Forgot your password?
typodupeerror
China Crime Medicine Privacy The Almighty Buck Your Rights Online

Why Chinese Hackers Would Want US Hospital Patient Data 171

Posted by timothy
from the makes-great-gift-wrapping-too dept.
itwbennett (1594911) writes In a follow-up to yesterday's story about the Chinese hackers who stole hospital data of 4.5 million patients, IDG News Service's Martyn Williams set out to learn why the data, which didn't include credit card information, was so valuable. The answer is depressingly simple: people without health insurance can potentially get treatment by using medical data of one of the hacking victims. John Halamka, chief information officer of the Beth Israel Deaconess Medical Center and chairman of the New England Healthcare Exchange Network, said a medical record can be worth between $50 and $250 to the right customer — many times more than the amount typically paid for a credit card number, or the cents paid for a user name and password. "If I am one of the 50 million Americans who are uninsured ... and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details," he said.
This discussion has been archived. No new comments can be posted.

Why Chinese Hackers Would Want US Hospital Patient Data

Comments Filter:
  • by Joe_Dragon (2206452) on Tuesday August 19, 2014 @10:20AM (#47703019)

    Time for medicare for all in the usa also the million-dollar heart transplant is loaded with markup where you can likely go out side of the usa and pay way less for it.

    also due to court rulings in favor of inmate care you can just go to prison / jail to get one as well.

    http://www.cbsnews.com/news/pr... [cbsnews.com]

    • by Anonymous Coward

      The parasites in congress are the problem, not the answer. They're feeding their friends, the lawyers. Let's be honest; It's a lot better for me to order tests than to evaluate a person. The insurance company doesn't pay me to do the latter, and the lawyers are waiting for me to do the former. The more tests I do, the harder a case they have to demonstrate, and the lower my insurance, so higher my profit. It's really simple. Keep electing your lizards instead of their lizards, and healthcare will continue t

      • by alen (225700) on Tuesday August 19, 2014 @10:39AM (#47703185)

        and how many times have people, especially women have gone to the doctor and been ignored or told their symptoms were nothing? when the doctor should have done a test or procedure based on the patient's complaint? or in my wife's case a lower doctor wanted to do a c-section without doing the right tests first and her doctor who was the chief of obgyn at the hospital said no and after they did the tests it was found a c-section was not required

        even then it's hard to sue for malpractice. the lawyers who do this have nurses on staff who review the charts and only a small percentage end up in a lawsuit.

    • Hah! And when the US economy collapse because of it, we will drag China down with us. What comes around goes around.

    • by Charliemopps (1157495) on Tuesday August 19, 2014 @10:52AM (#47703313)

      Yes, because the single payer systems in Europe of trouble free right?

      I'm not saying we don't have an issue, but your 1 step solution is a joke. The same corruption, greed and poor administration that afflicts us now would continue in the new system. It would just include all the problems of government waste and politics as well.

      The problem in the US is states have enacted their own laws governing what treatment is required by law. So states that are pro-patient rights oppose allowing patients being able to seek insurance outside of the state as that would be an end run around their laws. As a result, patients cannot for any meaningful patients rights groups of a large enough size to make a difference in the healthcare market. There aren't enough doctors because younger doctors can make more money doing plastic surgery and other cosmetic specialty work, and the older doctors get pair so much they only feel the need to work 2 days a week. Tuition to medical schools in this country is borderline insane.

      This is a very complex issue and throwing black and white solutions at it while calling your opponents stupid will get your no-where.

      • by jklovanc (1603149) on Tuesday August 19, 2014 @12:28PM (#47704211)

        Take a look at this comparison [wikipedia.org]. Even though the US government pays much more per capita than Canada it does not cover everybody it while Canada does. Here is a possible reason;

        A 1999 report found that after exclusions, administration accounted for 31.0% of health care expenditures in the United States, as compared with 16.7% of health care expenditures in Canada.

        Single payer systems make administration much simpler.

