The Stimulus Act Started a Cyber Crime Wave of Medical Data Theft

Cyber criminals are coming after your medical data and you can blame Congress for that.

Six years after the American Recovery and Reinvestment Act of 2009 opened the floodgates to digitized medical records, so-called “protected health information” is now the most precious commodity in pilfered consumer data—fetching up to 10 times the price of a stolen credit card number on the “dark Web.”

A report from International Data Corporation this month forecasts that 1 in 3 consumers will have their health data compromised next year due to weak cybersecurity.

In May, the Ponemon Institute found that criminal attacks on health-care organizations are up 125 percent since 2010. And according to a survey of health care technology professionals released in August by KPMG, 81 percent of medical organizations have been targeted by a cyberattack or malicious software—with more than 1 in 10 acknowledging two or more attacks per week.

In its monthly disclosure report for November the Department of Veterans Affairs revealed that out of 693 individual records breaches, 616 involved personal health information. While many of these are attributed to employee negligence, the agency reported that it blocked more than 178 million attempts to breach its networks last month.

It’s not that thieves are only now recognizing the value of consumer medical data. Rather, they are targeting a prize that was largely unavailable to them until Congress put it within their reach.

The Health Information Technology for Economic and Clinical Health (HITECH) Act—a component of President Obama’s economic stimulus package—included billions of dollars to support the migration of static, paper-based medical records into electronic databases. Using the tagline “Go Paperless and Get Paid,” the Centers for Medicare & Medicaid Services has shelled out more than $30 billion to date in subsidies to promote the adoption of Electronic Health Records (EHR).

Starting this year, Medicare-eligible providers who aren’t “meaningful users” of electronic medical records will begin facing penalties.

Without a corresponding push to compel investments in security, however, the majority of medical providers incorporated EHR into legacy systems that lacked the technology required to protect it. This created an open pathway for thieves who once would have faced a lock door.

Last month, Donald Good—deputy assistant director of cyberintelligence and outreach at the FBI—told a gathering of health-care IT professionals in Washington, D.C., that the industry has yet to reconcile the limitations of legacy IT, even as it makes the leap to next-generation mobile devices.

“For a number of years, folks I think realized there was a threat out there, but it wasn’t as pervasive as it is today,” Good said.

A top-level IT manager at a major university health system in the Northeast told me recently that his organization is just now in the process of locking down patient data.

“We never lost any data so no one thought it was a problem,” he said, requesting anonymity on the grounds he could lose his job for speaking out. “The level of vulnerability is astounding.”

The majority of health-care providers share that same pessimism. According to a survey released this month by the company Privacy Analytics, more than two-thirds of health-care organizations lack confidence in their ability to protect patient data.

While Obama’s stimulus package has been a favored whipping boy for conservative lawmakers, the push to digitize patient records was a bipartisan effort—aided by strong lobbying by the health IT sector.

The division of the Department of Human Services tasked with overseeing health-care technology investments was created by executive order by George W. Bush. Newt Gingrich said digitizing health records was one of only “two good things” to come out of the stimulus package (the other was the increase in Medicaid funding provided in the bill).

Charlie Sheen’s recent admission that he paid out $10 million to blackmailers threatening to expose his HIV status shows how profitable the medical records of even one person can be, but the real value of medical data can be traced to America’s bloated health-care system.

Though many patient records contain personal identifiers like Social Security numbers and addresses, the Holy Grail for data thieves comes in the form of medical identification numbers that can be used to facilitate insurance fraud. According to one report, a single Medicare number can list for $500 on the black market. In some cases these numbers are used to bill for drugs and medical equipment that are then resold.

Occasionally—like the February 2015 breach at health insurer Anthem Inc., and the hacking over the summer of UCLA Health—these thefts are massive heists become national news, but far more often breach victims are counted in the low-thousands or even the hundreds and escape the attention of anyone not directly impacted.

It’s little wonder, then, that most Americans are unaware of the threat.

“The public’s lack of awareness of their potential exposure to this is troubling,” said Tina Stewart, a marketing executive at Vormetric. Her company released a study in October that found consumers are overwhelmingly concerned about the safety of their financial data even though it accounts for a fraction of exposed records and cumulative losses.

Under existing federal law, companies are required to adopt policies and practices to protect patient data; but the rules don’t specify how to do that, and sanctions are applied on the backend after the damage has already been done. Many health-care organizations making the shift to EHR after 2009 calculated (correctly) that the cost of noncompliance would be less than investing in necessary security upgrades.

In 2013 the Obama administration increased the maximum penalty for noncompliance to $1.5 million per violation.

But sanctions have been rarely applied. A ProPublica investigation this year found that the Department of Health and Human Services department responsible for enforcing data security, the Office for Civil Rights (OCR), has fined health-care organizations just 22 times between 2009 and 2014—a span of time that saw more than 1,140 breaches.

That doesn’t mean the industry isn’t paying in other ways. Analysts say that health-care providers pay an average of $398 per exposed record to respond to a data breach, more than any other sector. This includes the cost of investigating breaches and notifying customers, as well as legal fees and the financial fallout of customer defections. It’s estimated that breaches added roughly $6 billion in costs last year to a health-care system that is already the world’s most expensive.

This financial burden is shared by consumers: Unlike credit card identity theft, where the card provider generally has a legal responsibility for account holders’ losses above $50, victims of medical identity theft often have no automatic right to recover their losses. This forces two-thirds of breach victims to shell out personal money to resolve the issue, with the average costs exceeding $13,000.

Large health technology providers like Epic Systems (the source of an October exposé published by Mother Jones) have reaped windfalls from federal EHR incentives. Yet there’s evidence that the move to electronic records has not only failed to improve efficiency, it’s had the reverse effect. Many doctors report being dissatisfied with their EHR systems, which they say has actually made record-keeping more complicated.

The Center for Public Integrity found a connection between electronic health records and Medicare over-billing, and a lack of interoperability between systems means there’s a good chance the data collected by your primary care physician will be inarticulable by the software used by the specialist he refers you to.

Federal auditors have accused EHR systems vendors of exploiting this weakness to charge kickbacks for records access. In September nearly two-dozen medical groups, including the American Medical Association, called on the Centers for Medicare & Medicaid Services to delay the final phase of the EHR incentive program until the problem can be rectified.

Yet two-thirds of these vendors lack formal third-party security certification. Absent from the discussion is how to ensure the many entities that tap into larger digitized record stores are capable of protecting the information they find there.