The real reason that EHR is so valuable.

Why are hacked healthcare records so valuable? It’s because they can be combined with other information to create a complete identity kit. Make no mistake—in most cases the stolen health information is the foundation of a counterfeit identity. That is why health records are so valuable to criminal groups around the world. Stolen patient records often end up for sale on the deep web as part of information packages called “fullz” and “identity kits” that can be used by fraudsters to commit a wide variety of crimes.

Typically after a health record hack, the data will “go dark” for some time before resurfacing in different variations. Initially, it will look like basic short-form ID theft material, but eventually the entire electronic health record will surface as a ‘fullz’ – the slang term on the deep web for a complete long-form document that contains all of the intricacies of a person’s health history, preferred pharmacy, everything that a criminal needs to build a counterfeit identity. These “fullz” typically sell for as little as $20 each but can be combined with other documentation to create a much more expensive, and profitable, identity kit.

After the full EHR surfaces on the deep web what happens next, is the people who purchase those records, the “fullz,” then go to another vendor on the deep web for what’s called ‘dox,’ the slang term for documentation, where they then proceed to have passports, drivers’ licenses, and Social Security cards created. The documentation costs a few hundred dollars and is combined with the EHR to create a full identity kit. From the foundation of stolen EHR they are able to create everything they need to create the counterfeit imitation of the victim. Once the information is all packaged together as an identity kit it can be sold for $1,500-$2,000.

Those ID kits are then used for a wide variety of criminal activities, including illegal immigration, human trafficking, and pedophilia as well as launching more attacks using social engineering which is infinitely simpler with all the background information in-hand.

The key to protecting your patient’s valuable health records is layered security and staff education. At the very least you should be asking the following questions:

Is our data compartmentalized or can anyone in our system access it?

What are we doing to detect abnormalities within our systems?

Have our employees been trained to protect patient data?

Do our employees only have access to the data they need to perform their job duties?

Protecting health data is of the upmost importance for every healthcare organization and ITPAC is available to help your organization have the plans and policies in place to protect your patients and yourself.