The Black Market Value of Personal Health Information

Did you know the value of a single piece of an individual’s personal health record exceeds the value of the same individual’s credit card number by 10 or even 20 times?



The Insurance Journal reports a single credential – such as the person’s date of birth, diagnosis code, billing information, or insurance policy number – can sell for as much as $10 on the black market. A full, intact health record containing the patient’s entire health profile can sell for as much as $500. Why? Because possession of this information enables criminals to fraudulently bill insurers for thousands of dollars making the theft of personal health information a very lucrative business.


IDC estimates by the end of 2015, half of all healthcare organizations will experience between one and five cyber attacks with one third of those attacks resulting in a successful breach. Security experts at Websense agree, reporting they saw 600% increase in attacks on hospitals in 2014.


Why is the healthcare industry a target for cyber attacks?


The healthcare industry is a target for cyber attacks for two reasons: the value the personal heath record holds for thieves and the low emphasis healthcare providers place on data security as a whole.


Kalleo has been providing IT support to the healthcare industry for over a decade. We regularly see first-hand evidence of the lack of priority that is placed on data in the healthcare industry as compared to other industries we serve.  It is time for healthcare industries to recognize the enormous value of the healthcare data they possess and take appropriate steps to protect it.  While improving data security may seem to be an overwhelming process, there are some simple steps that may be taken to significantly decrease your risk of data breach.


#1: Invest in your network


Keep your PC and server operating systems current and patched regularly. Update the software packages in use by your practice as updates become available. Install security software across your network. Set up firewalls. Secure your wireless network. Be aware of what ports are open on your network and close any that are unnecessarily open. Proactively monitor your network for activities that should not be taking place in your environment. Doing all of these things will reduce the level of risk in your network environment.


#2: Train your users


Building and maintaining your network foundation is not enough. You can have the best security tools and staff available but they will do little to protect you if your employees are not educated. Review your company’s acceptable use policy as part of your new employee onboarding process. Educate your employees about best practices with regard to internet safety and security. Include training about email scams and phishing attacks. Also teach your employees what types of information you deem to be sensitive and how to properly handle the disclosure of that sensitive business information to others.


The National Cyber Security Alliance offers free resources to get you started with your training. Access their materials at


#3: Use a web filter


Consider the use of web filters to control what websites can be accessed by users on your network. Encryption and security expert Beachhead Solutions reports 52% of organizations experienced an increase in malware attacks as a result of employees’ use of social media. Social media is the perfect place for cyber criminals to prey on victims due to the sheer quantity of individuals accessing these sites daily.  Facebook had an average of 890 million daily active users in December of 2014. What may look like a harmless message or wall post may actually be a phishing scam. The typical user may not recognize the risk and as a result compromise your entire network. By using a web filter you can blacklist websites like social media pages which pose a risk to your network environment by preventing user access to those sites.


#4: Encrypt your data


HIPAA HITECH compliance requires electronic personal health information to be unusable, unreadable or indecipherable to unauthorized individuals. Despite your best efforts to secure your network, train your employees and block access to harmful websites, you could still be a victim of lost or compromised data.  The best way to ensure your patient information remains unusable should it fall in the hands of cyber thieves is to encrypt it. Encrypted data requires a secret key or password to access the information. There are cost-effective tools today that encrypt your data automatically and with no adverse impact to your users.


Securing your data and establishing acceptable use policies can be an overwhelming process – one that can be easy to put off if you do not know where to start.  The risk of data breach and the resulting consequence of such a breach is simply too great to continue to ignore. Follow these steps and get on your way towards protecting your patients’ personal health information.

Leave a Reply

Your email address will not be published. Required fields are marked *