CBS 58 Investigates: Medical Identity Theft
MILWAUKEE (CBS 58) -- CBS 58 Investigates found in just one year's time, the amount of sensitive medical records being exposed by hackers have more than tripled in the country. Experts say that number will only continue to increase.
In 2018, there were 372 data breaches exposing 10,654,928 sensitive records, and by September of 2019, 368 data breaches exposing 36,393,338 sensitive records have occurred.
Hackers are especially interested in medical records because it has more information than your bank records. Medical records contain not only your personal information but also your insurance or medicare information, and of course, your medical history.
Hackers who get hold of your information can open up accounts or commit fraud on your health insurance. While scary, CBS 58 Investigates found it's even more terrifying to know they can mess with your physical health.
"Let’s say they’re utilizing it to get services for a cardiac problem and you don’t have a cardiac problem, you may start to see those things populating on your health record and your physicians may be looking at that. They may seek a different course of treatment for you that may not be the right treatment," said Charity Lacey, Vice President of Communications at the Identity Theft Resource Center.
CBS 58 Investigates discovered your medical record could be worth $20,000 -- as much as a brand new car. That's how much some are being sold for now on the dark web, which means it's about 10 times more valuable than a regular identity theft record.
"A traditional identity theft record probably sells for $2,000 on the open market," said Josh Moore, a solutions architect for Information Technology Professionals.
But why is it worth so much more?
"They have so much more rich data in them. They’re getting more access to information per breach," said Lacey.
Hackers are creative. CBS 58 Investigates learned they'll attack through emails and even hack your voicemail and listen to them for months before making a move.
"They're actually able to do voice replication and act as if they're an executive -- even a phone call," Moore said.
Milwaukee is unique because it's home to large and small health care systems, and while both are at risk, experts say larger hospitals may have a better handle on hackers.
"The large health systems for the most part have very robust compliance programs and compliance departments that are staffed with a lot of people that can stay on top of it, whereas your smaller providers may not have the resources or capacity," said Barbara Zabawa, clinical assistant professor with the Department of Health Informatics and Administration and also co-director Master of Healthcare Administration program at the University of Wisconsin-Milwaukee.
CBS 58 Investigates did some digging and found the U.S. Office of Civil Rights is currently investigating 15 health information breaches in Wisconsin. Each case on the list affects anywhere from 500 to more than 250,000 people.
After taking a closer look, CBS 58 Investigates found the Medical College of Wisconsin here in Milwaukee is on that list -- among others as part of the Froedtert Health Network.
In a full statement, the network tells CBS 58:
The Froedtert & the Medical College of Wisconsin health network is committed to providing exceptional health care services to the communities that we serve. Annually, privacy training is held for every employee, volunteer, student, business associate or any other person acting within their designated role to maintain our obligation to uphold our high confidentiality and ethical standards and to comply with all federal and state regulations in protecting health information.
Whether patients are visiting clinics, emergency rooms or hospital locations, know that we continuously work hard to preserve the security and privacy of everyone’s confidential information. We have physical and electronic safeguards in place to protect patient information, and are continually implementing new technologies in order to maintain the high level of care and service that our patients expect and deserve.
The information you share at one hospital could be spread through a network, and while the Health Insurance Portability and Accountability Act (HIPAA) require these places to protect electronic records, your information is still not 100-percent safe.
“When you read those rules of HIPAA regulations, there’s room for interpretation, and a lot of times health care organizations want to do what’s most financially reasonable," Moore said.
So what should you do? CBS 58 Investigates found most of the time, your Social Security and driver's license information isn't needed when filling out health forms.
”Back 10 to 15 years ago your social security number was an important component in order to receive services because it was tied to your insurance or to your medicare, but that’s not the case anymore," Lacey said.
Lacey says people have to remember to be vigilant and not be afraid to ask the hard questions before giving out information.
"If you ask the question, why do you need my Social Security number? Why do you need my driver’s license and it’s not in keeping with what you understand the service is that they’re providing, don’t provide it," said Lacey.
Moore says it's important health care providers invest in electronic data security because it could cost them one day. Fixing the damage from a breach could cost $500 per patient.
In a health care system that may have upwards of 50,000 patient records, that's a whopping $25 million.