Health Care Data Breaches in an Online World

Recent technological developments make information accessible with a few simple keystrokes. However, with simplified access to information come loopholes that can put people’s personal and protected information in the wrong hands. In recent years, there has been a surge of health data becoming available on the black market.

Approximately 300 disclosures of large healthcare data breaches have taken place in the past two years. The Department of Health and Human Services has been keeping a record of these hacks in an effort to prevent and mitigate these types of cyber attacks. Surprisingly, health information is worth about 10 times more than credit card information to buyers on the black market. Credit card information has been sold for $1 or less in the past, whereas health data has been sold for as much as $500. The more valuable information also has a more detrimental impact on the victims of these health data breaches. This has become such a widespread issue facing Americans that President Obama hosted a cybersecurity summit to discuss possible ways to protect consumers online from hacks and data breaches. One such breach involved Anthem Inc., the second largest health insurer, in which approximately 80 million Americans across the country had their Social Security numbers, birth dates, addresses, incomes, and other personal information compromised by hackers. The sheer number of people impacted by these hacks is alarming. Hackers can use this data to create fake IDs to purchase medical equipment or prescription drugs that can be resold, or to file false claims with insurers by combining a patient number with a false provider number. In addition, although the websites themselves are not searchable, the health data being sold on them is searchable on Somalian or Russian websites. Even the websites themselves are not in English, but rather in Mandarin, German, Vietnamese and other languages.

The key difference between medical identity theft and credit card theft is that medical data theft is not as easy to identify. Many victims do not even realize they are victims until unpaid medical bills are sent to debt collectors, who then trace the health data to its rightful owner. Another issue is that health data is much more difficult to change than credit card information. With a simple phone call and a few answers to security questions, a credit card can be canceled, and a new card will arrive in only a few days. Health data is more difficult to replace, as it contains medical history, Social Security numbers, and other information vital to a person’s health identity. Hospitals have relatively low security, making it much easier for hackers to obtain data from those sources. Some insurers have installed consumer identity theft protection within their databases. However, a time limit has been applied to these identity theft barriers within the health systems. As the United States and Europe move toward storing their health data online, this information is becoming more available to hackers. As health data companies move toward a more online approach, steps need to be taken to protect this vital information by encrypting the material instead of relying entirely on walls to protect the information.

Kate Reynolds is currently a 2L at DePaul University College of Law and is the Spotlight Staff Member for the E-Pulse. Ms. Reynolds completed her undergraduate degree at the University of Illinois Springfield. Ms. Reynolds hopes to work in Health Law after graduation.