The Washington PostDemocracy Dies in Darkness

Cyberattacks are on the rise. And health-care data is the biggest target.

Placeholder while article actions load

The recent spate of cyberattacks on retailers has scared shoppers and triggered debates on Capitol Hill about whether consumers' data is being properly protected. Despite its security flaws, the retail sector isn’t the one most vulnerable to breaches. That dubious honor goes to health care.

A study of all data breaches in 2013 (pdf) found that the health-care sector suffered the highest share of attacks last year, overtaking the business sector for the first time in almost a decade.

The Identity Theft Resource Center, a nonprofit organization that tracks data theft, reported that health-care organizations suffered 267 breaches last year, or 43 percent of all attacks in 2013. That’s significantly higher than the business sector (comprised of retailers, tech companies and others) which suffered 210 attacks, or 34 percent of all breaches. The financial sector was hit by 23 breaches, or 3.7 percent of all attacks.

Unfortunately, the numbers don’t come as a surprise. In 2012, a Washington Post investigation found that the health-care sector was far behind in addressing basic security flaws.

Robert O’Harrow reported:

As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking.
Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.

One caveat: The health-care number may be distorted because of a 2013 federal regulation that requires companies to publicly report breaches affecting 500 or more people. So there’s more data out there on health-care breaches than there is on say, retail attacks. In fact, that’s a practice the retail industry is talking about standardizing right now.

But there’s no doubt the number of data breaches across sectors has increased. Since ITRC began tracking figures in 2005, the number of reported breaches is up nearly 300 percent. In 2013 alone, the number of breaches was 30 percent higher than in 2012. And the leading cause of stolen data last year was hackers.

Why would hackers want to steal your medical records? Well, there’s no limit to the uses they could put it to, according to Sam Imandoust, legal analyst at the ITRC. They could steal your identity using the sensitive data contained in medical records, abuse prescriptions to buy narcotics, or sell your information on the black market.

“If you have someone’s medical records — with their name, social security number and everything else — you can commit any other kind of identity theft,” Imandoust said.

Most of the health-care breaches in 2013 happened at the state level, at hospitals and insurance providers. California was hit by some of the biggest breaches. More than 700,000 patients’ records were compromised when two laptops were stolen from an AHMC Healthcare office near Los Angeles. In New Jersey, more than 830,000 records were stolen in a similar theft at Horizon Blue Cross Blue Shield.

What this means is that while the conversation on protecting the data consumers share with retailers is a good step, there may need to be another one about the health-care system.


How to protect yourself from medical identity fraud