        • Same is true in Oz, overall an Aussie family of 4 pays about 1/10th of the price they would pay in the US for health cover and yet the US has statistically inferior health outcomes.

          The US health system is a (sad) laughing stock of the western world, and is by far the most expensive for individuals. But at the end of the day the irrational fear of "socialism" amongst average americans has given them the inefficient private system they demanded.
      • I'm serious. Where did you go to school? Because I want to make sure that absolutely nobody I know goes there. Wow. If your plan was to take the daily prize for grammatical errors, missing words, lack of sense, and so on, well, congratulations as we have a winner.

        You're (you might notice that I spelled that correctly) the only person I know of to ever mention individual state laws as a health care problem. A law can simply be passed making health care a federal matter to deal with that. And tu
      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Yes, because the single payer systems in Europe of trouble free right?

        I'm not saying we don't have an issue, but your 1 step solution is a joke. The same corruption, greed and poor administration that afflicts us now would continue in the new system. It would just include all the problems of government waste and politics as well.

        "Government waste"? Every other health care system in the world has lower costs that the US as a percentage of GDP and per capita:

        http://www.theguardian.com/news/datablog/2012/jun/30/healthcare-spending-world-country

        You would reduce waste by going with single-payer.

        And these costs don't even get the US the highest life expectancy or lowest child mortality rates.

        I'm sure there are good arguments against single payer, but worries about waste are not one of them.

      • by radarskiy (2874255) on Tuesday August 19, 2014 @01:33PM (#47704767)

        "Yes, because the single payer systems in Europe of trouble free right?"
        1) Where did the OP claim that it was trouble free?
        2) Why does it have to be trouble free before it can be useful?

      • by nbauman (624611)

        Yes, because the single payer systems in Europe of trouble free right?

        Ever hear, "Price, quality and service. Pick any 2." The Europeans, and Canadians, have decided that they would let their waiting times increase to what they feel is a tolerable amount. In exchange, they have quality about equal to ours and it costs around half of what we pay.

        I've compared the outcomes of surgery, cancer, heart disease, and other treatments in the US/Canada/Europe/Australia, and they're all about the same in developed countries. Some of the best outcomes are in the Veterans Affairs system -

    • the million-dollar heart transplant is loaded with markup where you can likely go out side of the usa and pay way less for it.

      Yeah. With heart transplants, as with anything else, you get (more or less) what you pay for. Sure, that discount heart transplant you paid $30 for in Mumbai *might* be just fine...but I'd bet my life against it.

    • by nbauman (624611)

      Time for medicare for all in the usa also the million-dollar heart transplant is loaded with markup where you can likely go out side of the usa and pay way less for it.

      also due to court rulings in favor of inmate care you can just go to prison / jail to get one as well.

      http://www.cbsnews.com/news/pr... [cbsnews.com]

      Boy, is that ever the exception that proves the rule. In order to get a heart transplant somebody had to sue the California prison system for him.

      If they didn't want to pay for it, they could have released him on parole. He was sentenced for burglary and robbery. A patient with heart failure isn't going to be able to commit any more burglaries and robberies. He'll be lucky if he can walk around the block.

      Despite this unusual example, prisoners have some of the worst health care in the country.

      I read a serie

  • uh-huh (Score:5, Insightful)

    by Anonymous Coward on Tuesday August 19, 2014 @10:22AM (#47703037)

    Are there documented cases where the uninsured poor have bought blackmarket medical records to get healthcare? This seem preposterous.

    • Re:uh-huh (Score:4, Interesting)

      by Anonymous Coward on Tuesday August 19, 2014 @10:55AM (#47703345)

      This seem preposterous.

      As a person in the medical billing field, I've regularly seen faked insurance cards, but they're easy to weed out thanks to electronic eligibility verification. Given that people will walk right up to the counter with their "Homana" insurance card printed on cheap paper, I can absolutely believe that we've treated people who claim to be Jane Doe, have an insurance card with Jane Doe's name, group and policy # on it, and know Jane Doe's DOB (sufficient information to pass eligibility verification). The only way the insurance company would figure it out is if the real Jane Doe was being seen by a doctor somewhere else that day, or if Jane Doe actually read any of the paperwork she gets past the line "This is not a bill".

