In the hidden recesses of the Internet, millions of people’s medical records are up for sale to criminals.

For John Kuhn, a routine visit to a hospital in Michigan turned into a $20,000 bill for surgery that he never actually received.

Kuhn, who works as a senior threat researcher at IBM, later learned from the hospital that staff had lost a hard drive filled with patient data, including his own record. Kuhn eventually had to prove to the hospital that it was a case of identity theft by pulling up his shirt to show that he didn’t have any post-surgical scars.

More than 113 million medical records were hacked in 2015 alone, according to data compiled by the Department of Health and Human Services. A newly released report from the Institute for Critical Infrastructure Technology, a cybersecurity think tank, found that some 47% of Americans have had their medical record hacked in the past 12 months. The majority of patients haven’t ever accessed their medical record before that happens.

But why are medical records now such a hot commodity for hackers and thieves?

The dark web is used by those who want to better hide their identity through Tor and other encryption tools. On the dark web, medical records draw a far higher price than credit cards. Hackers are well aware that it’s simple enough to cancel a credit card, but to change a social security number is no easy feat. Complete medical records typically contain an individual’s name, birthdate, social security number, and medical information. These records can sell for as much as $60 apiece, whereas social security numbers are a mere $15. Stolen credit cards sell for just $1 to $3.

Moreover, important information on the patient’s medical record will often be deleted, like an allergy to penicillin, or new entries added. In some cases, it’s intentional. But it’s more often a by-product of the theft. For this reason, the World Privacy Forum issued a lengthy report that calls it “the crime that can kill you.”

In many cases, it’s been challenging for security experts to convince doctors and other health practitioners to change their workflow. For instance, many doctors are reluctant to use dual-factor authentication, according to Rubin, as it might slow down the process of treating a critical patient.

In the meantime, security experts say that patients can take steps to make it that little bit more challenging for hackers to access their information. Avoid filling out a medical form with sensitive personal information and emailing it to a doctor or clinic, advises Adam Levin, chairman and founder of IDT911, an identity protection company. In cases where that information is faxed, ensure that a medical professional or administrator is standing by to receive it. Another tip from Levin is to ask whether it’s truly necessary to hand over a social security number, rather than to take it for granted.


July 7, 2016 by Christina Farr, Fast Company