Stealing Medicare beneficiary identification numbers has become the latest goal for cybercriminals who see this data as even more valuable than stolen credit cards
A South Florida man pled guilty in federal court in late-January to “conspiring to buy and sell more than 2.6 million Medicare beneficiary identification numbers” and other personal information. His guilty plea was one of the first prosecutions under the Medicare Access and CHIP Reauthorization Act of 2015, which makes it “illegal to buy, sell, or distribute Medicare beneficiary identification numbers without proper authority.”
As part of his plea, the defendant admitted he and his co-conspirators used “data mining” and “social engineering techniques” to collect Medicare beneficiary information that he then advertised and sold online. The defendant sold the Medicare numbers and other information of 83,000 beneficiaries to undercover federal agents for $8,000, according to court records. The government estimates he made approximately $310,000 for transactions involving millions of Medicare beneficiary identification numbers.
Medical identity theft, including the theft of Medicare beneficiary identification numbers, often supports the filing of false claims for Medicare reimbursement that can cost the federal government billions of dollars a year in taxpayer money.
Cybersecurity attacks on healthcare providers “reached an all-time high, with one study indicating that more than 45 million people were affected by such attacks in 2021” — a 32% increase over 2020 — according to a U.S. Senate Intelligence Committee white paper released in November 2022. Attacks on healthcare providers are increasing because personal health information “is more valuable on the black market” than credit card information. Hackers can sell medical records for $10 to $1,000 per record, according to the white paper.
The scale of data breaches in healthcare is sweeping. In calendar year 2021, the Office of Civil Rights (OCR) for the U.S. Department of Health and Human Services received 609 notifications of breaches affecting 500 or more individuals that exposed the protected health information of more than 37 million individuals. An additional 319,000 individuals had their information exposed in smaller breaches, according to the OCR’s report released in mid-February.
Breach risks cross the spectrum
Although social engineering can expose individual Medicare beneficiaries to identify theft, healthcare providers are also the victims of data breaches from ransomware attacks, hacking, and even employee error. Being aware of the risks and taking measures to mitigate those risks can help reduce data breaches and the healthcare fraud that can follow.
However, hacking is the dominant threat for healthcare data breaches with hacking and “IT incidents” involved in 75% of reportable breaches. For example, Banner Health Affiliated Covered Entities agreed to pay $1.25 million to resolve a 2016 data breach that “disclosed the protected health information of 2.81 million consumers,” according to a February OCR release, which called the data breach the result of a “hacking incident by a threat actor.”
“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to, and combat such cyber-attacks.”
The U.S. Department of Justice announced in January that it had successfully disrupted the operations of the Hive ransomware group, which had targeted more than 1,500 victims in more than 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure. A suspected Hive attack on an Ohio health system resulted in the cancellation of all urgent surgical cases and radiology exams as well as the diverting of emergency patients before reaching a “negotiated solution.”
Third-party vendors can also create a data breach vulnerability for providers. UCHealth in Aurora, Colo. reported a third-party data breach that impacted nearly 49,000 individuals. UCHealth said it was informed by the company providing hosted services to the health system that the software company had experienced a security incident that may have exposed some of UCHealth’s patient, provider, or employee data. Although UCHealth’s systems, including its electronic health records, were not impacted by the incident, it provided a notice of the breach to individuals that the data downloaded may have included names, addresses, dates of birth, treatment information, and, in limited cases, Social Security numbers or other financial information. However, UCHealth did not believe the data taken “went beyond the cybercriminal or was misused in any way.”
Data sharing dangers
Unintended data sharing can also result in significant exposures of health information. UCLA Health announced in mid-January, that it had “recently learned of an issue relating to the use of analytics tools on the UCLA Health website and mobile app.” UCLA Health explained that analytics tools on an appointment request form completed on the website or mobile app may have “captured and transmitted” information from the form to third-party service providers. UCLA Health notified nearly 94,000 individuals of the data breach; however, UCLA denied that analytics tools captured financial or payment information from patients.
In another instance involving data sharing, the Federal Trade Commission filed a complaint against GoodRx Holdings, Inc., alleging GoodRx shared “sensitive user information” with companies like Facebook, Google, and Criteo as well as other third parties. GoodRx did not have authorization from its customers to share their private health information, such as their prescription medications and personal health conditions, according to the complaint. GoodRx paid a $1.5 million settlement to resolve the allegations, but denied any wrongdoing.
However an individual’s health data is exposed — whether by individual identify theft, hacking attack, or unintended sharing — when it includes payment information, it creates a risk of healthcare fraud. Although Medicare numbers are bought and sold on the dark web in bulk, any disclosure of payment information can increase the risk of individual or systemic fraud.