Your medical records are a gold mine for cybercriminals
Some say privacy is an illusion. I hope that isn’t true, but I do know that our medical records are not safe. Why should you care? Because our medical records contain our social security numbers, health insurance information, our home addresses, phone numbers, emergency contacts and their phone numbers, our email addresses, possibly our driver’s license numbers, and likely credit card payment information. Ever paid your co-pay with a credit card?

Your medical record is worth ten times more to a cyber criminal than your credit card number. And with health care’s mandatory transition to electronic medical records, cyber thieves have taken full advantage.

If you think major institutions are immune to cyber attacks, think again. You might recall the cyber attacks on the U.S. government. One in particular compromised personal information on 22.1 million people, and 5.6 million fingerprints were stolen.

No doubt you’re aware of the major ransomware attacks on hospitals across the country where cyber criminals seized patients’ electronic medical records and held them for ransom to be paid in Bitcoin.

According to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft, 90 percent of health care organizations have been hacked, exposing millions of patients’ medical records.

You probably remember the cyber attacks on major health insurers, including Blue Cross Blue Shield. Over 10 million patients’ medical records were exposed. In 65 percent of medical identity theft cases, resolving the crime costs the victim $13,500.

According to Modern Healthcare, nearly one in eight patients have had their medical records exposed in breaches in the United States. Since that article was published in 2014, that number has likely doubled.

You might be asking yourself, “What could cyber criminals do with my personal information housed in my medical records?”

Cyber criminals can monetize your personal information to obtain credit cards or loans, commit tax fraud, send fake bills to insurance providers, obtain government benefits from Medicare and Medicaid, and much more. Your personal information can also be used to purchase health care services, prescription medications, and medical equipment. It can also be used to obtain your credit report.

The above can also corrupt your medical history with inaccurate diagnoses and treatments.

This is pretty scary stuff. I’ve heard from friends and colleagues that they can only take in small amounts of this information because it’s frightening and they feel it’s beyond their control.

There is something you can do.

It is up to doctors, hospitals, and other healthcare organizations/companies to secure their electronic medical records, backup hard drives, use secure cloud platforms, encrypt emails, update software and more. Many just aren’t doing it.

According to the HIPAA Breach Notification Rule, a hospital or health insurance company that has been the victim of a security breach must inform patients. Unfortunately, many do not. Patients find out about errors on their Explanation of Benefits (EOBs), in letters from collection agencies, by finding mistakes in their health records, or on their credit reports.

As a patient, you are at risk. So am I. And we are all patients even if we just see a physician once every year or two. Had a baby? Had a vaccine? Been treated for the flu? All of us are patients and have been since we saw pediatricians when we were kids.

What you can do to protect yourself

1. Read your Explanation of Benefits (EOBs) that are sent from your health insurance plan. Call your health insurance company if you do not recognize a charge.

2. Get copies of your medical records from medical providers and review them for errors. Look out for misdiagnoses, incorrect pre-existing conditions, procedures you didn’t have, incorrect treatments, and more. If you have trouble understanding your medical records, ask your doctor or his/her nurse to help you understand the information.

3. Monitor your credit reports and billing statements for errors.

4. Do not give out your social security number to anyone unless absolutely necessary. Often the last four digits will do.

5. If you have your medical records or any personal information on your smartphone, be careful about using public Wi-Fi. This includes any hospital. If you are a patient or visitor at a hospital, make sure the Wi-Fi is encrypted. If you send or receive an email or browse the internet while using public Wi-Fi that is not encrypted, a hacker can eavesdrop on your transmission and gain access to the information on your device.

6. Set your laptop or computer to select Wi-Fi networks manually rather than joining them automatically, so that in a healthcare facility it connects only to the public network you choose.

7. Look for web addresses that begin with https. These are more secure.

8. Do not share personal information on file sharing sites. Often they are not secure, according to Becker’s Hospital Review, “10 Ways Patient Data is Shared With Hackers.”

For computers, the FBI recommends:

  • Keep your firewall turned on.
  • Install and/or update your antivirus software.
  • Keep your operating system up to date.
  • Be careful what you download.
  • Turn off your computer at night.

For more information on cyber attacks, cyber security, data mining, and patients’ medical records, see the following:

How much health care data is mined without your knowledge?

Rapid Increase of Cyber Attacks

Patients’ Medical Records hacked at Alarming Rate

Martine Ehrenclou is a patient advocate. She is the author of Critical Conditions: The Essential Hospital Guide to Get Your Loved One Out Alive and The Take-Charge Patient.
