A deeper dive into healthcare hacking and medical record fraud
The number of patient medical record breaches reported due to hacking or unauthorized access events has been climbing over the past years.
There are several factors that could help explain this continued growth.
1. Healthcare hacking is getting easier
Digital transformation in healthcare is moving forward but security is lagging behind. Hospital systems with outdated, unpatched devices are connected to the Internet, increasing their likelihood of getting infected with malware. Infected medical devices allow hackers to exploit vulnerabilities and gain access to hospital systems. Once they find a foothold, hackers can offer “hacking-as-a-service” to fraudsters who are interested in exploiting healthcare systems but lack the technical hacking skills.
2. Cyber-attacks are becoming more advanced
Cybercrime organizations operate like any other technology company and they are continuously developing more advanced hacking tools. In their research, the TrapX Security Labs division described medical devices in hospitals that were found to be infected with an advanced attack flow that they call MEDJACK (medical hijack), that creates a pivot point for hackers to access hospital systems. They reported that attackers had used sophisticated attack techniques that could enable extraction of sensitive patient information without getting detected.
3. Medical records are more valuable for fraudsters
Stolen medical records tend to have a higher value on the black market than stolen credit card information. Cynerio’s researchers follow dark web activity related to hacking of medical devices using Sixgill’s dark web monitoring technology. Here is an example of a vendor charging double the price for personal information when it includes medical ID.
What do fraudsters do with stolen medical records?
One of the most common forms of fraud is credit card or banking fraud where the medical records are used in combination with other personal information to make fraudulent transactions. But the more interesting frauds are those related to health-insurance and taxes. This is also where information specific to medical records comes in handy. In this case the fraudster would need as much background information on the victims as possible, and medical records usually include rich background information. Our research team recently found a vendor selling kids’ social security numbers and dates of birth (known on the dark web as “fullz”), that were hacked from pediatrician’s databases. The same vendor has just released a new batch of children’s “fullz”. The proximity of this new batch to the previous one is a good indicator that this is a strong demand for fresh information stolen from medical databases.
One of the reasons fraudsters are interested in social security numbers belonging to children and teens could be that these are individuals that have a perfect credit records giving the fraudsters a better chance of successfully applying for credit or loans using this fake ID. Another reason that they are interested in kids’ information could be related to tax fraud. The vendor below mentions that “TAX fraudsters knows the benefits of having childs in the tax records when filing”.
Besides financial fraud, criminals also use stolen medical information for illegally acquiring medical supplies and services. One of the dark web vendors our researchers found explains to potential customers how they can use the medical ID that he or she is selling to get prescribed drugs delivered to them, to order medication, and even to book a doctor’s appointment for a check-up.
Another strange and troubling phenomenon on the dark web is hackers selling medical records of people who have passed away. Cynerio’s research team recently found a post from a vendor on the dark web offering a huge amount of medical records. In this post, the vendor mentions that 60,000 of the records include the death date.
It may come as a surprise to think that fraudsters would be interested in purchasing medical records of patients that are already deceased, but there is a reason for this. A victim who finds out their personal information was used fraudulently will immediately report the incident. But if the person whose identity is used for the fraud is deceased, it may not go noticed for a very long time.
Healthcare organizations that collect, store and transfer medical records should be aware of the growing demand for stolen medical records and of the advances in the threat landscape. It is increasingly important to educate employees about cybersecurity and to develop advanced defenses, especially for older, more vulnerable medical systems.