Skip to main content

Why Are Healthcare Breaches on the Rise? (Part 1)

August 28, 2014

The recent announcement of a security breach of millions of healthcare records has raised yet another alarm in the security world. Is healthcare going to be the new target (no pun intended) for major breaches? 

The notorious bank robber Willie Sutton was once asked, “Why do you rob banks?” He replied, “Because that is where the money is!” The “Willie Sutton” of today doesn’t carry a gun; he carries a keyboard.  Criminal attacks on healthcare have increased more than 100 percent since 2010.* Why is that? Simple… that is where the money is!  Recent healthcare regulations have contributed to the visibility of breaches, similar to the impact of breach notification laws on personally identifiable information (PII).


In 2009 the HITECH Act provided billions of dollars in financial incentives to encourage companies to adopt electronic healthcare records (EHR) technology. Tougher breach notification requirements were tied to the act, and in 2013 the Omnibus Rule provided additional definition. The disclosure standard changed from “harm” to a “risk” view, included business associates and defined “willful neglect.” The combination of these federal regulations has brought more awareness to healthcare breaches and greater opportunities for breaches to occur.

The Affordable Care Act is converting all the healthcare records to EHR. In the past, to gain access to my healthcare records you needed to break in to my doctor’s office and rummage through the vast number of patient files to find my file. Then you needed the best translation experts in the world to break the encryption of my doctor’s handwriting. That has all changed with EHR. Now, from the comfort of the couch, an attacker anywhere in the world can hack into a system to gain access to an electronic healthcare record.

More than 50 percent of reported breaches in the past year are related to healthcare. Most healthcare entities and business associates are still focused on becoming compliant with the regulations. What has become very evident in the financial world is that “compliant” does not mean “secure.” Healthcare organizations do not have the same experiences as the financial sector of being subject to organized crime and cybercriminal attacks. In healthcare, the investments have been focused on patient care, not on securing the information (don’t take me wrong – I am all for quality care).

Financial Gain

We normally think of credit card information in relation to the black market and financial gain. Would it surprise you to know that you can buy a credit card for $1 on the black market? What is more surprising is that a stolen healthcare identity will provide you a 50x return!** The value for the cybercriminal is not just in the return on the investment; the value of a healthcare record lasts longer. A stolen credit card number can be cancelled in minutes, but you can never undo a healthcare record breach. If my credit card is stolen I can simply replace the card. If my health information is stolen it cannot be retrieved or cancelled. An EHR contains enough information to build a full identity including personal information, medical history, prescriptions, financial records, personal contacts and diagnoses information. The high value of health information makes it attractive to attackers, and looking forward we can expect this industry to be a major target.

This isn’t a case of finding out who is taking Prozac for kicks. Identity theft for healthcare records is a lucrative business and can have dire consequences for the patient. If a patient’s medical record is changed, it can result in very dangerous and possibly life threatening consequences for emergency care if the patient is given the wrong blood type or has unknown allergies.

Healthcare information can be sold on the black market and used to fill prescriptions or make false medical claims to obtain free medical care. For instance, the cost of OxyContin is more than $40 per pill on the black market. Using a falsified health insurance card, an individual can receive expensive medical prescriptions or procedures without paying. Of course someone has to pay for it. That’s typically the health insurance company, but the additional cost is passed on to each of us through higher insurance rates.

In my next post I will explore why securing the records can be challenging, and what needs to be done to protect patients’ information.

* Fourth Annual Benchmark Study on Patient Privacy & Data Security Ponemon  Institute© Research Report, Publication Date: March 2014

** EMC Report on Cybercrime and Healthcare industry

Related Blogs

August 29, 2014

Why Are Healthcare Breaches on the Rise? (Part 2)

In my last blog post, I discussed how the visibility of electronic healthcare records (EHR), and the lucrative financial gain attackers can realize by...

See Details

February 15, 2018

Security Simplified

It's no secret that data breaches are an ugly reality for businesses today, and despite ever increasing investments, organizations seem unable to stem...

See Details

January 12, 2018

Regarding Spectre and Meltdown

On January 3, 2018, the Graz University of Technology released their papers on identified vulnerabilities dubbed “Meltdown” and “Spectre” via the webs...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

November 09, 2017

Third-Party Breaches Will Continue Until Morale Improves

I have some bad news for you: breaches at third parties are not going to stop – not any time soon. Various studies show that somewhere between one-thi...

See Details

January 24, 2014

Trends in Credit Card Data Breaches and Why You Should Be Concerned

As FishNet Security's Incident Management team handled credit card data breaches, PFIs and other response engagements in 2013, they observed a rise in...

See Details

February 19, 2010

Mitigate Risk, Prevent Attacks | Optiv

Yesterday, the Wall Street Journal published an article by Siobhan Gorman about hackers in Europe and China who successfully broke into computers at 2...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.