By Greg Wright
MBA, CFE, CFP®, CLU, ChFC
Certified Fraud Examiner
Certified Financial Planner™
Sometimes two bad things link, accelerate and produce an even larger tragedy. That’s what is happening today when “ransomware” meets “medical identity theft.”
Smaller personal service business offices are notoriously lacking in cyber security. This includes smaller offices of physicians, optometrists, chiropractors, and dentists. Cybercriminals are increasingly attacking these small businesses, encrypting their files and holding them for ransom.
Last year, the American Dental Association warned dentists about ransomware.
Many businesses cannot operate without access to their customer files. Moreover, once they become a ransomware victim, like Madison County, Indiana, recently, they will pay a ransom to the cyber criminal. If the victim is a medical office, the data thief also gets to copy and sell the medical records of the practice’s patients too. Ouch.
What could a cybercriminal do with your Social Security number, credit card info, insurance policy information, your address, and medical history? Similar information is sold every day on the dark net. Medical identity theft is one of the fastest growing cyber crimes. Ransomware crimes are growing even faster and reaching down into profitable small businesses.
Medical businesses are a favorite. Last year, for example, Hollywood Presbyterian Medical Center revealed it paid ransom to hackers who held the hospital's computer system hostage by encrypting its patient records. I’ll bet that the hospital’s patients’ medical information was also copied and sold.
Ransomware is exactly what it sounds like -- malicious software used by cyber criminals to block access by a business owner to a computer system until a ransom is paid. It has become much more common in recent years. The number of ransomware attacks increased almost five times -- 500% -- in 2016 compared with the prior year.
This particular type of cyber crime was first recorded in 1989. The attack is relatively easy to deploy and profit from. It doesn’t take special skills, and the software or malware is easily obtainable on the dark net. The victim’s employees need only click on the wrong “innocent” appearing link to infect and compromise its computer system.
In the past, ransomware cyber-criminals targeted consumers connecting to porn sites and typically asked for modest amounts to release the victim’s personal computer files. The ransom is typically paid in Bitcoin.
The increased use of Bitcoin and other similar currencies has made this type of crime increasingly possible – it is easy to deploy, to receive payments safely and to transfer money anonymously. This has had a dramatic impact on the number and type of cybercrime opportunities. Bitcoin is the current engine of cybercrime, and it will continue to enable and expand cyber criminal activity.
Your stolen medical records can allow someone to see a doctor, get prescription drugs, file claims with your insurance provider, have surgery, etc. The thief’s health information then is mixed with yours, your treatment history, blood type, allergies, and payment (or non-payment) records. This data mix can be physically dangerous to you, cause your insurance premiums to increase and result in you being denied certain insurance coverages. It is very difficult to correct.
Stolen medical records can be more troublesome than other types of identity theft.
Read the Explanation of Benefits (EOB) statement or Medicare Summary that your health plan sends after treatment. Check the name of the provider, the date of service, and the service provided. Do the claims that were paid match the care you received? If you see a mistake, contact your health plan and report the problem ASAP.
Signs of medical identity theft include bills for services you did not receive and calls from debt collectors about medical debt you don’t owe. Since Federal law gives you the right to know what’s in your medical files, the thief may have impersonated you and received your complete records from other providers. This could wreck your medical care for life.
If you think that something is amiss, ask each of your health plans and medical providers for a copy of the “accounting of disclosures” for your medical records. The “accounting” is a record of who got copies of your records from the provider. The law allows you to order one free copy of the accounting from each of your medical providers every 12 months.
Smaller medical service providers are frequently victims of combined ransomware and medical records theft. If they are a ransomware victim, they probably have had client medical records compromised as well. This likely qualifies under Indiana law as a “breach.” It must be reported to the Indiana Attorney General. Also, it probably is subject to HIPAA, OCR and HHS regulations. The medical or business professional organization that is the victim needs to report the information promptly. Failure to do so can result in more fines and hassle than a multi-year full IRS audit.
Small profitable businesses are particularly vulnerable to ransomware and breach attacks. The cost from “ransomware” may be small compared to the costs associated with “breach,” HIPAA and other regulators’ fines, plus the negative publicity and client issues. Ask yourself if you would consider a medical professional that did not actively prevent someone’s medical information from being compromised and sold on the dark net.
Smaller businesses, particularly medical service providers, need to have adequate cyber defense insurance from a company that has the staff experts who can apply corrective actions and guide the victims through the regulatory process.
Common theft is one of the most common ways used for identity fraud; you can adopt various ways to reduce the chances of becoming a victim of this type of fraud.
Great presentation, I am very happy with the post. Thanks for sharing about this. I think it's a very hopeful post and a very important post for us. I am always searching for informative information like this.
EMR,CMS,EMS Services
Nicely presented information in this blog, I prefer to read this kind of stuff. The quality of content is fine and the conclusion is good. Thanks for the post.
Prevent Identity Theft