As health data continues to be a prized target for hackers, here’s how to minimize the fallout from a breach impacting your own health records
Digital transformation is helping healthcare providers across the globe to become more cost-efficient, while improving standards of patient care. But digitizing healthcare records also comes with some major cyber risks. Once your data is stored on IT systems that can be reached via the internet, it could be accidentally leaked, or accessed by malicious third parties or even insiders.
Medical data is among the most sensitive information we share with organizations. That’s why it’s given “special category” status by the GDPR – meaning additional protections are required. But no organization is 100% breach-proof. That means it’s more important than ever that you understand what to do in the event your data is compromised – to minimize the fallout.
In the first 10 months of 2023 in the US, over 88 million people had their medical data exposed, according to government figures. The number could be even higher once organizations not regulated by patient privacy law HIPAA are taken into account.
The most notable incidents of recent years include:
Among the medical data potentially at risk is your:
This information could be used by threat actors to run up bills on your credit card, open new lines of credit, access and drain your bank account, or impersonate you to obtain expensive medical services and prescription medication. In the US, healthcare records could even be used to file fraudulent tax returns in order to collect refunds. And if there is sensitive information on treatments or diagnoses you would rather keep private, malicious actors may try to blackmail you with it.
If you find yourself in a worst-case scenario, it’s important to keep a cool head. Work systematically through the following:
If you receive a breach notification, first make sure it is genuine, because fraudsters imitate exactly these emails. Read it carefully for signs of a scam. Tell-tale signs include spelling and grammatical mistakes and urgent requests for your personal information, often dressed up as asking you to ‘confirm’ your details. Check that the sender address (the real one, shown when you hover over or expand the “from” field) matches the organization’s own domain, and be wary of embedded links you are urged to follow or attachments you are asked to download. A genuine notification should not need either: if in doubt, go to the provider’s website or phone number from an independent source rather than from the message.
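The checks above can be run mechanically. The script below is an added example for this article, not code from the original page or from any provider: it parses a notification email with Python’s standard library and flags the indicators just described (a sender or Reply-To domain outside the organization, urgent “confirm your details” wording, links whose visible text hides the real destination, and attachments). The provider domain `examplehealth.test` and both sample messages are constructed placeholders, not real mail.

```python
"""Red-flag checks for a breach-notification email (added example).

Not code from the original article; standard library only. Flags the
indicators listed above: sender or Reply-To domain outside the organisation,
urgent "confirm your details" wording, links whose shown text hides the real
destination, and attachments. All domains and both messages are constructed
placeholders; examplehealth.test is the assumed legitimate provider domain.
"""
from __future__ import annotations
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_PHRASES = ("confirm your details", "verify your account", "within 24 hours",
                   "immediately", "account will be suspended", "urgent")
# Simple anchor matcher, adequate for the sample HTML; a mail client would walk the DOM.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that itself looks like a URL or bare domain (what a victim reads).
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header, or '' if none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def _same_org(host: str, legit: str) -> bool:
    """True if host is the organisation's domain or a subdomain of it."""
    return host == legit or host.endswith("." + legit)


def _host(text: str) -> str:
    """Hostname of a URL or bare domain string, or '' if none."""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


def check_notification(raw: bytes, legit: str) -> list[str]:
    """Return human-readable warnings; an empty list means no red flags found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings = []
    sender = _domain(msg.get("From", ""))
    if not _same_org(sender, legit):
        warnings.append(f"From domain {sender!r} is not {legit!r}")
    reply = _domain(msg.get("Reply-To", ""))
    if reply and not _same_org(reply, legit):
        warnings.append(f"Reply-To domain {reply!r} is not {legit!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = (str(msg.get("Subject", "")) + "\n" + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        warnings.append("Urgency/confirmation wording: " + ", ".join(hits))

    if body is not None and body.get_content_type() == "text/html":
        for href, shown in ANCHOR_RE.findall(text):
            target = _host(href)
            if not _same_org(target, legit):
                warnings.append(f"Link points to {target!r}, outside {legit!r}")
            shown = re.sub(r"<[^>]+>", "", shown).strip()  # drop inline tags
            if LOOKS_LIKE_URL.fullmatch(shown) and _host(shown) != target:
                warnings.append(f"Link text shows {shown!r} but goes to {target!r}")

    for part in msg.iter_attachments():  # yields nothing for single-part mail
        warnings.append(f"Attachment present: {part.get_filename()!r}")
    return warnings


# Constructed phishing-style "notification" impersonating examplehealth.test.
SUSPICIOUS = b"""\
From: "Example Health Records" <support@examplehealth-alerts.example>
Reply-To: records@mail-verify.example
To: patient@example.com
Subject: URGENT: Confirm your details after a data incident
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>You must confirm your details within 24 hours or your
account will be suspended.</p>
<p>Visit <a href="http://examplehealth.test.secure-login.example/confirm">examplehealth.test</a></p>
</body></html>
--b1
Content-Type: application/pdf; name="Notice.pdf"
Content-Disposition: attachment; filename="Notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed legitimate notice: matching domain, plain text, no links or attachments.
LEGITIMATE = b"""\
From: "Example Health Privacy Office" <privacy@examplehealth.test>
To: patient@example.com
Subject: Notice of a data security incident
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

We are writing to tell you about a security incident affecting some patient
records. We will never ask for your password or payment details by email.
Full details are posted on our website and available from our helpline.
"""

if __name__ == "__main__":
    for warning in check_notification(SUSPICIOUS, "examplehealth.test"):
        print("WARNING:", warning)
    print("legitimate notice:", check_notification(LEGITIMATE, "examplehealth.test"))
```

Run stand-alone, the script prints six warnings for the constructed scam (mismatched From and Reply-To domains, four urgency phrases, a link to a look-alike host whose visible text reads as the real domain, and a PDF attachment) and none for the plain-text notice. The domain comparison deliberately treats `examplehealth.test.secure-login.example` as foreign even though it begins with the real domain, which is the trick such links rely on.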
The next critical step is to understand your risk exposure. Exactly what information has been compromised? Was the incident an accidental data exposure, or did malicious third parties access and steal your data? What type of information may have been accessed? Was it encrypted? If your provider hasn’t answered these questions adequately then call them to get the information you need to take the next steps. If it’s still unclear, then plan for the worst.
If malicious actors have accessed your PII and medical information, they may sell it to fraudsters or try to use it themselves. Either way, it pays to monitor for suspicious activity such as medical bills for care you didn’t receive, or notifications saying you’ve reached your insurance benefit limit. If financial information has been compromised, keep an eye on bank account and card transactions. Many organizations offer free credit monitoring, which notifies you when there are any updates or changes to your credit reports which could indicate fraud.
Report any suspicious activity or billing errors to the relevant provider or insurer immediately. Phone or email is fine for speed, but follow up in writing so that there is a dated record of what you reported and when.
Depending on what personal information has been stolen, you might want to activate a credit freeze. This will mean creditors cannot access your credit report and therefore won’t be able to approve any new credit account in your name. That will prevent threat actors running up debt in your name. Also consider freezing and/or having new bank cards issued. This can often be done simply via your banking app.
If your login credentials were exposed in the breach, the provider should reset them automatically. If it hasn’t, change the password yourself anyway, and change it on any other account where you reused it, since stolen credentials are routinely tried elsewhere. This will prevent account takeover attempts, especially if you also enable two-factor authentication.
If fraudsters get hold of your personal and medical information, they may try to use it in follow-on phishing attacks. These could be launched via email, text, or even live phone calls. The aim is to use the stolen info to add legitimacy to requests for more personal information like financial details. Remain vigilant. And if a threat actor tries to extort you by threatening to expose sensitive medical details, contact the police immediately.
If your data was compromised due to negligence from your healthcare provider, you could be in line for some type of compensation. This will depend on the jurisdiction and relevant local data protection/privacy laws, but a legal expert should be able to advise whether an individual or class action case is possible.
Given that medical records can fetch 20 times the price of credit card details on the cybercrime underground, cybercriminals are unlikely to stop targeting healthcare organizations anytime soon. Their ability to force multimillion-dollar pay-outs via ransomware only makes the sector an even more attractive target. That’s why you need to be prepared for the worst, and know exactly what to do to minimize the damage to your mental health, privacy and finances.