On Wednesday I blogged about how hospitals are at the highest risk for data breaches.  Some have emailed me asking why criminals would even care about Personal Health Information (PHI).  Sure, it’s private information, but what use is it to a criminal?  The Digital Health Conference last year discussed this question, and a panel of cyber security specialists determined that a single PHI record is worth $50 on the black market.  This is the same value given by Pam Dixon, executive director of the World Privacy Forum, in a 2007 interview.  So what makes these records worth $50, a value higher than that of social security numbers or credit card information?  Criminals can use a health record to file fake medical claims, purchase prescriptions, or receive treatment under a false name.  Since medical information cannot be “canceled” as easily as a credit card number, criminals have a much larger window in which to exploit the information.

For these reasons, PHI records are a tempting target for criminals, especially with the rising costs of health care.  So, yes, you should be concerned about the disclosure of your medical records, because it presents a real threat to patients.  This is why it is so important for organizations that handle PHI to have adequate security controls in place, whether they’re clinics, medical billing companies, insurance providers, or business associates.  Adhering to HIPAA helps, but being compliant doesn’t necessarily mean you are secure.