
Stolen EHR data is flooding criminal underground communities in the Deep Web

EHR data are precious commodities in the cyber criminal underground because of the lack of cyber security in the healthcare industry.

Electronic health record databases are becoming the most precious commodities in the cyber criminal underground.

The healthcare sector was the industry with the highest number of data breaches in 2015, when a total of 113.2 million healthcare-related records were stolen by hackers.

Huge lots of electronic health records (EHRs), medical insurance identification archives, and medical profiles represent a lucrative business for crooks.
An electronic health record (EHR) is a digital version of a patient’s medical record.
A report recently published by TrendMicro TrendLabs states that a complete EHR database could be sold for as much as $500,000 on the Deep Web.
It is also quite easy to find smaller caches of farmed medical identities, personal medical profiles, and medical insurance ID card information in the principal black markets on the dark web.

Cybercriminals are exploiting the lax security implemented for EHR systems.

“Given the contents of an EHR and its capacity to hold financial and credit card records, healthcare organizations become targets of cybercriminals who aim to steal personal identifiable information (PII), as well as financial information,” reads the report titled “Cybercrime and Other Threats Faced by the Healthcare Industry.” “But unlike other data breaches, cybercriminals have found more ways to use information from EHRs aside from selling the data in bulk in underground markets.”

The researchers analyzed the offers on the Deep Web in an attempt to profile them and understand the pricing models used by the criminals focused on the sale of EHR data.

Looking at EHR data, medical insurance IDs with valid prescriptions go for $0.50 US, while complete profiles of US citizens including medical and health insurance data were selling for under $1.

As we said, EHR data are a profitable business for cyber criminals: fraudulent tax returns based on stolen medical records go for $13.50, and fake birth certificates based on data stolen from medical records were selling for $500.

“In the last two years the number of cybercriminals committing tax fraud, through the use of stolen personal data found in EHRs, increased. As a result, Turbo Tax–a program used for filing taxes in the U.S.–had to temporarily suspend state tax filings to investigate the increasing number of fraud cases,” continues the report.

Identity theft is one of the main fraudulent activities conducted by cyber criminals, who can use the EHR data to accredit themselves to multiple web services.

“In terms of resolving fraud issues, credit card breaches have financial liability limited to US$50 per card. In the health industry, however, 65% of victims of medical identity theft had to pay an average of US$13,500 to resolve the crime–with costs covering the services of creditors and legal counsel,” reads the report. “Credit cards can be easily canceled and replaced but health care data such as Social Security numbers, and birthdates, are permanent–which means the data will live forever and that cyber criminals may reuse such information for a variety of purposes.”

Crooks can use data stolen from medical records to obtain and sell copies of real birth certificates. The following figure shows an advertisement for birth certificates published on AlphaBay, starting at US$500 per person.

The situation is worrisome: healthcare organizations are failing to protect their key assets.

It is quite easy for hackers to find EHR systems exposed online with poor security; search engines like Shodan can provide detailed information on these systems, healthcare facilities, and medical equipment.

The TrendLabs report detailed research conducted through Shodan that demonstrated the existence of many systems managing EHR data that were left open to the Internet with poor security.

Enjoy the report.

Pierluigi Paganini

(Security Affairs – EHR data, healthcare)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
