The Value of Protected Health Information (PHI) To Hackers: Understanding the Risks and Implications

The Value of Protected Health Information (PHI) To Hackers: Understanding the Risks and Implications

In today’s digital world, hackers have exploited the newest technologies to steal protected health information (PHI) from hospitals and other healthcare facilities. These malicious actors will go to great lengths, such as bundling malware with legitimate downloads to gain unauthorized access. As the number of breach incidents in hospitals increases, one can’t help but wonder why PHI is valuable to hackers.

This article will discuss why a patient’s protected health information is valuable to hacks, along with its risks and implications.

value of phi protected health information

Understanding the Value of PHI To Hackers

The HIPAA Privacy Rule defines protected health information or PHI as any data within an individual’s medical record that can identify them as a patient. It contains valuable information such as names, addresses, biometrics, ID numbers, and health insurance details. It also includes information about a patient’s laboratory tests, diagnoses, and treatment.

For hackers, patient records containing PHI are of great value, for they can be used to commit malicious activities such as identity theft and medical fraud. Hackers may also use PHI to extort money from healthcare facilities. Take what happened to Peachtree Orthopedics, for example. The Georgia-based orthopedic center recently fell victim to an extortion case wherein an unauthorized third-party gained access to the institution’s PHI.

So, if you’re wondering why PHI is valuable to hackers, here are three probable reasons:

1. Higher selling price

Unlike other forms of information, hackers can sell PHI at a higher selling price. According to an article posted in Imprivata, a healthcare record’s selling value could go as high as $250 per record when sold on the black market. That’s approximately 46.30 times pricier than a payment card’s price, which currently sells for around $5.

2. Long shelf life 

When stolen, PHI can be stored for an extended period, unlike other forms of information. For instance, hackers prefer to steal a person’s protected health information than his credit card since the latter is easier to cancel the card or call the bank for assistance. However, with PHI, individuals are often unaware of their medical records being compromised or stolen. If not for a breach notice from a hospital or any healthcare facility, then it’s unlikely for them to know that they have already fallen victim to a data breach.

3. Multiple uses for data 

PHI is extremely valuable for hackers because they can use the data in different ways. They can use it to make false medical claims, buy prescriptions, or receive treatment. These can pose real threats and risks to patients who are actual owners of the compromised medical information.

The Value of Protected Health Information (PHI) To Hackers: Understanding the Risks and Implications

Implications of PHI Breaches: Financial, Legal, and Reputational Consequences

Knowing why PHI is valuable to hackers is one thing, but it’s also important to be aware of the consequences pertaining to PHI breaches. It is also worth noting that anyone can be criminally liable if they intentionally misuse or obtain PHI. Criminal penalties and jail time will depend on the severity of the case.

Wrongful disclosure of PHI

If the individual did not know that they violated a rule or showed a lack of knowledge about their violation, they could end up paying a $50,000 to $250,000 monetary penalty or one year in prison.

Wrongful disclosure of PHI under false pretenses

If a person or entity discloses the PHI without permission or consent, they can face up to five years of prison and a $100,000 fine.

Wrongful disclosure of PHI under false pretenses with malicious intent

Hacking incidents fall under the most severe HIPAA violation. Anyone who unlawfully obtains PHI to sell, transfer, or use the data for personal gain, commercial advantage, or malicious harm can face ten years of prison time and up to a $250,000 fine.

Factors Driving the Demand for PHI on the Dark Web

There are multiple factors that drive hackers to steal PHI and sell them on the dark web. Getting money from their victims is one of the primary reasons why hackers target PHI.

Here are some of the factors that drive hackers to steal and sell protected health information on the dark web:

Extortion

Cybercriminals demand ransom money from individuals or medical providers in exchange for restoring access to critical health data or preventing the release of sensitive medical information to the media.

Medical Fraud

Hackers obtain healthcare services for free using another individual’s valid health insurance card. They may also use the stolen health information to buy drugs (e.g., prescription medicines) or medical equipment and sell those to make a profit.

Identity theft

Those who steal PHI from others may use the personal information obtained to create fake IDs. They may also use a valid Social Security number to open lines of credit and use it for their own gains.

Data laundering

Cybercriminals sell stolen data from medical records to businesses or repackage insurance claims data. They aim to make illegal data look like legitimate information as if it were obtained legally.

The Value of Protected Health Information (PHI) To Hackers: Understanding the Risks and Implications

Safeguarding PHI: Best Practices for Healthcare Organizations

To prevent hackers from stealing valuable patient information, make sure to implement the following best practices for HIPAA compliance:

1. Conduct regular assessments and reviews

Implement frequent evaluations of your current privacy and security policies related to data encryption, risk analysis, access controls, and more. Identify gaps in your data privacy protocols and improve them according to HIPAA compliance regulations. Document these findings as well as the action plans you took to resolve the privacy risks within your electronic health records and systems.

2. Train your employees regularly on HIPAA standards

Conduct employee training on the HIPAA standards and policies during onboarding and annually. With proper HIPAA training, your organization can promote awareness and emphasize the importance of maintaining PHI integrity. You can also educate your employees on the proper handling of digital and physical. In this regard, employees need to recognize malicious activities to prevent data breaches and unauthorized PHI access.

3. Implement technical and physical safeguards

Always enable end-to-end encryption when sending attachments or faxing patient records with PHI. It also helps to implement multi-factor authentication and change your passcodes regularly. Monitoring who can access PHI should include those outside your organization or digital database. Implementing additional security safeguards like installing security cameras and following the HIPAA double lock rule is also crucial.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
Safeguarding Privacy With HIPAA Forms for Patients
Safeguarding Privacy With HIPAA Forms for Patients

In this article, you will learn why HIPAA forms for patients are necessary for healthcare providers ...

Read Story
HIPAA Training Courses and Programs: Everything You Need to Know
HIPAA Training Courses and Programs: Everything You Need to Know

This guide will walk you through the HIPAA training basics and the courses available for you to take...

Read Story
HIPAA Violation Credit Dispute: What You Need To Know
HIPAA Violation Credit Dispute: What You Need To Know

This guide helps you understand HIPAA violation credit disputes and the steps you can take to initia...

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.
    Arrow-up