We write a lot about protecting patient information and HIPAA security. It is widely known that over 20 million patient records have been breached in the past few years. Have you ever thought about some of the consequences of breached medical information? We came across a very interesting blog article over at 403 Blogs, the blog of the security company 403 Labs. 403 Labs came up with various scenarios of what an attacker could do with stolen patient information. Below are some of the ideas they came up with. A few are truly terrifying if they were to happen to you.
- With prescription information records, find out where the patient gets their meds called in, show up at the pharmacy acting as the patient, and purchase the meds to sell on the black market (or simply sell the data there).
- Blackmail or extort the patient if they have some medical condition or history that’s potentially embarrassing or detrimental to their life (e.g., injury sustained while driving intoxicated, treatment for STD, etc.).
- Identify the accounts of minors and use their valid Social Security numbers (SSNs) and personal info to open credit cards, loans, etc., which likely won’t get caught until they turn 18 and apply for credit or financial aid.
- Blackmail the physician with the threat of messing with patients’ plans of care and killing them from bad dosing to cause the physician a decade of malpractice suits and medical board inquiries.
- Create an encrypted copy of all the data, destroy the original data, sell the provider the password to the encrypted archive (relies on being able to destroy the good backups or provider not having good backups).
- Look for people with conditions that indicate easy targets for scams (e.g., Alzheimer’s medication) or target-specific scams. For instance, imagine a cancer patient getting this phone call:
“Hi, I’m calling from [well-known clinic/hospital]. Doctor Hibbert referred me to you as a potential candidate for a new drug study. Our research, with the team at [pharmaceutical company], has led to a new breakthrough drug, specifically designed to combat your type of cancer with a 90% success rate. We’ve reviewed your insurance policy with US Healthcare under policy #1234567. It looks like that policy does not cover experimental drugs. Do you have any other means of covering the $10,000 admittance fee for the study?
…I mean, we’re gonna cure your cancer. Is $10,000 really that much?”
Insert enough credible information, tell them it’s some sort of “blind study” so they can’t tell their doctor… you never know who may bite.
Imagine having all your patient information encrypted and being blackmailed for the password to your own data. Or imagine being a patient and being preyed upon because you have a certain medical condition. These scenarios are frightening from both a provider's and a patient's perspective, and they provide even more reasons to get serious about HIPAA security.