This article is part of the Handling Secrets series. In this first part, Valuing Secrets, we describe how to rate the likelihood of theft for common types of secrets. In the second, Protecting Secrets, we describe the easiest ways to prevent their theft.
About ten years ago, there was a lot of hand-wringing about the privacy of medical records: people told stories of an employer seeing their cancer diagnosis and deciding to terminate them for “unrelated reasons.” Health information is deeply personal: the diseases, mental health issues, and the drugs you take for them are details we share with almost nobody. A callous invasion of that privacy by data brokers seemed to be a real risk.
Many countries have since passed laws protecting people’s personal information, including their medical records. Many apply substantial fines for their loss.
Most medical data breaches are incidental—they happen because an attacker got access to the medical records on their way to something more valuable, usually ransoming a hospital or medical practice.
Medical records do get stolen, but why has always been unclear. Early on, pundits joked that unethical drug companies or researchers were buying them to feed into secret Big Data models for nefarious purposes. Now, it seems identity fraud is the only known use.
Questionable claims
The internet is full of reports about the black-market value of a medical record. A security publication priced them at $50 in 2012, and another said $363 in 2015. Many cite an article in December 2017 by Experian that claims up to $1000 per record. Someone on Forbes also cited “up to $1000” earlier that year. Another security company quoted $250 per record in 2021.
These conclusions are unreliable at best and pure fiction at worst. Neither source claiming $1000 explained how it arrived at that number. The 2012 and 2015 numbers cite studies by the Ponemon Institute, a reputable security research company known for its statistical rigor. Unfortunately, the cited studies do not contain that number, or even discuss a black-market rate for medical records at all. The 2021 figure has a similar problem: it cites a Trustwave report that doesn’t mention their claim.
How hard could it be?
Finding the cost of black-market data is a solved problem: you sneak into a black-market exchange and watch what is for sale. When the data you want pops up, you write down the price. You keep watching and get a few more prices, then average them together. Easy.
While I do not have personal expertise in this process, it has been well documented.
I have not been able to find any reports of anyone doing this activity or the numbers they found. All we have are some misquoted or invented numbers found in marketing copy.
How could someone profit?
The credible research has identified two ways to monetize medical records:
Standard Identity theft: In addition to all the creepy drug details and X-ray results, medical records often contain all the information needed to take out a credit card in that person’s name.
Medical Identity Fraud: If you need medical products or services, you could submit the stolen record’s insurance and name in place of your own. If you skip out on the bill, the provider would send collections after the other person instead of you.
The first is cheap: such details are available almost everywhere, and the industry no longer tries to keep them secret—there are much better ways to prevent identity theft.
The second is real, but you cannot make a living out of free medical services. Criminals cannot automate the scam or hide behind anonymity: most medical services don’t work unless you show up in person. Even medical products are hard: in-demand products like opiates cannot be sold over the internet without substantial identity verification, and any purchase over the internet requires payment up-front.
All that is left is the boring stuff. Is the margin on reselling walkers, CPAPs, and antidepressants bought with someone else’s discount worth the risk of jail?
What data is there?
A set of Ponemon studies from 2010 to 2016 backs this narrative; I summarize two here. First, in 2011, 2014, and 2015, they interviewed victims of medical identity fraud. Of these, 25 percent were fraud only from the perspective of the insurance company: the “defrauded” lent their medical identity to a friend or family member to use. Another 25 percent were legitimately defrauded by a friend or family member, and 14 percent said their identity theft was from someone at their doctor’s office. This leaves at most 36 percent of medical identity theft to career criminals.
In the second study, in 2015 and 2016 they interviewed companies that provided services to medical practices. Of the instances of medical identity fraud these companies were aware of, the majority were from an employee action: 20 percent out of malice or personal gain, 20 percent from a mistake, and 33 percent from “intentional non-malicious action” (yeah, I’m not sure what that means either). Not a lot of focused criminal activity.
Real information about the criminal use of stolen medical records runs out after these studies. Some businesses probably wish that medical data was scarier, but none have funded further public research to verify.
While we cannot say for certain, it seems that there is little criminal interest in buying medical records, and any claims you see about their cost are probably wrong.
How valuable are these secrets?
See here for a review of how these factors contribute to the overall chance that someone will steal them.
Unknown. Maybe a couple bucks?
Unknown. Probably not many.
Most damage comes from regulatory costs if records are lost and you are found negligent, and the penalties vary widely by geography. These can include fines, notification of affected people, remedial fixes, annual audits, and even jail time. Some examples:
The EU and China can apply substantial penalties, with the biggest for deliberate negligence. Many other countries are enacting parallel approaches to the EU.
While the US has a medical records law called HIPAA, enforcement has been spotty and has resulted in only token fines.
To learn more about the regulatory consequences of noncompliance, consult a local privacy attorney.
Reputational damage is possible, depending on your geography and customer expectations. In the US, providers that have lost medical records have rarely suffered.
Next Steps
Depending on where you do business, lost medical records may cost you, but there is little evidence that anyone wants them.
Even if it is not valuable to crime rings, health data is easy to protect. We can help.