

To understand why health data and medical records are considered so valuable by hackers, we have to get into the mind of the data thief.

Firstly, medical records provide an opportunity for crimes with more longevity than, for example, credit card information. Fraud committed using stolen bank cards is likely to be detected very quickly. This is due to intricate artificial intelligence within fraud detection systems. In most cases, card fraud is prevented. If not, banks almost always refund any unlawfully taken money to the victims. With few fraud detection systems in place in the medical sector, it is often a laborious investigative process to detect any breaches. As a result, leaks and misuses of healthcare data can often take months, or even years, to detect.

Secondly, there is a lot a thief can do with a full medical record. Medical records typically include a patient’s name, date of birth, address, preferred GP, medical history, employment history, and prescription information. In the wrong hands, this data can be used to create false identities, commit health insurance fraud and illegally obtain prescription drugs or medical equipment.

Thieves also don’t need to process this information themselves. Stolen patient information can be sold to other criminals for vast sums of money. A single, full medical record can sell for around £15.21 ($20) on the Dark Web. Additionally, if the data can be used to fabricate passports, prescriptions and other documents, those documents can be sold on for up to £1520 ($2000) each.⁵

To put that into perspective, credit card information including CVV number and bank details would typically sell for around just £11.41 ($15) online.⁶ In the mind of the hacker, it’s more economical to attempt the theft of high quantities of healthcare data than it is to steal bank account data.


The importance of protecting this information.

It is absolutely imperative to take measures to prevent breaches of healthcare information. First and foremost, this data is extremely personal to the victims. Imagine if your own medical history were on display for the world to see and misuse. While this may seem unlikely, in January 2019 it was announced that the HIV-positive status of 14,200 people who either lived in or visited Singapore had been leaked online. Such information being publicised could drastically change somebody’s life. Most worryingly, such a crime could happen to any of us.

So, what can be done to avoid these breaches?

Luckily, there are many preventative methods that can be taken to avoid a data breach in the workplace, as you can see in another of our articles here.

A large part of compliance and data breach prevention is knowing when to destroy data. Here at Shred Station, we can help with this. We work with all types of health and social care organisations and medical bodies. This includes hospitals, hospices, local health trusts, doctors’ and GP surgeries, private clinics, dental practices, pharmacies, care home providers and domiciliary care organisations. Not only do we shred paper documents, but we can also destroy everything from clothing and uniforms to ID cards, X-rays, photographic prints, CCTV tapes, digital media, electronic equipment, hard drives, and data storage devices.

If you want to know more about how we can assist you, get in touch with one of our data destruction experts today.


To read the full articles cited in this post, please visit the below links:

¹ – https://www.egress.com/en-US/news/ico-data-march-2017

² – https://ico.org.uk/action-weve-taken/data-security-incident-trends/

³ – https://gdpr.report/news/2018/10/09/data-breaches-compromised-4-5-billion-records-in-first-half-of-2018/

⁴ – https://www.modernhealthcare.com/article/20181016/NEWS/181019927

⁵ – https://www.databreachtoday.com/interviews/research-reveals-hacked-patient-records-are-so-valuable-i-3341

⁶ – https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/

