BreachExchange mailing list archives

Medical Info for Sale Online


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Sep 2013 00:09:03 -0600

http://www.nbcwashington.com/investigations/Medical-Info-for-Sale-Online-224954762.html

You can find almost anything on the Internet these days. The News4 I-Team
discovered with just a few clicks and a couple hundred dollars anyone can
even buy private medical details online that only you and your doctor
should know.

“There are between one and two million Americans affected by medical
identity theft each year,” Lisa Schifferle, with the Federal Trade
Commission, told the News4 I-Team. “It can happen in all sorts of ways.
There can be insiders that are paid to steal information from hospitals and
nursing homes.”

D.C. has had its share of breaches. In 2012, more than 66,000 people were
put at risk after someone stole a Howard University Hospital contractor's
laptop. In 2011, the company which provides healthcare for the military,
Tricare, lost tapes containing private information of almost five million
people.

A Howard University Hospital spokesperson said there’s no evidence that any
private information on that stolen laptop was misused. After the incident,
the hospital toughened up security procedures with encryption and more
HIPAA retraining. Tricare said it could not comment on the case involving
its lost tapes due to ongoing litigation.

So, where does the compromised information end up? According to the FTC,
the information often goes overseas, sold for big bucks. “Some studies have
indicated that on the black market, you can get more for medical
information than you can for a social security number,” Schifferle said.

Terry Martinez was shocked when the News4 I-Team showed up at his door with
private information we found for sale online. “That's my social, date of
birth, IP address. They got everything. My driver’s license number. They
even got the term life insurance,” said Martinez as he looked through what
we found.

When the News4 I-Team asked him if he had ever checked to see if his
medical records had been compromised, he told us, “No. I hardly ever even
go to the doctor. Very seldom do I ever check that.”

Martinez knew something was up, though, since he’s been fighting for the
past year to get his identity back after discovering someone tried to file
his taxes and emptied his bank account. But Martinez had no idea some of
his medical information was floating around on the Internet, too.

He’s not alone. The News4 I-Team found private information for people all
over the D.C. area, including physician contacts, insurance providers,
whether people smoke and even the amounts of insulin doses administered
each day.

The man who was selling the information agreed to talk via Skype from Costa
Rica but would not show his face.

He said he got most of the current medical records from India, where call
centers gather information by phishing over the phone. In those call
centers, he said, “You're going to see people buying data, selling data,
like it was candy at a store.”

The seller also described how the operation worked when he, himself, was a
telemarketer for an overseas company. He said callers would try to get
missing private details from people over the phone. “They gave me a script
that I had to read,” he said. Part of the script read, “’So, what is your
name? What is the doctor's name?’ When we didn't even have the doctor's
name on it,” he explained. “We were just saying that.”

Those private details were then often sold to medical companies that
targeted people with health conditions and charged insurance companies for
services and supplies.

You can protect yourself. The FTC says everyone should check their credit
report for unusual medical bills or charges. Ask your health insurance
provider for a list of benefits in your name. And never provide medical
information to a caller over the phone.

If you do find out you have been a victim, you should file a complaint with
the FTC and police. Also, contact your medical providers.

The U.S. Department of Health and Human Services started tracking medical
data security breaches affecting 500 or more people. To search breaches in
your area, click here:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
