

March 1, 2019

What hackers actually do with your stolen medical records

Daily Briefing


    Each year, hackers steal thousands of medical records from hospitals and health organizations, and many of those records eventually end up being sold on the darknet for thousands of dollars. Here's what buyers are doing with these stolen records and how it affects the victims.

    Why hackers love medical records

    Last year, HHS' Office of Inspector General investigated nearly 400 reports of medical data breaches. Cybersecurity firm Protenus tracked just 222 health care data hackings in 2018—and said that figure was up 25% since 2017. 

    Gary Cantrell, head of investigations at the HHS Office of Inspector General, said hackers tend to steal medical records because they are like "a treasure trove of all this information about you." They contain a patient's full name, address history, financial information, and Social Security number, which is enough information for hackers to take out a loan or set up a line of credit under a patient's name, according to Computerworld.

    Hackers also home in on medical records because hospitals and health care organizations are often easy to hack, Reuters reports. "Hospitals have low security," according to cybersecurity expert Dave Kennedy, "so it's relatively easy for these hackers to get a large amount of personal data for medical fraud."

    How hackers sell medical records on the darknet

    But once hackers get their hands on a medical file, what do they actually do with it?

    It depends, according to Cantrell. "Sometimes they're compromising this data and we don't know how it's being used, when or if it will be used to compromise those individuals' identities," he said.

    But increasingly, hackers are selling the information for profit on the black market. According to Reuters, buyers might use the information to create fake IDs to purchase medical equipment or drugs, or to file a false insurance claim.

    It took cybersecurity expert Gary Miliefsky only seconds to find stolen health records online. According to CBS News, one individual was selling children's health records stolen from a pediatrician between 2000 and 2014 under the name "USA KIDS FULLZ."

    And the records can carry hefty price tags, CBS News reports. According to Experian, a patient's full medical records can sell for up to $1,000. By comparison, Social Security numbers and credit card information usually sell for $1 and up to $110, respectively.

    In some cases, hackers go to extreme lengths to get money for the records as quickly as possible, Computerworld reports. One hacker, who went by "thedarkeroverlord," was selling 655,000 medical records stolen from three health care organizations for almost $700,000 on the darknet. But after the case gained notoriety, the hacker tried instead to ransom the unsold records back to the health care organizations.

    What happens to the patients

    And what happens to patients whose identities are stolen? According to Brandon Reagin, a victim of medical record theft, it's a "mess."

    Reagin's identity was stolen in 2004. The person who accessed Reagin's personal information used it to steal cars and rack up $20,000 worth of medical procedures.

    Reagin said he was able to get the charges scrubbed from his credit report, "until the next billing cycle." Then the process would start all over again. "It was quite a tumultuous decade of a mess," he said.

    The person who stole Reagin's identity served time in prison. But 15 years later, Reagin said he still hasn't been able to undo all of the damage—including to the integrity of his own medical files.

    "That hospital may still have his information, his blood type under my name at that hospital," Reagin said. "It's a little weird to think" (CBS News, 2/14; Humer/Finkle, Reuters, 9/24/14; Yao, Forbes, 4/14/17; Storm, Computerworld, 6/27/16).

    Advisory Board's take


    Allyson Vicars, Consultant, Health Care IT Advisor

    The fact that health care hackings are becoming more common is quite concerning and reinforces the urgent need for health care organizations to continue maturing and expanding their cybersecurity programs. As an industry, we have made strides in the past couple of years improving our technological stance and security processes, but as the figures and stories cited in this story show, the cyber threats we face are growing in sophistication and magnitude and becoming more difficult to combat.


    While hacks of providers only account for around 21% of total breached records in the health care industry, these breaches and related incidents can have devastating consequences for health care organizations. Not only is the immediate clean-up expensive to address, but class action lawsuits are now commonplace following a breach. And certain incidents, like ransomware, can halt clinical activity for hours and even days, which can continue to reverberate long after the attack. As a result, every health care organization needs to have a strong strategy in place to mitigate cyber risk.

    You can’t eliminate cyber risk completely. Rather, the most progressive organizations have a well-funded and widely-supported security program that matches their specific organizational culture and operational needs and ultimately is aimed at mitigating risk down to an acceptable level (as set by the board of directors). And this isn't just about having the best technology. A strong cybersecurity strategy requires inclusive governance, clearly defined and enforced policies as well as continued education and process implementation across all areas of the enterprise.

    Executives need to play a crucial role in this strategy. While the chief information officer (CIO) and chief information security officer (CISO) will be critical partners, they can't be left to lead the charge all on their own. For example:

    • The board can ensure mechanisms are in place to track security status and progress;
    • The CEO can include cybersecurity in due diligence of any M&A or partnership activity;
    • The CMO and CNO can make the clinical voice heard in the organization's security governance;
    • The CFO can ensure funding requests for security tools and services are vetted against a security strategy and roadmap;
    • The COO can ensure business continuity plans are in place, tested, and work well across all shifts; and
    • The CHRO can ensure the security team has the necessary staff to operationalize its security strategy.

    Want to learn more about what you should be doing in your role? Check out our new cybersecurity cheat sheet series, which outlines what executives in every role should be doing, and the key questions they should be asking, to help their organizations stay secure.
