Why cybercriminals target healthcare data

In 2015, one in three Americans was a victim of a healthcare data breach, a figure attributed to a series of large-scale attacks that each affected more than 10 million individuals.

The findings of the Bitglass 2016 Healthcare Breach Report come from analyzing data on the United States Department of Health and Human Services’ “Wall of Shame,” a database of breach disclosures required as part of HIPAA.

Breach types

“The 80 percent increase in data breach hacks in 2015 makes it clear that hackers are targeting healthcare with large-scale attacks affecting one in three Americans,” said Nat Kausik, CEO, Bitglass. “As the IoT revolution compounds the problem with real-time patient data, healthcare organizations must embrace innovative data security technologies to meet security and compliance requirements.”

Among the most significant findings of the report was that in 2015, 98 percent of record leaks were due to large-scale breaches targeting the healthcare industry. These high-profile attacks were the largest source of healthcare data loss and indicate that cyber attackers are increasingly targeting medical data. Such breaches include the widely publicized Premera Blue Cross hack, involving 11 million customers, and the Anthem hack, which resulted in 78.8 million leaked customer records.

Why healthcare data?

Protected health information (PHI), which includes sensitive information such as Social Security numbers, medical record data, and date of birth, has incredible value on the black market. A recent Ponemon Institute report on the cost of breaches found the average cost per lost or stolen record to be $154. That number skyrockets to $363 on average for healthcare organizations.

When credit card breaches occur, issuers can simply terminate all transactions, and individuals benefit from laws that limit their liability. However, victims have little recourse when subjected to identity theft via PHI leaks, and many are not promptly informed that their data has been compromised.

While criminals often leverage healthcare data for identity theft, they can also use it to access medical care in the victim’s name or to conduct corporate extortion.