Why Are Medical Records So Valuable to Data Thieves?

When you think of a data breach, what’s the first thing that springs to mind? The theft of credit card information? Other financial data falling into the wrong hands? While protecting confidential financial data is very important, it’s actually health data and medical records at the highest risk of a breach.

Between 2014 and 2016, 43% of all UK data breaches were suffered by healthcare organisations. This is more than any other industry¹. The causes of these breaches were mostly due to internal errors. However, another common cause was theft.

More recently, as detailed in the ICO’s 2018/19 Data Security Incident Trends report, data breaches were again amongst the highest in the health sector, with the industry suffering 15% of all breaches nationwide². While this is much lower than the 43% in 2014-2016, it is worth noting that data breach levels have been increasing with growing severity in the last couple of years. In fact, the United Kingdom remains the most breached country in Europe³.

This trend goes beyond the UK too. In 2015, a US-based health insurance company had the personal information of 78.8 million current and former customers stolen. Information stolen included names, addresses, Social Security numbers, employment histories, and dates of birth. In other words, everything a hacker needs to commit identity fraud. This was one of the largest data breaches in healthcare history, costing the company over $115 million⁴.

Why are health sector data breaches so high?

To understand why health data and medical records are so valuable to hackers, we must get into the thieves’ minds.

Firstly, medical records provide an opportunity for crimes with more longevity than, for example, credit card information. Acts of fraud using stolen bank cards are likely to be detected very quickly. This is due to intricate artificial intelligence within fraud detection systems. In most attempts, card fraud is unsuccessful. If they are successful, banks almost always refund any money taken unlawfully. With few fraud detection systems in place in the medical sector, it is often a laborious investigative process to detect any breaches. As a result, leaks and misuse of healthcare data can often take months, or even years, to detect.

Secondly, there is a lot a thief can do with a full medical record. Medical records typically include a patient’s name, date of birth, address, preferred GP, medical history, employment history, and prescription information. Thieves can use this data to create false identities, commit health insurance fraud and illegally obtain prescription drugs or medical equipment.

Thieves also don’t even need to process this information themselves. They can sell stolen patient information to other criminals for vast sums of money. A single, full medical record can sell for around £15.21 ($20) on the Dark Web. Additionally, if thieves use the data to create fake passports, prescriptions and other documents, they can sell for up to £1520 ($2000) each⁵.

To put that into perspective, credit card information including CVV number and bank details would typically sell for around just £11.41 ($15) online⁶. In the mind of the hacker, it’s more economic to attempt the theft of high quantities of healthcare data than it is to steal bank account data.

Image of person in doctor's overcoat with blue gloves, holding two handfulls of prescription medication

The importance of protecting this information.

It is absolutely imperative to take measures to prevent breaches of healthcare information. First and foremost, this data is extremely personal to the victims. Imagine if your own medical history was on display for the world to see and misuse. While this may seem unlikely, in January 2019 it became known that the HIV-positive status of 14,200 people who either lived in or visited Singapore had been leaked online. Such information becoming public could be life-changing. Most worryingly, such a crime could happen to any of us.

So, what can we all do to avoid these breaches?

Luckily, there are many preventative methods that can be taken to avoid a data breach in the workplace, as you can see in another of our articles here.

A large part of compliance and data breach prevention is knowing when to destroy data. Here at Shred Station, we can help with this. We work with all types of health and social care organisations and medical bodies. This includes hospitals, hospices, local health trusts, Doctors and GP’s surgeries, private clinics, dental practices, pharmacies, care home providers and care organisations. Not only do we shred paper documents, but we can also destroy everything from clothing and uniforms to ID cards, X-rays, photographic prints, CCTV tapes, digital media, electronic equipment, hard drives, and data storage devices.

If you want to know more about how we can assist you, get in touch with one of our data destruction experts today.

Image of Shred Station operative moving a bin of confidential waste onto an eco-friendly mobile shredding vehicle

To read the full articles cited in this post, please visit the below links:

¹ – https://www.theregister.com/2017/06/01/data_breach_analysis/

² – https://ico.org.uk/action-weve-taken/data-security-incident-trends/

³ – https://internetofbusiness.com/cybersecurity-uk-most-breached-in-europe/

⁴ – https://www.modernhealthcare.com/article/20181016/NEWS/181019927/anthem-to-pay-16m-in-record-data-breach-settlement

⁵ – https://www.databreachtoday.com/interviews/research-reveals-hacked-patient-records-are-so-valuable-i-3341

⁶ – https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/

Sign up for our newsletter here to be alerted about brand new blog articles, data protection advice, and news about Shred Station.