Criminals are increasingly hacking into healthcare company databases, posing a threat to patient privacy and preventing some patients from getting needed care.

According to the HIPAA Journal, last year the U.S. Department of Health and Human Services tracked a record 725 major hacks of healthcare databases. The records of 133 million people—about one in three Americans—were compromised in these breaches.

Data breaches of all types are on the rise, up 78 percent last year compared to 2022. The healthcare sector has led all industries in reported compromises in each of the past five years, according to the 2023 Annual Data Breach Report from the nonprofit Identity Theft Resource Center (ITRC).

Hackers are drawn to medical files—especially hospital records—because they’re “a treasure trove … a very rich data set” of useful information they can use in a variety of ways, said Eva Velasquez, ITRC’s President and CEO.

Criminals aren’t interested in learning about your medical conditions; they’re looking for financial information, such as Social Security numbers, medical record account numbers, and health insurance policy info that can help them commit various forms of identity theft.

They can use stolen credentials to buy prescription drugs and medical equipment, get medical treatment, apply for government benefits (such as Medicare, Medicaid, or Social Security), or file false insurance claims in the victim’s name.

An Inviting Target

Hackers are always looking for easy targets, and right now, that’s the healthcare industry. Medical facilities and doctors’ offices often have “less security” than other companies, and they often rely on “vendors and their contractors” for billing, payments, and management of patient records, said James Lee, the ITRC’s chief operating officer. These small practices and companies are more vulnerable because they “don’t have the same level of cybersecurity” as bigger medical organizations.

“All of those [vendors] have different pieces of information, but they all have access to the entire suite of information about you and others,” Lee explained. “So, it’s possible for [hackers] to attack a single organization and to get the records of thousands of other companies and all of the information those thousands of companies have.”

An organized crime ring that exploits a vulnerability in a hospital’s computer system may not even use the information it steals. They may offer it for sale on the dark web, where other criminals buy data to commit various types of identity theft.

And that stolen information can be “quite lucrative,” Lee told Checkbook. While a stolen credit card number can sell for between $30 and $60 on the dark web, information from a stolen prescription label can fetch as much as $100.

The Push to Digitalize Medical Records Amplifies the Risk

When most medical records were stored on paper, identity thieves had to break into a doctor’s office or “dumpster dive” (rummage through the trash) to get this information. Paper records simply can’t be compromised at scale. But with the digitization of medical records and the adoption of electronic health systems, this sensitive information is stored in databases vulnerable to cyber-attacks.

The growing use of health portals creates another opportunity for hackers. Patients with online access to their medical records aren’t always as security conscious as they should be.

“We have made it very easy for thieves to access information,” Lee said. “And that’s not just medical information, that’s information period.”

For Some, a Matter of Life or Death

Medical identity theft can result in significant and life-threatening consequences. Victims may have inaccurate information inserted into their medical records and, as a result, receive the wrong medical treatment and be unable to buy life insurance, according to the National Health Care Anti-Fraud Association (NHCAA).

Thieves can use stolen identities to get medical treatments or prescriptions, which can create erroneous medical records and cause all kinds of problems for victims. They could fail a physical exam for employment or be unable to buy life insurance if erroneous information they don’t know about—such as a disease or condition for which they’ve never been diagnosed, or treatment they’ve never received—is documented in their health records.

“Untangling the web of deceit spun by perpetrators of medical identity theft can be a grueling and stressful endeavor,” the NHCAA post noted. “The effects of this crime can plague a victim’s medical and financial status for years to come.”

Discussing medical identity theft during a recent Consumerpedia podcast, the ITRC’s Velasquez shared a true-life horror story from a victim who contacted the ITRC.

The woman’s stolen identity was used for medical treatments and to buy prescription drugs. As a result, she had improper diagnoses in her medical file that had to be corrected, and she had to convince her health insurance provider that she did not receive those services.

But it gets worse: Because her personal information was used to buy narcotics at different pharmacies, law enforcement was alerted.

“She didn’t learn about that until they actually came to her home to issue an arrest warrant, went to her children’s schools, pulled them out of school, and put them in the custody of Child Protective Services,” Velasquez told us. “The burden fell on her to prove that she wasn’t engaging in this behavior. She had to deal with the criminal justice system in addition to her insurance provider and her healthcare provider.”

Fighting Back

Large healthcare companies are investing in additional security measures and working with their vendors to upgrade their systems. New federal and state regulations that can result in significant fines will provide an additional incentive to do more.

But identity thieves will also find a way to get what they want. So, you need to be looking for warning signs that your medical files have been stolen.

Read your “explanation of benefits” statements. This report from your health insurance provider lists the medical purchases—prescription drugs, medical supplies, treatments, tests, procedures, and doctor visits—that have been billed to your health insurance policy.

Because this notice usually says “THIS IS NOT A BILL” at the top, it’s easy to ignore. It doesn’t take that long to read, and it could be your first indication that something is wrong.

Make sure you recognize the goods, services, and appointments listed. If you don’t, ask questions. Should you find a procedure that you didn’t have done, the purchase of prescription drugs that you don’t take, or a doctor visit that didn’t happen, a thief could have stolen your medical information.

Review your medical records throughout the year. This is easy to do if you have access via an online portal. Make sure your records are accurate. What conditions have been diagnosed? What prescription drugs are listed? Check past and upcoming appointments. If anything seems wrong, contact your medical provider right away.

Use strong passwords for all your online medical accounts. Hackers tend to go after large medical institutions with massive amounts of data. But they’re happy to break into your account if you make it easy for them. Use strong—long and complicated—passwords for any account related to healthcare: doctors, pharmacies, health insurance, and Medicare or Medicaid. Each account needs to have a unique password. That way, if a password for one account is compromised, cyber-thieves can’t use it to access your other accounts.

The best way to create and use strong passwords is to use a password manager. Checkbook has advice on how to find a good password manager and how to use it.

Limit what you carry in your purse or wallet. Identity thieves don’t have to hack a computer. They can use information you have with you, such as a debit card connected to your health or flexible savings account, or a card used to access benefits from your Medicare Advantage account.

Leave those cards at home unless you need them. Or use an app to securely store that information on your smartphone.

Help Is Available

Hackers have breached so many databases in recent years that every adult in the U.S. should assume their information has been compromised—probably more than once.

“It’s entirely possible that if you haven’t been impacted by a healthcare breach, you’re going to be in the future,” said the ITRC’s Lee. “Maybe [your information] hasn’t been misused yet, but it’s available.”

If you’re the victim of identity theft, medical or otherwise, contact the Identity Theft Resource Center. You can talk or chat with a trained advisor who will help you figure out what happened and what steps to take to protect yourself. The service is free.

Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He has been protecting consumers for more than 40 years, having covered the consumer beat for CBS News, The Today Show, and NBCNews.com. You can also find him on Facebook, Twitter, and at ConsumerMan.com.