Growing Threat: Medical Identity Fraud Runs Wild Via Online Black Markets


We’ve reported extensively on medical data breaches, but a new ABC News investigation has revealed something startling: data breach or no data breach, our “private” medical records are just not private.

How can this be?

Turns out there is a growing “black market” where millions of records can be bought online. Because so many people in a healthcare setting have access to online patient records, the entire system is vulnerable to theft.

Greg Porter, a security IT specialist with Allegheny Digital, told ABC News that it takes anyone two clicks of a mouse on Google to find somebody willing to sell a “data dump” of patients. A data dump may include, for example, personal information such as patient names, birth dates, Social Security numbers, insurance providers, and other confidential details.

Another risky issue is the explosive growth of cloud-based, online medical records. There are at least 255 health information exchanges across the United States so far, including 17 each in New York and Texas, 12 in Florida, and 10 each in California and Michigan, and that number is increasing at a steady clip, according to Identity Theft 911 cofounder Adam Levin.

He says two factors spur the growth: first, medical professionals receive federal grants for updating their systems; second, there are some obvious efficiencies in a cloud-based, paper-free environment.

Levin raised the following issues in a recent editorial:

“As our society moves toward digitization and sharing of a wide range of extremely sensitive data, it is essential that we find approaches to information security that rest on a solid foundation — that are capable of enabling technological and social advances while protecting both the privacy of individuals and the security of our institutions.”

It turns out that our sensitive health information is available to anyone who works in that healthcare setting or has access to the online medical records.

Our expectation is that records remain private under the Health Insurance Portability and Accountability Act (HIPAA), but the reality is that any physician’s notes could be accessed by doctors and other healthcare providers who work in the same healthcare system.

Unfortunately, more than 3.5% of the U.S. population has had their personal health information (PHI) compromised, and because of egregious medical data breaches, some patients will put off seeking treatment out of concern about the unintended consequences they could suffer if their PHI is compromised.

For example, a Delaware pediatric health facility lost data on 1.6 million patients, while Tricare lost the PHI of approximately five million patients.

And last May, the Department of Health and Human Services announced a $1.5 million settlement with Blue Cross Blue Shield of Tennessee after the company’s inadequate security measures allowed 57 unencrypted hard drives containing private health information to be stolen from a medical facility.

The unencrypted hard drives contained the protected health information of over one million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

Privacy Tips

If you believe your information was used or shared in a way that is not allowed under HIPAA rules, you can file a complaint with your provider or health insurer. The notice of privacy practices you receive from them will tell you how to file a complaint. You can also file a complaint with the Department of Health and Human Services’ Office for Civil Rights or your state attorney general’s office.

If you believe that an online company that is not covered by HIPAA, such as a message board, has shared your health information in a way that conflicts with the privacy policy on its website, you can file a complaint with the Federal Trade Commission.



Elaine Rigoli

Elaine Rigoli is PRIVATE WiFi's manager of digital content strategy.
