The Surgeons of Lake County, located in the affluent northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored. But unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password. The doctors turned the server off and notified the authorities, refusing to pay.
The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. But the incident, which was spotted by privacy blogger Dissent Doe in a federaldatabase of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records. The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.
Medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money. Earlier cases, though, underscore the value to a criminal of medical data.
One case involved Express Scripts, the large prescription-drug benefits manager that received a threat in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including Social Security numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually notified 700,000 customers that their information could have been exposed. And in 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.
As reported earlier by Jordan Robertson, the spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing problem. Security and privacy risks are also emerging with the creation of “health information exchanges,” which are vast databases that states are setting up to handle all the electronic medical records. It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.
“This is a warning bell,” says Santa Clara University's Glancy. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”
Cross-posted from: Tech Blog
Medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money. Earlier cases, though, underscore the value to a criminal of medical data.
One case involved Express Scripts, the large prescription-drug benefits manager that received a threat in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including Social Security numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually notified 700,000 customers that their information could have been exposed. And in 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.
As reported earlier by Jordan Robertson, the spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing problem. Security and privacy risks are also emerging with the creation of “health information exchanges,” which are vast databases that states are setting up to handle all the electronic medical records. It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.
“This is a warning bell,” says Santa Clara University's Glancy. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”
Cross-posted from: Tech Blog