    • by nbauman (624611)

      The idea that somebody would get a million-dollar heart transplant with a stolen SSN number and DOB seems especially preposterous. The surgeons would have to go over the previous medical history and records in great detail.

      The guy they quoted was CIO of Beth Israel Deaconess hospital. Either I'm awfully stupid, or he got it wrong.

  • and more likely some hacker group wanting to sell SS# and CC# on the black market.

    That's my opinion.

    • I'd agree with you. Using a person's name, address, social security number, and date of birth (all items included in the hacking), you can steal someone's identity and open lines of credit in their name. Then you run up a big tab, buying electronics and the like, and let the person whose identity you stole deal with the bill. This happened to me awhile back, except I was lucky that the thieves paid for rush delivery of the credit card before changing the address from mine to theirs. The card arrived at

      • by SydShamino (547793) on Tuesday August 19, 2014 @11:12AM (#47703495)

        I'm amazed at how skillfully the finance and corporate community has ingrained "identity theft" into consumer's minds. (And yes, I'm using "consumer" instead of "citizen" on purpose.)

        If someone uses a fake credit card to buy items from a store, they have defrauded the store and the credit card company. It should be irrelevant whether the name on that card is fake, or belongs to some other uninvolved third party.

        And yet, the industry has managed to redirect the mindset and conversation to shift much of the blame onto that uninvolved third party, making them feel like they are the ones violated by this process, and leaving them with the mess to clean up while those defrauded only write off their losses after the third party goes through hoops to "prove" their own innocence. Meanwhile, there's rarely effort to go after the actual criminal at all.

        I understand the reasons why there is a credit market, but I reject the notion that what was once called fraud, perpetrated against a business that is responsible for their losses, is now theft against an unrelated third party that is guilty until proven innocent by the corporate megaliths that run the financial world.

        • by Jason Levine (196982) on Tuesday August 19, 2014 @01:37PM (#47704805)

          I agree that it is fraud and that it's ridiculous that the result of Identity theft is up to the affected person to prove/clean up. I don't think that the name "Identity theft" puts the blame on the victim, though, any more than "car theft" puts the blame on the owner of the stolen car. (Before someone complains "identity theft isn't theft because you still have your identity", imagine if someone kept "borrowing" your car while you slept but returned it every morning with more scratches and dings. You'd still have use of it when you wanted it, but the value of the car would drop quickly and it would be up to you to pay the repair costs. This is what identity thieves do to your credit.)

          Sadly, as was my experience during my identity theft, the companies just don't care. The credit card companies see the fraud as something to write off as a cost of doing business and then they move on. Capital One actively blocked both me and the police from investigating. They told me "we can't give you the address on the card with your name on it because if you go and kill the person, we'd be liable." They would just ignore when the police called. (Calls routed to a voicemail box that was never answered.) The credit agencies are even worse. They see your credit file as a profit engine. New lines of credit on your credit file help drive their profits. Anything that blocks this is bad for business. So protecting against identity theft is bad for business. As far as the fraud goes? Well, that's the little people's concern, not theirs. (I was lucky that I caught it when I did or I'd have been fixing the problem for a long, long time.)

          • >> I don't think that the name "Identity theft" puts the blame on the victim, though, any more than "car theft" puts the blame on the owner of the stolen car.

            I think there is a distinction, though, because in the case of "car theft", you rarely have to prove that it was not you using the car. Imagine if every time a car was stolen, the owner never noticed until it was used in a robbery (or driven through a red light camera), and you were assumed guilty until you proved it was not you driving. That

    • 1) That is a hypothesis, not an opinion
      2) The summary states "...the data, which didn't include credit card information...", which contradicts half of your hypothesis.

  • by ColdWetDog (752185) on Tuesday August 19, 2014 @10:30AM (#47703103) Homepage

    The thesis is that you can waltz into a doctor's office AND a hospital with faked records and get the treatment needed. Basically the important bit is the insurance info - what has happened to "you" is less important than what you want to eventually happen to you (in the example given, a heart transplant).

