By Taylor Armerding
Dec. 20, 2016
How valuable is personal healthcare data?
Apparently it depends. Based on at least some price comparisons on the Dark Web – the underground online marketplace for cyber criminals – electronic health records (EHR) are not even close to premium goods.
McAfee, now a division of Intel Security, reported recently that the price for an individual medical record ranges from a fraction of a cent to $2.50, while a so-called “fullz” record – name, Social Security number plus financial account information from a credit or debit card – can fetch $14 to $25.
But other experts say medical records have enormous value, for a variety of reasons – mostly financial but sometimes political or personal – and retain their value for a long time.
“Medical data is very rich information,” said Axel Wirth, healthcare solutions architect at Symantec. “Besides demographics – name, date of birth – it includes financial and account information, insurance and government identifiers, residency information, physical descriptors, next of kin, and potentially even photos. It is as much of a fullz as it gets.”
Dan Berger, president of Redspin, agreed. He said he thinks the lower prices for health data are only for what he called, “the ‘quick-flip’ scenario.
“For more elaborate schemes, a healthcare record is likely to contain a much deeper set of demographics that can be used for identity theft and fraud,” he said.
And the Identity Theft Resource Center (ITRC), in a recent blog post, said the low prices are simply a matter of supply and demand. “There is such an abundance of stolen medical information available on the Dark Web that the value of these complete records has been slashed to less than half of what they used to be worth,” the ITRC said.
Indeed, its potential uses are perhaps more varied than data stolen from any other industry sector. James Scott, cofounder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT), noted that it can be, “exploited for prescriptions, sold and resold, used for fraud or identity theft, and can be combined with other stolen data to generate holistic victim dossiers. In some less common instances it may be used for blackmail.”
To that, Wirth adds that the data can be used, “to establish a travel profile for government employees, based on vaccinations received, the sale of newsworthy medical incidents about celebrities and the use of medical data in legal disputes.”
Then there is the reality that much medical information – employment information, Social Security numbers, medical history, family members, physical descriptors – can’t be changed like a credit card account number. It is persistent, which means it is likely to retain its value for years, if not decades.