Why Do Hackers Want to Steal PHI?

Rob Van Buskirk
April 2, 2018
Share this post

Your business is important to you, your patients, and your employees. Not only are HIPAA compliance and data security a legal requirement, they are also the right way to handle your patients’ personal information.

In today’s interconnected world, data breaches are on the rise. As you can see below, the health care sector has the 4th largest number of data loss/breaches in the U.S.

So why is PHI so valuable to a cybercriminal?

First, stolen credit cards and account data have a limited shelf life. This information is only useful until the victim cancels the credit cards and accounts. The information contained in medical records, on the other hand, has many more use cases and can be used to commit multiple types of fraud or identity theft. Medical records do not change, even after they have been compromised.

Second, personal data is much more valuable to a cybercriminal than a credit card or bank account number. For example, the average sale price for a U.S. credit card is only $1 USD on the dark web. However, when that card number is sold as part of a “fullz,” or full identity profile, the cost jumps to around $500. Health insurance credentials add an additional $20 each. Health insurance credentials are especially valuable in today’s economy, where high healthcare costs are causing some to seek free medical care with these credentials [source].

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. Let’s review the Media Notice of this rule:

Media Notice: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

So what do you do? You need to ensure that you have a great guide to navigate your HIPAA compliance and be fully compliant for the benefit of your business and your customers. Make sure your HIPAA Security Plans are current to protect your business and your legacy.