Why stolen personal health information is so valuable
May 19th, 2008 by
David E. Williams of the Health business blog
Thieves will pay 10x as much for stolen personal health information as for a stolen credit card. I think I know why.
According to The New Hacker Economics, in the New York Times:
Company e-mail, business documents and personal health information are the new targets of choice for illegal hackers, according to Finjan, a San Jose-based maker of Web security software and appliances…
“Money is the motivation for criminal hackers, and it is this kind of information that has become most valuable,” [Finjan CEO, Yuval Ben-Itzhak] said.
A couple of years ago, credit card numbers and bank account PINs sold for $100 or more on sites selling stolen information, Mr. Ben-Itzhak said. Now, the price is down to $10 or $20, compared to $150 to $200 for some of the newer documents.
The article didn’t explain why personal health information is so valuable, so I did a quick web search to get some ideas. The Coalition Against Insurance Fraud has a list of scams, which include:
- Illegal and bogus treatment by corrupt providers or fake clinics
- Purchase of drugs for use by addicts or resale
- Obtaining free treatment by impersonating a health plan member
The site suggests various ways to counteract the theft of personal health information including:
- Examining explanation of benefits forms (EOBs)
- Monitoring benefits by asking for a list of claims paid
- Checking medical records and correcting inaccuracies
The high market value of personal health information relative to credit cards and bank PINs is quite telling. All else being equal, access to a credit card or bank account should be much more valuable because it allows a crook to get cold hard cash, which can be used for anything.
The clues to the value of personal health information can be found in the remedies available to consumers. If my credit card or ATM card is stolen, I can call my bank 24 hours a day and have it stopped instantly. Worst case, I’ll see the problem clearly on my next monthly statement.
Contrast that with the suggestion to look at your EOBs! The forms are completely incomprehensible in addition to being delayed and often inaccurate. I usually toss mine right in the trash.
I’m sure my insurer would provide me with a list of claims paid, but it’s not something a person would routinely request.
The site freely admits that correcting medical records is tough:
But be warned. Correcting records can be hard. In general, federal law lets patients correct medical records created only by the medical provider or insurer that now maintains your information. A hospital or insurer that later receives your information doesn’t have to correct its records, even when they’re wrong.
So crooks are apparently taking advantage of the fact that stolen health information is likely to be useful for much longer than stolen financial information. Until that changes – and don’t hold your breath – health information is likely to continue to grow in popularity among thieves.
Looking on the bright side, maybe health plans will figure out a way to make EOBs more readable, useful, and timely. That would be a relief for members and also improve fraud detection.


May 27th, 2008 at 10:52 am
This is a great article to keep people informed about the dangers of stolen information. Many individuals use their insurance without checking the charges. It is important to keep in contact with your provider.
June 1st, 2008 at 9:45 am
[...] Health Wonk Review: Post-Memorial Day Edition [Welcome Kaiser Network readers!] Welcome to this week’s edition of all that’s wonky in the healthcare world. As a 4-timer, I was tempted to out-shtick myself, but decided to play it straight (for once). And so, without further ado… Paul Hsieh poses an interesting question at We Stand Firm: What would health insurance look like in a truly free market? I really liked the Q&A format of this post. The Health Business Blog’s David Williams has a chilling post on identity theft, specifically crooks who take advantage of the fact that stolen health information is likely to be useful for much longer than stolen financial data. Sam Solomon, blogging at Canadian Medicine, draws a connection between global warming and mortality rates. Brian T. Schwartz, writing at Patient Power, has a real issue with the concept of mandatory health insurance. Dr Deb Serani reports on a VA facility in Texas, whose cost-conscious administrator has apparently put the kibosh on any more PTSD diagnoses. HWR’s Julie Ferguson is out of the country, but her Workers Comp Insider partner, Jon Coppelman, has his own take on that VA administrator. Alvaro Fernandez, blogging at Brain Health Business, explores how people can use emerging technologies to keep their brains healthy and productive as long as possible. Here at IB, we’re big fans of transparency in health care (and health insurance). Over at his New America blog, Tom Emswiler talks about the newest HHS program, which lets consumers compare cost data at nearby hospitals. Vince Kuraitis, principal of e-CareManagement, tells us about the newest delivery and financing model to rescue primary care, the Patient Centered Medical Home (PCMH). Shaheen Lakhan, the Brain Blogger, presents a Patient Manifesto. He points out that each of us may also be a patient and so many blog posts are about medical topics and issues, but not about the patients. 
Over at Health Populi, blogger Jane Sarasohn-Kahn discusses the rising cost of health insurance, especially from the employers’ standpoint, and wonders if we’ll see more employers dropping cover, or requiring a bigger bite out of the employees’ paycheck [ed: Yes]. At the Disease Management Care Blog, Jaan Sidorov discusses the cost/benefit dilemma when looking at meds that treat brain cancers, and how making the decision on whether or not to even use them can cause more stress. Anthony Wright, of the Health Access California blog, asks what, exactly, constitutes insurance coverage? He posits that, at the very least, coverage should protect a consumer against unlimited financial liability. The Internet Marketing Blog’s D. Singh takes a close look at the new, improved Google Health, and comes away concerned about whether or not we should trust the search-engine behemoth with our private medical data. Speaking of Google Health, Health Care Industry blogger David Hamilton is quite concerned that Google has hedged its exposure in the event a privacy breach occurs. In fact, it appears that the company actually requires users to defend against or settle any suit brought against Google. Finally, you might think that insurance agents would welcome presidential wannabe John McCain’s market-based solutions. Not so fast: Our own Bob Vineyard takes the good senator to the woodshed, instead. That’s all for this week’s edition. Please make sure to stop by the Health Affairs Blog on June 12th for the next exciting episode. [...]
December 18th, 2008 at 1:47 pm
[...] However, medical identity theft remains a big problem. I was surprised a few months ago to learn that stolen medical information is more valuable than stolen credit cards. (See Why stolen personal health information is so valuable.) I think that’s because banks are quick to notice fraudulent card use and cancel cards, whereas insurance companies could take forever to notice someone’s medical identity being used fraudulently. This problem would exist even without web-based EHRs, however. [...]
April 9th, 2009 at 12:42 am
[...] at a couple of prominent US health care organizations. As I’ve discussed recently (see Why stolen personal health information is so valuable), medical records are particularly valuable to thieves. Their value has remained high even as the [...]
July 21st, 2011 at 6:31 am
The web is no longer safe. You wouldn’t want your personal health information falling into the wrong hands.
Besides, you can always keep your own health tracking record at home. Make sure the place where you plan to exercise is clean first. No one would plan on looking for you there.