Fly in the Ointment: Are Hackers Paying Healthcare Workers to Expose Patient Records?

When you hire a new employee to join your medical organization, you try to choose someone smart, hardworking and trustworthy. But since we live in an imperfect world, these new hires don't always work out. Maybe the newbie was a slow learner, or repeatedly late to their shift, or maybe they just didn't mesh with the company culture. Whatever the reason, they had to be let go.

While this is an uncomfortable decision to make, a lot worse could happen. For example, your new employee could steal and resell patients' medical information. Yikes!

Thankfully, CyberPolicy offers healthcare cybersecurity insurance to protect hospitals, doctors' offices and other healthcare organizations against the deleterious effects of cybercrime and data breach.

Coming Down with a Case of Collusion
According to HIPAA Journal, cybercriminals and fraudsters often target the lowest compensated healthcare workers and pay them to steal patients' personal information, including names, addresses, dates of birth, Social Security numbers, admitting diagnoses and insurers. This information is often published to a digital black market, known as the dark web, to be used in identity theft scams.

Just how valuable is this data? Unlike stolen credit card numbers, which are sold for a mere dollar or two, pilfered medical records are worth up to $40 to $50! That's because credit cards have a relatively short shelf life due to expiration dates and cancellation policies, whereas Social Security numbers last a lifetime.

As you can see, this is a pretty profitable, albeit illegal, business model for hackers. Just pay a low-level healthcare employee for their efforts, flip some of the records online for quick cash and exploit a few of the records yourself for a windfall of ill-gotten gains. Clever cyber crooks could even run this operation at several different hospitals without facing criminal prosecution.

But what about the healthcare insiders or accomplices? If caught, they could face termination or criminal charges. But then again, your organization could also face a class-action lawsuit for allowing the data breach and unwittingly exposing patient health information.

Take, for instance, Tampa General Hospital, which agreed to pay plaintiffs $10,000 in damages (and up to $7,500 to cover litigation expenses and attorney fees) after an individual was arrested for possession of patient records. The person in question allegedly purchased patients' data from a disgruntled hospital employee.

If you want to avoid a similar fate, consider investing in a healthcare cybersecurity insurance policy that protects you in the event of a data breach, class-action lawsuit or cybercrime.

Additionally, you'll want to educate your employees about the risk of sharing data outside of your organization or through unencrypted channels; after all, most data breaches are caused by employee negligence rather than internal conspiracy.

Finally, if you do discover that one of your employees has been spilling secrets and patient information, fire them. It's much better to look for a new employee than to risk the damage to your reputation. Remember that people trust your organization to improve their health and wellbeing, and that includes the security of their most private information.