    I kinda doubt this, at least in a general sense. First off, you can show all the insurance cards and 'insurance info' to the medical provider all you want. The provider is going to query the insurance company before doing anything expensive. Fine, you say, call them all you want, the 'patient' is insured (it's just not the right patient). Now comes the hard part. The minute that the insurance company starts getting claims from both Peoria and Trenton, NJ flags are going to go up. Other old records would be sought (for something big like a transplant or joint replacement) which would likely not match.

    Anything remotely resembling a heart transplant is going to fall apart unless both the real and fake patient have nearly identical physiques, ages and problems. More routine issues could go undetected for a while but persistent discrepancies would show up and as soon as the insurance company flagged the claim as problematic, big ticket items would be placed on hold until things go cleared up. When I worked in an early Medicaid HMO in the 1980's we had some problems with folks 'sharing' the Medicaid ID card (no picture, just a printout basically). It was pretty obvious when the patient's weight varied 30 pounds every other week. We soon insisted on photo ID.

    And, in fact, the feds also insist on photo ID these days. Yes, if you're bleeding out we don't ask for it up front but as soon as your blood pressure normalizes we're poking around to figure out just who you are.

    So it's possible that that full on medical records might be of value, but it's going to be much harder to monetize than a credit card number and likely would be of limited use. That doesn't mean that the information shouldn't be sealed up, of course. I'm just not sure how big a deal this is. And, in the case of the Community breach, they apparently did not get that information anyway.

    • Yes, the summary's idea that one could get a heart transplant with faked records is baloney. But there are a lot of simpler health care interactions which are easier to get with faked records, such as basic prescriptions. And it's not much harder to monetize, you do it the same way you do credit cards. Those marketplaces are well established for both CC info and health info, in many cases they are the same place.
      • by danlip (737336)

        You may be right with prescriptions. And the people using the fake medical identity would not be getting the prescriptions for themselves but for resale on the black market, and would probably be a career criminal. If they are local (relative to the real person) and they go to the same pharmacy (which would already have the account info in their computer) maybe they wouldn't be asked for ID or flagged as fraudulent. Although it's still a little hard to believe, because the drugs that are valuable on the bla

      • by tlhIngan (30335)

        Yes, the summary's idea that one could get a heart transplant with faked records is baloney. But there are a lot of simpler health care interactions which are easier to get with faked records, such as basic prescriptions. And it's not much harder to monetize, you do it the same way you do credit cards. Those marketplaces are well established for both CC info and health info, in many cases they are the same place.

        It only works for so long - insurance has dealt with this fraud for ages now too - they get curi

      • Yes, the summary's idea that one could get a heart transplant with faked records is baloney.

        I couldn't make sense of the summary, at first. If my medical condition is bad enough that a transplant is needed, then why should I need someone else's medical records? My own would do.

        On the other hand, I suppose someone's glaucoma could get me medicinal marijuana...

        • "On the other hand, I suppose someone's glaucoma could get me medicinal marijuana..."

          There are doctors who specialize in the medical cards. All you have to 'prove' is that you have any chronic pain (or basically, any condition) at all. All you do is take in a copy of your medical records and a 'C' note and you're in. Here in Spokane they open their doors once a month for renewals and new issues. There are few doctors in the issuing system, and they generally work a few days in each town.

          And medical weed is
    • You're right about he insurance, but I can't help but wonder if the reasons the data is valuable are far more mundane: in order to target specific product and services for sale. If you know a patient has a specific condition, you can target them with ads for specific therapies.

      • The manufacturers can already get that info, as well as pharmaceutical manufacturers. No need to be all covert about it. They made sure of that when they wrote HIPAA.

    • by Technician (215283) on Tuesday August 19, 2014 @10:53AM (#47703331)

      Some hospitals are taking photos of patients with higher cost proceedures as early as 6 years ago. My photo is in my medical records. A stolen ID would be spotted by any staff reviewing my medical history.

