Doxxing Raises the Stakes of Ransomware for Healthcare Providers
Jack Danahy of Barkly writes, in part:
In a very short time, ransomware has grown from a known but infrequent cyber attack to a profitable and widespread epidemic. Attacks are increasing in frequency and severity. On average, a new business is attacked every 40 seconds, and a disproportionately high number of victims are healthcare providers. In fact, research shows that healthcare providers were 4.5X more likely to be hit by Cryptowall ransomware than operators in other industries.
He then goes on to review the observations of ransomware that threatens to reveal patients’ sensitive information, such as Jigsaw.
For healthcare providers, adding doxxing to the extortion equation transforms ransomware from a critical service issue to a costly matter of HIPAA notification compliance and a case of public data breach, raising the stakes considerably. Organizations are required to report this kind of exposure of unsecured protected health information to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). In addition to potentially issuing a fine — the largest issued to date totaled $4.8 million — the OCR also publicly exposes all organizations experiencing breaches totaling 500 records or more.
This public exposure also puts patients at risk. Stolen medical records released publicly can quickly become fodder for a wide variety of fraudulent activity, from buying and reselling medical equipment or prescription drugs to filing false claims with insurers. Medical identity theft can be a painful and damaging logistical nightmare for patients, potentially ruining their credit and even endangering their lives. Victims experience the consequences of unpaid deductibles, corrupted medical histories, and even prosecution for fraud.
Of course, it’s not only ransomware that can create the risks he describes above. Theft of data with ransom demands – even those attacks that do not involve ransomware – can create the same risks, as I’ve noted previously.
But where are there any data showing that any of these potential horribles have actually happened as a result of either doxxing ransomware or the sale of patients’ sensitive information? Do we have any actual reports or proof that people have been injured in ways other than the time/stress of having to deal with perhaps changing card numbers, etc.?
I need data.