Sunday, July 30, 2017

CPA Data Breach

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

When your CPA is hacked, it could be the start of a nightmare, unlike any crime you may have experienced.  Weak Indiana data breach regulations do not help. 

CPA firms hold your most important financial information – everything needed to steal your identity and loot your financial assets. 

Some of the most important are your tax records, dependent information, addresses, dates of birth, employer, investment custodians, Social Security numbers, telephone numbers, email addresses, etc.  If the CPA also handles your investments and insurance, they will have your medical information.

The CPA firm Whitinger & Company realized that it had suffered a data breach on April 12, 2017.  According to one of its clients, the firm waited until July 18, 2017, to notify him.  That gave the fraudsters a head start of more than three months before the victims (the CPA’s clients) could defend themselves.

The data breach also delayed the filing of this client’s taxes because Whitinger & Company’s computer was locked by the fraudsters just before they made a ransom demand.  Did Whitinger pay the ransom?  We do not know.

I’m helping a Whitinger client sort all this out. 

Below is a potential CPA ransomware sequence of events.  We do not know if this is what happened at Whitinger.  We have learned this hypothetical sequence from studying other data breach events and helping clients recover from identity theft.

  1. Fraudster hacks CPA.
  2. Information found on the CPA’s computers is copied: tax returns, client correspondence, emails, the firm’s financial data, client investment data, etc.  (Many CPAs today sell insurance and investments.)
  3. Hackers analyze the CPA’s data, looking for “whales” (high net worth, pension and large savings accounts).  They can identify whales by sorting through tax returns and investment records.
  4. Hackers also look for older account holders because they often have money and are easy prey.
  5. The hackers next decide whether to sell the data on the dark net or farm it themselves.  They have time to decide because the victim CPA firm is most often unaware that it has been hacked.
  6. If the hackers decide to farm the data, they often send the whales and older targets an email with an infected attachment.  They can use the CPA’s email system or clone one that looks exactly like the CPA’s email.
  7. The unsuspecting clients click on the link, assuming it was sent to them by their trusted CPA, and infect their computers.  The hacker wants access to the passwords you keep on your computer.
  8. The hackers’ next step is to loot investment accounts.  The victims often cannot connect their loss with the CPA’s having been hacked.
  9. Whales and other victims cannot prove the cause of their loss.  It could have been caused by their own weak security and stupidity.
  10. The hackers then lock the CPA’s computer.  This prevents the CPA from processing tax returns and conducting business.
  11. The hackers send the CPA a ransom demand.  The CPA is unaware it has a problem until its computer is locked down and it receives the demand.  Does it pay or try to restore its system with outside help?
  12. If the CPA pays, the fraudsters collect the ransom and unlock the CPA’s system.  As part of the deal, the CPA agrees to be a reference for other victims and may even suggest other CPAs that might have weak security.
  13. By the time the CPA’s clients have received the legally required notice, the damage may already have been done.
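
Steps 6 and 7 turn on the client not noticing that a message came from a cloned copy of the CPA’s email rather than from the firm itself.  The Python below is an added example, not part of this post and not anything Whitinger or any CPA firm uses.  It checks the From: header of a message against the firm’s real domain and labels lookalike domains (confusable characters), typosquats and display-name spoofs, so such mail can be held for a phone call to the firm before any attachment is opened.  The domain example-cpa.com and the sample headers are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed trusted domain for the CPA firm in this example (a placeholder,
# not a real firm's domain); a client would substitute the firm's actual domain.
TRUSTED_DOMAIN = "example-cpa.com"

# Character groups that look alike at a glance.  Both sides are reduced to
# this skeleton so "examp1e-cpa.com" and "exarnple-cpa.com" compare equal
# to "example-cpa.com".  Multi-character keys are applied first.
_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def skeleton(domain: str) -> str:
    d = domain.lower().strip(".")
    for src, dst in sorted(_CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, trusted_domain: str = TRUSTED_DOMAIN) -> str:
    """Classify the From: header of a message that appears to come from the firm.

    "trusted-domain" means only that the address is on the firm's real domain.
    Per step 6 above, the firm's own mail system may be in the attacker's hands,
    so an unexpected attachment from there still warrants a phone call to the firm.
    """
    display, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain == trusted_domain:
        return "trusted-domain"
    if domain.endswith("." + trusted_domain):
        return "trusted-subdomain"
    if skeleton(domain) == skeleton(trusted_domain):
        return "lookalike-confusable"
    if edit_distance(domain, trusted_domain) <= 2:
        return "lookalike-typo"
    # Display name invokes the firm's name while the address lives elsewhere.
    firm_name = trusted_domain.split(".")[0].replace("-", " ")
    if firm_name in display.lower():
        return "display-name-spoof"
    return "unrelated-domain"


# Constructed sample headers, not real messages.
SAMPLE_HEADERS = [
    "Jane Doe <jane@example-cpa.com>",
    "Jane Doe <jane@examp1e-cpa.com>",
    "Jane Doe <jane@exarnple-cpa.com>",
    "Jane Doe <jane@example-cpa.co>",
    "Example CPA Tax Team <acct@mail-service.net>",
    "Billing <billing@portal.example-cpa.com>",
    "Weekly Deals <news@retailer-example.org>",
]


def triage(headers=SAMPLE_HEADERS):
    """Map each From: header to its verdict; anything whose verdict does not
    start with 'trusted' should be treated as a probable clone of the firm's mail."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:22} {header}")
```

The check is deliberately conservative: a verdict of trusted-domain is not a clean bill of health, because the sequence above includes the hackers sending from the CPA’s own compromised mail system.  Its value is in catching the cloned domain before the attachment is opened; the phone call to a number you already have for the firm remains the real control.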

We do not know if any of these steps were taken against Whitinger & Company clients.  All we have is the report of the breach, a copy of the letter about the breach from Whitinger to its clients, and the frustration and concern of one of their clients.

Here is a summary report of the breach from my reporting service:

CPA firms are not regulated under cyber compliance umbrella laws such as HIPAA or PCI.  Therefore, they have a lower legal requirement to protect their clients’ data.  Indiana breach regulations are relatively weak, and the fines are small.  Affected clients deserve more.


Wednesday, July 5, 2017

You’ve Been Hacked Red Flags

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Sometimes it takes years – yes years – to realize that you have been hacked and your identity is being used without your permission.  This is especially true with the most insidious form of ID theft: “synthetic identity theft.”  One-third of Social Security numbers are being used by more than one person. 

As you read this, your Social Security number may be used illegally by another person and you do not realize it. 

Here is a short list of ID theft red flags:

  • No mail in your mailbox for two or more regular delivery days
  • You are having problems with a spouse or member of your household
  • You are a victim of domestic violence, stalking or cyber bullying
  • You receive notice that you have changed your address
  • Someone close to you had their ID stolen
  • Errors on your medical “explanation of benefits” (EOBs)
  • A vendor you do business with has a data breach
  • Suspicious mail arrives for your minor child
  • Bogus charges on your credit card or bank statement
  • Errors in your credit file
  • You’ve been traveling – especially in another country
  • Collection notices arrive
  • Credit cards arrive that you did not order
  • Strange credit card statement arrives in the mail

The weakest link in your identity security is your smart phone.  Also, most businesses provide more security for their toilet paper than for your personally identifiable information.

If your group needs someone to speak about these issues and how to reduce the risk of identity theft, contact me.  


Thursday, June 22, 2017

Elder lawyer in estate misappropriation case receives 8-year sentence

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Stephen Schuyler Mug Shot
My article about attorney Stephen Schuyler dated March 2, 2016 concerned the estate of Sarah Wilding.  Today, following his guilty plea, former elder law attorney Schuyler was sentenced to eight years in prison in connection with the misappropriation of funds from Ms. Wilding’s and five other estates totaling more than $700,000.

Below is a reprint of my 2016 article:

Sarah Wilding trusted her attorney to give the remainder of her estate to her church’s building fund.  Elder law attorney Stephen W. Schuyler had other uses for the money.  Only recently did it come to light that Schuyler had overcharged and diverted as much as $500,000 from some of the 130 estate cases he was administering.

East Lynn Christian Church is a small church in Anderson, Indiana.  Following Sarah Wilding’s death on April 20, 2012, Schuyler paid her final expenses and distributed funds and assets to her named beneficiaries.  That was the plan.  The remainder, $145,003, was to go to the church building fund toward paying off the 2005 sanctuary expansion.

The church was aware that Sarah had made a final gift to them, and they sought payment from Schuyler.  He stalled and requested the court approve yet another payment for additional attorney fees.  Undeterred, the church pressed him to close the estate and pay them.  Schuyler’s check bounced.

Finally, the police and prosecutor investigated.  They ascertained that, in addition to Wilding, other estates had been looted.  They identified four other estates specifically, and 130 unsettled estates that were eventually assigned to other attorneys.

The East Lynn Christian Church filed a civil complaint against Schuyler and his girlfriend, Kem Golden, for conversion of $164,101 from the Wilding estate.  In addition to the civil complaint, criminal charges have been made involving the estate of Frances Clem, from 2010 to 2014, in the amount of $156,790.  Other victims may include other churches and the local Humane Society.

Unsurprisingly, Schuyler’s law license was suspended indefinitely, and he is facing 13 felony counts. 

Since supervision may be lax or even non-existent, there are probably similar cases in other communities that have simply not been reported.  The deceased had counted on a trusted attorney to carry out their final requests and not to loot the estate.  But the lawyer treated the estate assets like his personal piggy bank.

Inheritance hijacking is not that rare.  Thieves who target the elderly and the dead are cunning and patient.  The vulnerable elderly among us are perfect targets: 20 percent are victims.

Many attorneys suggest waiving the requirement that executors be bonded; strongly consider not doing so.  Consider not giving your attorney authority to be your executor.

Thursday, June 15, 2017

Identity theft of deceased loved one

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

If your mother died, and her identity was stolen after she died and before she was in the ground, it could cause serious problems.  If you are the executor and responsible for fixing this mess, your brother and sister may blame you and hold you responsible.

Not only is identity theft an increasing problem for the living, but recently there have been numerous reports about criminals who specialize in stealing the identities of the recently deceased.

Crooks are not only cleaning out the homes of the deceased while loved ones are at the funeral, now they are stealing their financial assets as well.

The dearly departed are vulnerable to identity theft because the family is in mourning and not paying attention to the deceased person’s finances.   

Few financial planners, funeral directors or estate attorneys are familiar with the problem.  Few estate executors have sufficient financial experience themselves or seasoned advisors to help them avoid this problem.

Identity theft is probably the last thing on your mind when a loved one dies.  Both my wife and I have been the executor of our mothers’ estates and understood these issues.  There are a few simple things you can do to discourage identity thieves and to minimize the chances that a recently deceased relative’s estate will be victimized.

When a person dies, it can take several months for all three credit reporting agencies to be notified.  Between the date of death and the notification, fraudsters have an opportunity to steal.  Once you have a death certificate, do not assume that the credit agencies know.  You should notify them yourself - ASAP.

Also, send official copies of the death certificate — not photocopies — to all entities where your loved one had a financial relationship. I suggest that you contact each creditor, each insurance company, each bank, brokerage house, the Social Security Administration and any pension issuer.

Look for suspicious activities in the months that follow.  Pull a credit report of the deceased and purchase a credit monitoring service for a year following death. 

If you are faced with this unfortunate and untimely situation, contact me for further help.  

Monday, June 5, 2017

Protecting your investment and insurance accounts

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Identity fraudsters look for the big score. 

Using your credit card to buy high-end stuff is fine for a fraudster; it can support a drug habit or improve a standard of living.  However, they are looking for the big score.

Their objective is to steal your “serious” money -- your retirement accounts and insurance cash values.

How secure are those assets?

As you probably know, your personally identifiable information (PII) is easily obtainable and can be purchased in bulk on the internet.  It is often stolen as a result of a data breach, or used by a dishonest employee at a company where you conduct business.  

Fraudsters can use this information to make credit card purchases.  Most of us have had someone make unauthorized purchases using our credit card.  By comparison, these are pretty benign and usually easy to reverse.   More difficult to fix is when new credit accounts are established and statements are mailed to the fraudster’s mail drop. 

Still, these types of identity theft are survivable if they are caught in time.  It might take as long as three years to clear them up and you will forever be explaining to employers, insurers, banks, etc. that you were a victim of identity theft.   

But if the crook is using a form of “synthetic identity theft” and it goes on for a long time, it will change your life as you know it.  It will not be pretty.

I give free seminars to help individuals and small businesses avoid these problems.

Fraudsters look for the big score.  So, once a fraudster has your PII (yours is out there already), how do you protect your serious money?  You should ask the investment or insurance company that is keeping and investing your serious money some tough questions.  Be direct and do not accept evasive answers.  Here are a few areas of concern:

Security questions and answers
Answers to your security questions often are found on your Facebook and other social media pages.  Don’t celebrate your birthday on social media.  Knowing your date of birth is a key step in stealing your ID.  If they want your mother’s maiden name, invent one.  If a firm relies on security this lame, I would suggest that you consider doing business elsewhere.
Username and password requirements
If your username is your email address, your password can easily be cracked.  Software is available to crack passwords.  Cheap! Google search the topic yourself.
Secure email
How secure is the investment or insurance firm’s email?
Customer verification
How do they verify your ID? 
Address change
Who has the authority to change your address?  What is the process?  By the way, if you fail to receive US mail for more than two days, contact the Postal Inspector to find out why.  Forwarding your mail is often the first step in identity fraud. 
Your agent or stockbroker
Does he/she have authority to change your address, make distributions, etc?  Did you check his/her background?  Attend one of my “Is your investment advisor a crook” seminars and find out.
Systems surveillance
Are they “really” on the lookout for suspicious irregularities across all their accounts every day, all day?  Will they alert you promptly if they spot a problem that could affect you?  How long did Yahoo wait to notify customers of their data breach?  Wasn’t that over a year?
Fraud detection
Will they monitor your accounts for suspicious transactions and unusual behavior to ensure that they are authentic and legitimate?
Security at their branches and offices
How secure are your agent’s or stockbroker’s records?  Who has access to your stuff?  Could your identity be stolen if someone had a copy of an insurance or investment account application?
Restricted access to data
Does the insurance or investment company limit access to systems containing customer data to only those employees who need it to conduct business?  Do they continually monitor access and grant it to new people only on a case-by-case basis?  How was it possible for a Fishers, Indiana insurance agent to steal the identity of 3,000 of his employer’s customers?
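
The address-change and fraud-detection questions above describe a specific pattern: a contact-detail change (mail forwarding, a new address, a new phone or email) followed shortly by a distribution, often to a newly added destination.  The Python below is an added example of the kind of monitoring rule a firm could run over its own account event log.  It is not from this post and not any firm’s actual system; the event format, the 30-day window, the $10,000 threshold and the account histories are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    when: date
    account: str
    kind: str          # address_change | phone_change | email_change | payee_added | distribution
    detail: str = ""   # new address/contact, or the payee/bank destination id
    amount: float = 0.0


CONTACT_CHANGE_KINDS = {"address_change", "phone_change", "email_change"}


def flag_suspicious_distributions(events, window_days=30, large_amount=10_000.0):
    """Return alerts for distributions that follow a contact-detail change
    or a newly added payee within `window_days` on the same account.

    Each alert is (account, date, amount, [reasons]).  The window and the
    large-amount threshold are assumed tuning values, not figures from the post.
    """
    window = timedelta(days=window_days)
    by_account = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_account.setdefault(ev.account, []).append(ev)

    alerts = []
    for account, evs in by_account.items():
        prior_changes = []   # contact changes and payee additions seen so far
        for ev in evs:
            if ev.kind in CONTACT_CHANGE_KINDS or ev.kind == "payee_added":
                prior_changes.append(ev)
                continue
            if ev.kind != "distribution":
                continue
            recent = [c for c in prior_changes if ev.when - c.when <= window]
            reasons = []
            if any(c.kind in CONTACT_CHANGE_KINDS for c in recent):
                reasons.append("contact-change-then-distribution")
            if any(c.kind == "payee_added" and c.detail == ev.detail for c in recent):
                reasons.append("distribution-to-new-payee")
            if reasons and ev.amount >= large_amount:
                reasons.append("large-amount")
            if reasons:
                alerts.append((account, ev.when, ev.amount, reasons))
    return alerts


# Constructed sample account history, not real data.
SAMPLE_EVENTS = [
    Event(date(2017, 1, 15), "IRA-2002", "address_change", "12 Elm St"),
    Event(date(2017, 4, 20), "IRA-2002", "distribution", "BANK-ABC-1111", 2_000.0),
    Event(date(2017, 5, 1), "IRA-1001", "address_change", "PO Box 77"),
    Event(date(2017, 5, 3), "IRA-1001", "payee_added", "BANK-XYZ-9999"),
    Event(date(2017, 5, 10), "IRA-1001", "distribution", "BANK-XYZ-9999", 45_000.0),
    Event(date(2017, 6, 1), "BRK-3003", "email_change", "new@mail.example"),
    Event(date(2017, 6, 5), "BRK-3003", "distribution", "BANK-ABC-1111", 500.0),
]

if __name__ == "__main__":
    for account, when, amount, reasons in flag_suspicious_distributions(SAMPLE_EVENTS):
        print(f"{account} {when} ${amount:,.2f}: {', '.join(reasons)}")
```

Run on the sample history, the rule flags IRA-1001 (address changed, new bank added, then a large distribution to that bank within nine days) and BRK-3003 (email changed, then a small distribution four days later), while the January address change on IRA-2002 is too old to implicate the April distribution.  An alert is a prompt to call the client at a number on file from before the change, which is the answer one would want to the “Will they promptly alert you” question above.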

Friday, May 19, 2017

Fake News & Yellow Journalism

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

“Fake News” was responsible for the Spanish-American War when American journalists fabricated atrocities which justified the US invasion of Cuba.  Historians agree that war was caused by what was then called “Yellow Journalism.”  At the heart of the era's newspapers’ propaganda were publishers Joseph Pulitzer (yes, that Pulitzer) and William Randolph Hearst.

Yellow journalism has been defined as journalism that features scandal-mongering, sensationalism, or other unethical or unprofessional practices by news media and individual journalists.   Today it is simply called Fake News. 

In 1901, separate newspaper articles, months apart, suggested the assassination of President William McKinley.  When McKinley was shot on September 6, 1901, critics accused journalists of driving assassin Leon Czolgosz to kill the President of the United States.  The public made such an outcry that fake news and other offenses had to be addressed.  Joseph Pulitzer was haunted by his “yellow journalism” sins to the extent that it is believed this led to his founding of the Pulitzer awards.

Perhaps as another response to “yellow journalism,” a few years later, students at DePauw University, a Methodist Church institution, founded Sigma Delta Chi journalistic fraternity.  This organization was based on the support of an honest and honorable press and was the forerunner of the Society of Professional Journalists (SPJ). 

Today, journalists find themselves – again -- accused of Yellow Journalism.  This is unfortunate for all of us. 

According to Gallup, Harvard, and others, in the minds of Americans, journalism has sunk to new lows not seen within living memory – perhaps since the 1880s’ Yellow Journalism. 

Only eight percent of Americans have a “great deal” of confidence in newspaper and television news according to Gallup.  Further, a May 18, 2017, Harvard University study illustrated that the tone of the press is decidedly “negative.”  Read the Harvard article and Gallup report for more details about press bias.

Several days ago, I became disgusted with a “news” article authored by a local reporter and published in a local news outlet.  Moreover, I was motivated to voice my complaint in the form of a formal written ethics complaint.  Yes, the Society of Professional Journalists has a “Code of Ethics.”  However, after I looked and looked for an internet link or address so that I could file an ethics complaint, I could not find one.  Nope.

Both of my professional organizations have Codes of Ethics and will process and judge a complaint about one of its members.  If that member is found to have violated that code, he/she could have their membership suspended, or terminated.  Accountants, lawyers, engineers, and even meteorologists allow the public to submit ethics complaints.  Organizations protect their reputations by expelling those that violate their rules. 

An investigative journalist friend and a member of the SPJ Board of Directors (maybe she will de-friend me after she reads this article) said that there was no mechanism that would allow me to file a code of conduct complaint with the SPJ.  I said that this was like having a gun, but no bullets.  It was like having speed limits, but no traffic cops.  She did not disagree.

Next, I went to the head person and contacted the Society of Professional Journalists’ Executive Director, Mr. Joe Skeel.  After a few days, he responded, “You are right that our Code of Ethics isn’t enforceable.”  Further, he said that “The reason we can’t enforce our Code is because (sic) doing so would violate Free Speech protections under the First Amendment.”  What??

Are we to believe that the U.S. Constitution prohibits journalists from enforcing their own Code of Ethics?  What deceptive nonsense.  Shame on Joe Skeel and shame on the SPJ.

The SPJ clearly does not have a Code of Ethics.  The Society of Professional Journalists has a list of unenforceable suggestions.  Are they hiding behind the First Amendment?  Is this partly the cause of the small percentage of Americans that trust the press? 


Monday, May 15, 2017

Ex-lover & ID theft

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

There is a thin line between love and hate. 

Scientists have an explanation.  Brain scans of people shown images of individuals they hated showed activity similar to that triggered by individuals they love.  Love and hate appear to be controlled by the same section of the brain.  Therefore, when you no longer love a person, it is psychologically easy to shift into “hate” mode.

Perhaps that has led to the popularity of “revenge” books and internet sites.

The mother of all revenge sources may have first been sold by Paladin Press, named after the old Emmy-nominated TV show “Have Gun, Will Travel.”  Perhaps their long-time best-selling book was “Get Even – The Complete Book of 200 Dirty Tricks,” first published in 1980.  The publisher’s current popular book is the “Revenge Encyclopedia.”

However, with the use of the internet, it may be easier to carry out revenge strategies today than in 1980.  Paladin’s dirty tricks have been amplified by the internet.  Today, it is even easier to get even and even remain anonymous.  Just Google “revenge”  to find out.  Maybe visit the dark net for even dirtier tricks.

Revenge porn.  The term “revenge porn” refers to uploading sexually explicit material to the internet to humiliate an individual who has broken off a relationship.  It is illegal in most jurisdictions.  The explicit images may be accompanied by the identity of the pictured individual and their home address, and can even include links to their social media sites and employer.  The images can expose victims to professional ridicule.

In addition to intimate details, former spouses and love interests may have had access to personal and financial information.  Often, lots of information: business and personally identifiable information (PII), tax information, enough to easily allow the misuse of your identity.  It’s bad enough to post pornographic pictures of a former lover or spouse.  Some actors are more focused on revenge than on avoiding breaking the law.

If you were in a relationship that went bad, take inventory.  Did he/she have access to your tax and business records? 

Take defensive action.

Google your name and picture.  Find out if someone else is using your Social Security number.  Has he/she arranged "synthetic ID theft" of your Social Security number?  Monitor social media using your name and business name. Check your credit for suspicious activities. 

If things don’t seem “right” or if the relationship was especially messy, contact an ID theft prevention and victim advisor. 


Tuesday, March 14, 2017

When synthetic identity theft meets the Medical Insurance Bureau

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Synthetic identity theft has become the predominant form of U.S. identity theft.  When this growing fraud meets your medical records, it could impact both your pocketbook and your health.

Most of us think that identity theft is when someone uses our Social Security number, name and date of birth to get a credit card, borrow money or buy things.  The cost, time and pain associated with correcting this fraud may be considerable.  However, synthetic identity theft may be worse.

Synthetic identity theft is when a fraudster uses your Social Security number and a different name and even a different date of birth.  This type of fraud can continue for years and even decades without your knowledge.

In my lectures on fraud, I call synthetic identity theft an “electronic home invasion.” 

Synthetic identity theft can result in what’s known as a fragmented credit file.  When an identity thief uses a real Social Security number and a different name, it’s possible for the synthesized identity to become associated with the real credit file under the same Social Security number.

The same thing may happen with your medical records file. The medical information exchange organization may not know which is real and which is synthetic.  Hospital records too.  Ouch.

Often the fraudster – say an illegal immigrant -- uses your Social Security number to get a job and then signs up for employer-sponsored medical insurance.

Following an illness or surgery, the medical diagnoses information may be transferred by the insurance company to the MIB Group (formerly known as the Medical Insurance Bureau). The MIB Group Inc. is an insurance "information exchange" organization founded in 1902 that is not unlike a consumer rating agency (e.g. Experian). 

The MIB receives consumer medical information from insurers that might impact health, long-term care, life, and other insurance underwriting. Insurers use the information to decide if they will cover you and issue health or life policies on you, and how much you should pay.

As with consumer credit files, medically related account numbers may be associated with that file due to partial matching.  In this way, the consequences of synthetic identity theft can be a lot more challenging to alleviate than those of true name identity theft.

While people who experience true name identity theft can have false or unauthorized credit accounts tied to their credit reports, synthetic identity theft victims can have entire identities (credit and medical) tied together.

Victims are often older and younger citizens.  These individuals typically are less apt to seek credit or change medical insurers.  Synthetic identity fraud can continue for years – even decades – without being discovered until it produces catastrophic results: for example, when the younger victim applies for college admittance or student financing, or the older American tries to change his/her Medicare Supplement or get a “reverse” mortgage.

About one-third of Americans’ Social Security numbers are being used by someone else without our permission.

Recently, I was asked by a CPA friend (male) to check to see if anyone was using his Social Security number.  I found a female individual that had used it to gain employment with a Pennsylvania manufacturer.  Based on the background research report, it appears that the person is an illegal immigrant.  I’ll bet ya that she has health insurance from her employer!

To avoid becoming one of a growing number of Americans who are victims of synthetic identity theft, frequently check your Social Security statements, consumer rating agencies’ reports, etc.  Also, you can check with the MIB Group to see if they will let you look at your medical file.

For a more complete roadmap to ID theft prevention, attend one of my free public lectures on how to avoid identity theft. 

Tuesday, January 31, 2017

Little Red Door Hacked by The Dark Overlord

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

The Little Red Door Cancer Services of East Central Indiana was recently hacked by The Dark Overlord, a cyber criminal group, and faced a $43,000 ransom demand.

Increasingly, medically related and non-profit groups experience ransomware demands.  These organizations possess individuals’ medical and personal information, and typically have weak IT security.

Sometimes data is encrypted by the cyber thief, and the ransom demand is for the decryption key to unlock the data.  This is what happened in Madison County, which paid the ransom.  In other cases, it is a blackmail demand to avoid the public embarrassment of having sensitive information published on the internet.

The Dark Overlord group, named after a comic book character, has been successful in multiple ransomware cases and netted over $500 million last year alone, according to security sources.

These data breaches are more serious than previous credit card breaches because they affect not only Personally Identifiable Information (PII) but also include medical information covered by HIPAA.  PII has a value on the “dark net” of about $50 per individual, and HIPAA information is valued at over twice that amount, or about $100 per individual.

Thus, an organization -- say a dental or physician office that has maybe 3,000 current and past client records -- could provide a cyber thief with $300,000 in revenue from the dark net sale of both the PII and medical information.  The ransom demand is often only a minor revenue stream for these fraudsters.  Many cyber criminals enjoy taunting their victims.

From the consumer’s standpoint, the theft of PII or credit card information is inconvenient to most victims and can take a long time to correct.  About one in three Americans will be victims of that kind of theft this year.  The inconvenience for many is worse than the financial impact, and it can often be repaired without requiring professional help.  The loss of your medical identity can be worse, more difficult to correct, and sometimes life-threatening to the victim.

From the medical provider’s standpoint, a data breach can be catastrophic. 

In some parts of the U.S., legal boutiques are springing up that focus on class-action data breach events that involve both PII and HIPAA.  If a medical-related organization experiences a data breach and it had not previously conducted a cyber security assessment or financial risk assessment, had insufficient safeguards, and had an ineffective (or non-existent) HIPAA supervisor, these issues could eventually result in liability costs that force the sale of the medical practice.

In the case of the Little Red Door, there was no reported encryption of data; rather, the threat was that the data would be released on the internet.  The LRD has reported that they refused to pay the demand.

Unfortunately, the staff’s Social Security numbers and other LRD information are already on the dark web.  A spokesperson for The Dark Overlord, who forwarded an email to the media from within the Little Red Door’s internal email account, disputed that the data had yet to be published.  Obviously, The Dark Overlord is not finished with the Little Red Door.  TDO claims that they acquired much personal information, including diagnoses of clients.

Few non-profits and smaller medical-related businesses have adequate safeguards to prevent the loss of sensitive client information.

Wednesday, January 18, 2017

Ransomware + Medical Identity Theft = Disaster

By Greg Wright
Certified Fraud Examiner
Certified Financial Planner™

Sometimes two bad things link, accelerate and produce an even larger tragedy.  That’s what is happening today when “ransomware” meets “medical identity theft.”

Smaller personal service business offices are notoriously lacking in cyber security.  This includes smaller offices of physicians, optometrists, chiropractors, and dentists.  Cybercriminals are increasingly attacking these small businesses, encrypting their files and holding them for ransom.

Last year, the American Dental Association warned dentists about ransomware.

Many businesses cannot operate without access to their customer files.  Moreover, once they become a ransomware victim, like Madison County, Indiana recently, they will pay a ransom to the cyber criminal.  If the victim is a medical office, the data thief also gets to copy and sell the practice’s patient medical records.  Ouch.

What could a cybercriminal do with your Social Security number, credit card info, insurance policy information, your address, and medical history?  Similar information is sold every day on the dark net.  Medical identity theft is one of the fastest growing cyber crimes.  Ransomware crimes are growing even faster and reaching down into profitable small businesses.

Medical businesses are a favorite.  Last year, for example, Hollywood Presbyterian Medical Center revealed it paid a ransom to hackers who held the hospital’s computer system hostage by encrypting its patient records.  I’ll bet that the hospital’s patients’ medical information was also copied and sold.

Ransomware is exactly what it sounds like -- malicious software used by cyber criminals to block a business owner’s access to a computer system until a ransom is paid.  It has become much more common in recent years.  The number of ransomware attacks increased almost fivefold (500%) in 2016 compared with the prior year.

This particular type of cyber crime was first recorded in 1989.  The attack is relatively easy to deploy and profit from.  It doesn’t take special skills, and the software or malware is easily obtainable on the dark net.  The victim’s employees need only click on the wrong “innocent”-appearing link to infect and compromise its computer system.

In the past, ransomware cyber-criminals targeted consumers connecting to porn sites and typically asked for modest amounts to release the victim’s personal computer files.  The ransom is typically paid in Bitcoin.

The increased use of Bitcoin and other similar currencies has made this type of crime increasingly possible – it is easy to deploy, receive payments safely and transfer money anonymously. This has had a dramatic impact on the number and type of cybercrime opportunities. Bitcoin is the current engine of cybercrime, and it will continue to enable and expand cyber criminal activity.

Your stolen medical records can allow someone to see a doctor, get prescription drugs, file claims with your insurance provider, have surgery, etc.  The thief’s health information then is mixed with yours, your treatment history, blood type, allergies, and payment (or non-payment) records. This data mix can be physically dangerous to you, cause your insurance premiums to increase and result in you being denied certain insurance coverages.  It is very difficult to correct.

Stolen medical records can be more troublesome than other types of identity theft.

Read your Explanation of Benefits (EOB) statement or Medicare Summary that your health plan sends after treatment. Check the name of the provider, the date of service, and the service provided. Do the claims that were paid match the care you received? If you see a mistake, contact your health plan and report the problem ASAP.

Signs of medical identity theft include bills for services you did not receive and calls from debt collectors about medical debt you don’t owe.  Since Federal law gives you the right to know what’s in your medical files, the thief may have impersonated you and received your complete records from other providers.  This could wreck your medical care for life.

If you think that something is amiss, ask each of your health plans and medical providers for a copy of the “accounting of disclosures” for your medical records. The “accounting” is a record of who got copies of your records from the provider. The law allows you to order one free copy of the accounting from each of your medical providers every 12 months. 
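
The EOB check above is a reconciliation: every paid claim should line up with a visit you actually had, by provider, date of service and service performed.  The Python below is an added example of that reconciliation; it is not from this post and not from any health plan.  The claim and visit records are constructed, and the provider names and amounts are placeholders.  Claims with no matching visit, or with a different service than the one you remember, are the ones to take to your health plan.

```python
from datetime import datetime

# EOBs and personal calendars rarely agree on a date layout; accept a few.
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%m/%d/%y")


def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognized date: {text!r}")


def norm_provider(name):
    """'Dr. A. Smith, MD' and 'Dr A Smith MD' should index the same visit."""
    return " ".join(name.lower().replace(",", " ").replace(".", " ").split())


def reconcile(eob_claims, visits):
    """Match each paid claim on the EOB to the patient's own visit log.

    Returns the claims with a status: OK (provider, date and service all
    match a visit), SERVICE_MISMATCH (you saw that provider that day, but
    for something else), or NO_MATCHING_VISIT (no visit at all that day).
    """
    visit_index = {}
    for v in visits:
        key = (norm_provider(v["provider"]), parse_date(v["date"]))
        visit_index.setdefault(key, []).append(v["service"].strip().lower())

    results = []
    for claim in eob_claims:
        key = (norm_provider(claim["provider"]), parse_date(claim["date"]))
        services = visit_index.get(key)
        if services is None:
            status = "NO_MATCHING_VISIT"
        elif claim["service"].strip().lower() in services:
            status = "OK"
        else:
            status = "SERVICE_MISMATCH"
        results.append({**claim, "status": status})
    return results


def needs_follow_up(results):
    """The claims to raise with the health plan, and the dollars at stake."""
    flagged = [r for r in results if r["status"] != "OK"]
    return flagged, sum(r["paid"] for r in flagged)


# Constructed sample data, not from any real EOB or patient.
SAMPLE_VISITS = [
    {"provider": "Dr. A. Smith, MD", "date": "03/02/2017", "service": "Office visit"},
    {"provider": "Anderson Imaging", "date": "2017-03-09", "service": "X-ray, wrist"},
]
SAMPLE_CLAIMS = [
    {"provider": "Dr A Smith MD", "date": "2017-03-02", "service": "office visit", "paid": 85.00},
    {"provider": "Anderson Imaging", "date": "03/09/2017", "service": "MRI, wrist", "paid": 1200.00},
    {"provider": "Gateway Pain Clinic", "date": "2017-04-18", "service": "Pharmacy fill", "paid": 310.00},
]

if __name__ == "__main__":
    flagged, at_stake = needs_follow_up(reconcile(SAMPLE_CLAIMS, SAMPLE_VISITS))
    for r in flagged:
        print(f"{r['status']:18} {r['date']:>10} {r['provider']} / {r['service']} ${r['paid']:.2f}")
    print(f"{len(flagged)} claim(s) to dispute, ${at_stake:.2f}")
```

On the sample data the office visit reconciles, the imaging claim is flagged because the EOB shows a more expensive procedure than the one you had, and the pain clinic claim is flagged because you never went there at all.  The second kind of flag is the one the paragraph above warns about: a provider you do not recognize is the point at which to request the “accounting of disclosures” from your own providers.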

Smaller medical service providers are frequently victims of combined ransomware and medical records theft.  If they are a ransomware victim, they probably have had client medical records compromised as well.  This likely qualifies under Indiana law as a “breach.”  It must be reported to the Indiana Attorney General.  Also, it probably is subject to HIPAA, OCR and HHS regulations.  The medical or business professional organization that is the victim needs to report the information promptly.  Failure to do so can result in more fines and hassle than a multi-year full IRS audit.

Small profitable businesses are particularly vulnerable to ransomware and breach attacks.  The cost of the ransomware may be small compared to the costs associated with a “breach,” HIPAA and other regulators’ fines, plus the negative publicity and client issues.  Ask yourself if you would consider a medical professional who did not actively prevent someone’s medical information from being compromised and sold on the dark net.

Smaller businesses, particularly medical service providers, need to have adequate cyber defense insurance from a company that has staff experts who can apply corrective actions and guide the victims through the regulatory process.