
Medicare under attack: Healthcare data breaches increase fraud risks

Melissa D. Berry  Lead Compliance Attorney Editor / Regulatory Intelligence / 黑料大湿Posts

· 5 minute read

Stealing Medicare beneficiary identification numbers has become the latest goal for cybercriminals who see this data as even more valuable than stolen credit cards

A South Florida man pled guilty in federal court in late-January to “conspiring to buy and sell more than 2.6 million Medicare beneficiary identification numbers” and other personal information. His guilty plea was one of the first prosecutions under the Medicare Access and CHIP Reauthorization Act of 2015, which makes it “illegal to buy, sell, or distribute Medicare beneficiary identification numbers without proper authority.”

As part of his plea, the defendant admitted he used “data mining” and “social engineering techniques” to collect Medicare beneficiary information that he then advertised and sold online. The defendant sold the Medicare numbers and other information of 83,000 beneficiaries to undercover federal agents for $8,000, according to court records. The government estimates he made approximately $310,000 for transactions involving millions of Medicare beneficiary identification numbers.

Medical identity theft, including the theft of Medicare beneficiary identification numbers, often supports the filing of false claims for Medicare reimbursement that can cost the federal government a year in taxpayer money.

Cybersecurity attacks on healthcare providers “reached an all-time high, with one study indicating that more than 45 million people were affected by such attacks in 2021” – a 32% increase over 2020 – according to a U.S. Senate Intelligence Committee white paper released in November 2022. Attacks on healthcare providers are increasing because personal health information “is more valuable on the black market” than credit card information. Hackers can sell medical records for $10 to $1,000 per record, according to the white paper.

The scale of data breaches in healthcare is sweeping. In calendar year 2021, the Office of Civil Rights (OCR) for the U.S. Department of Health and Human Services received of breaches affecting 500 or more individuals that exposed the protected health information of more than 37 million individuals. An additional 319,000 individuals had their information exposed in smaller breaches, according to the OCR’s report released in mid-February.

Breach risks cross the spectrum

Although social engineering can expose individual Medicare beneficiaries to , healthcare providers are also the victims of data breaches from ransomware attacks, hacking, and even employee error. Being aware of the risks and taking measures to mitigate those risks can help reduce data breaches and the healthcare fraud that can follow.

However, hacking is the for healthcare data breaches with hacking and “IT incidents” involved in 75% of reportable breaches. For example, Banner Health Affiliated Covered Entities agreed to pay $1.25 million to resolve a 2016 data breach that “disclosed the protected health information of 2.81 million consumers,” according to a February , which called the data breach the result of a “hacking incident by a threat actor.”

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to, and combat such cyber-attacks.”

The U.S. Department of Justice announced in January that it had the operations of the Hive ransomware group, which had targeted more than 1,500 victims in more than 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure. A suspected Hive attack on an Ohio health system resulted in the cancellation of all urgent surgical cases and radiology exams as well as the diverting of emergency patients before reaching a “.”

Third-party vendors can also create a data breach vulnerability for providers. UCHealth in Aurora, Colo. reported a third-party data breach that impacted nearly 49,000 individuals. UCHealth said it was informed by the company providing hosted services to the health system that the software company had experienced a security incident that may have exposed some of UCHealth’s patient, provider, or employee data. Although UCHealth’s systems, including its electronic health records, were not impacted by the incident, it provided a to individuals that the data downloaded may have included names, addresses, dates of birth, treatment information, and, in limited cases, Social Security numbers or other financial information. However, UCHealth did not believe the data taken “went beyond the cybercriminal or was misused in any way.”

Data sharing dangers

Unintended data sharing can also result in significant exposures of health information. UCLA Health announced in mid-January that it had “recently learned of an issue relating to the use of analytics tools on the UCLA Health website and mobile app.” UCLA Health explained that analytics tools on an appointment request form completed on the website or mobile app may have “captured and transmitted” information from the form to third-party service providers. UCLA Health notified nearly 94,000 individuals of the data breach; however, UCLA denied that analytics tools captured financial or payment information from patients.

In another instance involving data sharing, the Federal Trade Commission filed a complaint against GoodRx Holdings, Inc., alleging GoodRx shared “” with companies like Facebook, Google, and Criteo as well as other third parties. GoodRx did not have authorization from its customers to share their private health information, such as their prescription medications and personal health conditions, according to the complaint. GoodRx paid a $1.5 million settlement to resolve the allegations, but .

However an individual’s health data is exposed – whether by individual identity theft, hacking attack, or unintended sharing – when it includes payment information, it creates a risk of healthcare fraud. Although Medicare numbers are bought and sold on the dark web in bulk, any disclosure of payment information can increase the risk of individual or systemic fraud.