The State Of Health Data For Vulnerable Populations, Why Cybercriminals Target Children, The Elderly, and the Dead
Jessica Sganga and Kenneth Wang of Knobbe Marten write:
As of 2021, more than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. While credit cards and social security numbers are perennial favorites, cybercrime has begun to favor the theft of electronic medical records (EMR) as sources of revenue. With banks and major financial institutions starting to wise up and tighten their electronic security, cybercriminals have begun to target vulnerable healthcare institutions with a particular focus on the records of children, elderly people, and the deceased.
Compared to credit cards and social security numbers, health records are often more lucrative for cyber criminals. Most credit card and social security numbers sell for about $5, while medical records fetch an average of $250, with the most complete records reportedly going for $1,000..
I’m going to stop this right there, as they are just repeating inaccurate information that has been previously called out as inaccurate. Experian corrected their error years ago after I pointed it out to them and yet many people still link to and repeat the old incorrect information. Similarly, a study done years ago that found a medical record could have a selling/asking price of $250 has no real predictive value in today’s market, where the market has been flooded, and a medical record might sell for a few dollars unless it belongs to some celebrity or person of great public interest.
There are good reasons to consider youth and the elderly vulnerable populations, but let’s not exaggerate the commercial value of records or data. DataBreaches.net sees patient information records on a daily basis from hacks, dumps, and misconfigured storage servers. When you see a 10-page scanned file on a patient that has PII and PHI, you might think “Great!” Then again, you may realize how time-consuming it would be to extract information from scanned pdfs in bulk. If someone needs just one record, ok, but many criminals would not invest their time in data unless it is in readily usable format.