Credit card data isn't quite the mother lode it once was for cyber thieves. Not only is its useful life generally brief, it also isn't worth as much as it used to be.
But cyber criminals are, among other things, adaptable. As Daniel Berger, CEO of Redspin puts it, "hackers are bad guys but good economists." So they simply turn to something that provides a bigger bang for the buck.
And that, increasingly, is the data you voluntarily turn over to doctors, hospitals and health insurers, known as PHI, or Personal Health Information.
The Identity Theft Resource Center reported in January that the healthcare sector accounted for the largest share of reported breaches for the third year in a row, with 42.5 percent of the total in 2014.
According to multiple reports, the PHI of nearly 120 million Americans has been compromised since the 2009 Breach Notification Rule took effect as part of the federal Health Information Technology for Economic and Clinical Health (HITECH) Act.
The large majority of those 80 million are from a single breach, of health insurance giant Anthem in January of this year. But there have been others in the millions: Community Health Systems reported 4.5 million records compromised from April to June 2014, and Premera Blue Cross reported this past March on a breach of 11 million records.
The most obvious reason for this shift is that PHI is more valuable. The Associated Press reported earlier this year that medical data fetch up to 10 times the price that stolen credit cards do in cyber crime marketplaces, for a number of reasons:
- A credit card can be quickly canceled and replaced. PHI (your name, age, gender, address, Social Security number, diagnosis codes, insurance information and personal medical history) can't be changed.
- Credit card data are basically good only for retail purchases. But PHI can be used to create fake IDs to buy medical equipment or drugs and to file fraudulent insurance claims.
"A stolen credit card number may help a person net a few thousand in fraudulent charges," said Christopher Frenz, director of IT infrastructure at Interfaith Medical Center, "but a stolen insurance identity could net someone a heart bypass costing in the hundreds of thousands."
Such detailed personal data can make targeted email or spear phishing attacks easier and more effective. And intimate, private and potentially embarrassing medical information could be used for espionage or blackmail.
It is "rich data," in the words of Morris Panner, CEO of DICOM Grid. "Physicians want to treat the whole person, and that means having a lot of data," he said. "Then add all the credit and insurance information necessary for billing and reimbursement."