Here's a bit of bad news that's guaranteed to get worse: Since the start of 2015, three major health insurance companies have discovered and admitted that hackers breached their customer-information databases.
In February, Anthem admitted that hackers had compromised the records of 80 million current and former Anthem customers dating back to 2004. In March, Premera Blue Cross admitted to a breach compromising 11 million medical and financial records dating back to 2002. And earlier this month, CareFirst Blue Cross/Blue Shield discovered a breach compromising up to 1.1 million customer records.
And remember: it's almost certain that those were not the only three American health insurance companies to have been hacked, merely the only three to have discovered and admitted such security breaches.
Of all the many types of identity theft Americans must worry about, medical identity theft is arguably the worst of all. Consider: If criminals steal your bank account or credit card numbers, it's fairly easy (albeit annoying and time-consuming) for you to cancel the contaminated accounts and switch over to new ones. Changing your Social Security number is far more difficult, but it can be done if absolutely necessary.
But you can't change your health and medical history; if that information falls into untrustworthy hands, there's nothing you can do to make it obsolete.
Most identity theft threatens your financial well-being, but medical identity theft can threaten your very life. Earlier this month, the Ponemon Institute published a study (sponsored by the Medical Identity Fraud Alliance, or MIFA) focusing on medical ID theft cases in the United States. Ann Patterson of MIFA defined medical ID theft not merely as theft of medical records and related data, but as “when someone uses someone else's identity to obtain medical goods or services.”
Imagine someone steals your health insurance information and uses it to get health care for themselves: “Your medical identity is corrupted with the identity thief's health information. So their blood type, their allergies, their diseases, their health conditions that are not accurately reflecting your health.... It is most certainly a life-or-death situation,” Patterson said.
However, the available evidence suggests that the hackers who broke into Anthem, Premera and CareFirst weren't trying to score free medical care for themselves: security investigators familiar with those cases say the evidence points to the hackers enjoying backing from the Chinese government. (China's government, however, denies any role in hacking activities against America, and points out that hacking is illegal under Chinese law.)
Your child's medical file
Yesterday, Larry Ponemon of the Ponemon Institute and Rick Kam of ID Experts, writing for the Dark Reading security blog, went so far as to suggest that “escalating cyberattacks threaten U.S. healthcare systems.”
Imagine a hostile nation-state with your psychiatric records. Or an organized crime ring with your child’s medical file. Or a disgruntled employee with your medical insurance information.
(Indeed, when news of the Anthem hacking first broke, the security investigators who first suggested the possibility of Chinese-government involvement also offered an ominously plausible motivation for it: “The attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group -- defense contractors, government workers and others.” And CareFirst primarily serves customers in Washington, D.C. and its immediate suburbs — in other words, a region where a huge proportion of the population works for either the federal government or its various contractors.)
Even for hackers interested in money rather than medical care or political power, stolen healthcare and health insurance data is far more lucrative than stolen bank account or payment-card information. Jim Trainor, from the FBI's cyber security division, talked about the black-market value of various types of stolen data bought and sold by identity thieves: “Credit cards can be say five dollars or more, where [protected health information] records can go from 20 say up to — we've even seen $60 or $70.”
It's getting worse
And Kam and Ponemon suggest the problem of medical-record theft will only get worse, mainly because the healthcare and health insurance companies don't have the money to defend against it:
… criminal attacks are up 125 percent since 2010, according to benchmark study data. For the first time, in fact, criminal attacks are now the number one root cause of data breaches, rather than user negligence/carelessness or system glitches. … Despite these growing threats, half of all organizations have little or no confidence in their ability to detect all patient data loss or theft. In addition, only 40 percent of covered entities and 35 percent of business associates are concerned about cyber attackers. This lack of concern is reflected in a lack of appropriate budget....
And there's another potential problem Kam and Ponemon didn't mention: the possibility that the very concept of “Internet security” might be inherently impossible, even a contradiction in terms.
Remember the early days of the Internet, when it was often called the “information superhighway”? The Internet as we know it was designed with the explicit purpose of making it easier to share information, whereas “Internet security” seeks the opposite: making information harder (if not impossible) for certain people to access.
You can make it easier to share something, or you can make that something harder to steal – but if you try accomplishing both tasks at once, with the same tool, you're setting yourself up for failure.