The relative value of health records and financial data can vary greatly according to different sources. As the Pittsburgh Post-Gazette reported today,
“The value of personal financial and health records is two or three times [the value of financial information alone], because there’s so many more opportunities for fraud,” said David Dimond, chief technology officer of EMC Healthcare, a Massachusetts-based technology provider. Combine a Social Security number, birth date and some health history, and a thief can open credit accounts plus bill insurers or the government for fictitious medical care, he noted.
Reuters reports that medical information is worth 10 times more than credit card numbers on the black market.
Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. He obtained the data by monitoring underground exchanges where hackers sell the information.
Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.
Criminals can monetize stolen health data in other creative ways. For example, some healthcare providers and their business associates have been victimized by so-called “ransomware,” which infects computers and encrypts files, then demands payment (often in untraceable Bitcoin) to unlock them. See the FBI’s January 20, 2015 alert entitled Ransomware on the Rise.
Willie Sutton was famously quoted as selecting banks for his robberies because “that’s where the money is.” Today’s healthcare scammers and hackers may be following his lead by focusing their efforts on the asset most valuable to illicit purchasers.