When the hacker telephoned one of the U.K.’s largest cosmetic surgery chains, his Slavic accent was so thick that the operator struggled to make out what he was saying. Eventually staff at the London-based Harley Medical Group realized the man had stolen the names of 350,000 past and potential clients, and information about the procedures they sought. It was not the crime of the century but the extortionist knew who wanted a breast enhancement, a nose job or a tummy tuck, and he demanded cash—six figures—to keep quiet.
Harley did not pay, according to CEO James Farquharson. Yet the 2014 incident resulted in an eye-catching front-page headline in The Sun tabloid and the formerly profitable chain saw the bottom line turn into a loss the following year—even though the hacker never leaked the data. “It knocked us really, really hard,” Farquharson says. “It took us about 12 months before we really started to turn the corner.”
Some institutions do submit to blackmail. In February the Hollywood Presbyterian Medical Center announced that it paid $17,000 for a decryption key after a hacker locked hospital files. Experts say the case was unusual only in the public admission. “It happens all the time, but everyone involved in it wants to keep it low-profile,” says Dean Sysman, co-founder of Cymmetria, an Israeli cybersecurity start-up. “In the health care sector, losing all the data is not only something that is a business risk, it is a human life risk.”
As hackers probe cyberspace they are finding weaknesses among the vast patchwork of doctors, hospitals and insurers that make up our health care system—many of them unprepared to counter a sophisticated hacker. Health data thieves typically seek to extort money, obtain medications, get free health care or steal identities for credit cards and tax refunds. A glut of stolen credit cards and resulting lower prices for them on the black market have made medical data especially attractive, says Angel Grant, director of fraud and risk intelligence at RSA Security: “They are looking for new ways to make money, and they see the health care industry as a soft target because they lack the security maturity of other industries.” Health care is so ripe for hacking that the sector accounts for more than a third of all of this year’s breaches involving the release of a name and sensitive information, according to a July 19 report by the Identity Theft Resource Center. It lists 538 breaches across all industries affecting nearly 13 million people.
Online, the shadowy Dark Web openly offers stolen health data for sale. “You can use these profiles for Normal Fraud stuff and/or get a brand new health care plan for yourself and with all the advantages that comes with,” said one advertisement RSA investigators found. Since 2009 more than 170 million health records in the U.S. have been exposed in data breaches, according to a tally of incidents involving more than 500 records kept by the U.S. Department of Health and Human Services. New breaches regularly appear on the department’s site, which lists the name of the institution, the number of people affected and the type of breach—such as theft, hacking or unauthorized access. In recent weeks a heart clinic in Maryland, a dental practice in Ohio, a chiropractic center in Minnesota and a Massachusetts hospital were among those reporting breaches.
Anthem, the second-largest U.S. insurer, said in 2015 that outsiders had stolen personal and employment data and Social Security numbers—but not medical information—on some 78.8 million people in its Blue Cross Blue Shield plans. Massachusetts doctor Gary Lasneski was among the millions whose data was stolen. Not long after he learned of the breach the Internal Revenue Service wrote him saying they suspected a fraudster had filed a tax return in his name. Initially, he shrugged off the news. “Because I pay every year, I thought, ‘Good, let them file and pay for me,’” he says.
But he soon learned the matter was no joke, because criminals file returns hoping to receive tax refunds. Soon someone tried to set up fraudulent accounts at Best Buy, Office Depot and Capital One using Lasneski’s information. He later joined a class action lawsuit against Anthem. Health care data breaches cost companies an estimated $2.2 million per incident, leading to collective annual losses of $6.2 billion, according to a study released in May by the Ponemon Institute. Yet many patients stay with their providers even after a breach, because changing doctors, hospitals or insurers is far more complicated than just shopping at a different chain store. By contrast, after Target was breached in 2013 it reported that expenses resulting from the breach in 2013 and 2014 totaled more than a quarter of a billion dollars. Even non-Anthem clients had data stolen in the same breach—as I learned when I received a breach notification letter; after my inquiries, Anthem disclosed that this was because it was administering a drug plan for CVS Caremark, which partnered with my previous insurer.
Whether a single-doctor office or medical insurance company, health providers must make it more difficult for hackers to penetrate their systems, experts agree. The same applies to companies paid to process their information. Yet consumers need to pay more attention as well by taking measures such as monitoring their electronic health records. “Most portals will send an alert to you to let you know there was a modification to your record,” RSA’s Grant says. “Just by seeing that and knowing that you haven't ordered something, that you haven't gone to the doctor, that should be a red flag.”
Some health care organizations are beefing up security but most continue to lag behind sectors such as finance and banking, experts say, noting that many are simply not investing enough time and energy to address the issue. “The majority of both health care organizations and BAs [business associates] have not invested in the technologies necessary to mitigate a data breach nor have they hired enough skilled IT security practitioners,” concluded Ponemon’s latest annual survey on the subject.
Harley Medical’s Farquharson agrees with this assessment and admits his firm’s old Web site was vulnerable. Others would prefer not to concede such shortcomings publicly. Three other CEOs hit by medical breaches in recent years—including Anthem head Joseph Swedish—declined interview requests for this article.