Your medical records are a prime target for hackers and identity thieves, but the healthcare industry is not prepared to deal with a surge in data breaches, security incidents and criminal attacks, according to a new report by the Ponemon Institute released on Thursday.
"Organizations in the healthcare space are not playing their 'A game' in terms of security and data protection," said Larry Ponemon, founder and CEO of the Ponemon Institute. "There are some exceptions, but generally speaking, healthcare providers either lack the resources, staff or the technical innovations to meet the changing cyber-threat environment."
The 2015 Study on Privacy and Security of Healthcare Data is based on information provided by healthcare organizations large and small, as well as related businesses that often deal with healthcare records.
The report concluded that no healthcare organization, regardless of size, is immune to a data breach. And in fact, half of all the organizations surveyed have "little or no confidence" in their ability to detect every theft or loss of patient data.
Other key findings:
- 91 percent of the healthcare organizations surveyed had one data breach during the past two years; 39 percent experienced two to five breaches and 40 percent had more than five
- Data breaches are costing the healthcare industry $6 billion a year
- Cases of medical identity theft have nearly doubled in the last five years, from 1.4 million adult victims to more than 2.3 million in 2014
"Consumers should be mad as heck that their personal medical information is being lost, stolen and exposed at a greater rate than ever," said Rick Kam, founder and president of ID Experts, which sponsored the study.
Perhaps the most eye-opening finding in the report is the increase in criminal attacks -- up 125 percent since 2010. These breaches, resulting from a cyber attack or a malicious employee inside the company, are now the leading cause of medical data breaches.
Until now, the primary way medical records became compromised was through carelessness -- maybe a lost or stolen computer -- what Ponemon calls "good people doing stupid things." And that still happens. But now, organized criminal gangs from Eastern Europe, Russia, China and Iran are trying to steal this valuable information.
A medical health record is extremely valuable. Experts say it can sell for $60 to $70 on the black market, as compared to just 50 cents or a dollar for a stolen Social Security number.
The worst kind of ID theft
Medical identity theft is more worrisome -- and often more difficult to resolve -- than dealing with a stolen credit card number. Besides financial information, your medical file may also contain your Social Security number and date of birth. It can also provide the thief access to your medical records.
"Medical identity theft is 100 times worse than financial identity theft -- it could actually kill you," Kam told NBC News.
For example, if an impostor uses your medical identity to have surgery done, their personal information -- such as blood type or allergies to medications -- could wind up in your medical file. Imagine all the problems that could cause. And you might never know your file had been contaminated this way.
Medical identity theft victims spend an average of $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records, the Ponemon study reported.
If your data is breached, don't expect to get help from those who were supposed to keep it secure. The survey found that nearly two-thirds of healthcare organizations and their business affiliates do not offer any protection services for patients whose information is stolen.