      • by Jason Levine (196982) on Tuesday August 19, 2014 @11:01AM (#47703409)

        Maybe, but maybe not. I know someone whose identity was stolen and used by a criminal who was arrested. Despite the fact that the guy looks NOTHING like the criminal in question (different height, weight, skin color, etc), he found himself fired from his job for having a criminal record and harassed by police officers who just assumed he was the criminal. It took him years to get anyone to even listen to him and even then it took years to fix the problem as one fixed system would get "re-infected" as the bad data flowed back in from other systems.

      • All the medical service providers I use now require I show photo ID which they then scan.

        This theft has no particular utility when it comes to stealing medical services.

        • All the medical service providers I use now require I show photo ID which they then scan.

          This theft has no particular utility when it comes to stealing medical services.

          Unfortunately an aceptable ID such as a drivers license is easy to fake, especially since the admittance clerk is just looking for something to scan and not a cop trained to spot fakes.

      • Some hospitals are taking photos of patients with higher cost proceedures as early as 6 years ago. My photo is in my medical records. A stolen ID would be spotted by any staff reviewing my medical history.

        Presumably not if the imposter went somewhere in the country where you've never been.

  • If I am one of the 50 million Americans who are uninsured ... and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details

    Something tells me it would be a little trickier than that given all that is involved in that million-dollar heart transplant. Not to mention all the local news coverage, the calls to the insurance company prior to surgery given the high cost of the surgery, getting on the waiting list, etc, etc. Not to say that it's
  • by Iamthecheese (1264298) on Tuesday August 19, 2014 @10:34AM (#47703149)
    Medical records are insecure... so it's time to migrate to a system like the UK where they contain comprehensive information about each person? Am I actually reading this?

    Until patient confidentiality is enshrined into laws with real teeth and my insurance company, employer, or local black market guru can't get their hands on them I think I'll pass.
    • Re:bass akwards (Score:4, Informative)

      by Richard_at_work (517087) <richardprice.gmail@com> on Tuesday August 19, 2014 @11:08AM (#47703453)

      Moving to the UK's system means no insurance company, and your employer et al do not have access to your medical records. In-fact, most doctors do not have access to your medical records - they are only now bringing in a system where your medical records are shared on an on-demand basis with other hospitals and surgeries. Walk into an A&E department and they won't have your medical records.

    • Medical records are insecure... so it's time to migrate to a system like the UK where they contain comprehensive information about each person? Am I actually reading this?

      Until patient confidentiality is enshrined into laws with real teeth and my insurance company, employer, or local black market guru can't get their hands on them I think I'll pass.

      So instead your info is leaked one way or the other anyway and you have what, exactly, as a benefit that you would lose going to a single payer system?

    • by jon3k (691256)

      Until patient confidentiality is enshrined into laws

      Huh? [wikipedia.org]

  • No, it's the people with diabetes, or cancer. You steel a record that is as close as possible to your own, and you use it. God help the real patient, who has to worry about doctors looking at the thieves' medical results.
    • Getting a record that is close to your own would be of no benefit. If you need a heart transplant, you get the records of a patient that is worse off than you, so that you can gain a better position on the transplant waiting list.
  • to all the important or otherwise image conscious people who have diseases and conditions they don't want made public.

    • Or companies who check these records for new employees: they will not be hired if they have suffered from any serious diseases.
  • Bulls3#!t (Score:4, Interesting)

    by TRRosen (720617) on Tuesday August 19, 2014 @11:09AM (#47703457)

    This isn't being collected for individuals. That's to much work. It will be used for bulk insurance fraud. A portfolio of bogus patients to be mixed into a doctors insurance billing.

    • The first sensible comment I have seen.

      Obviously using it to get a heart (kidney, corneal, etc) transplant is ridiculous as the waiting period is far too long to maintain the charade. Maybe useful to defraud a pharmacy for some oxycotin (and the good drugs are so tightly watched that this is unlikely, my wife is on morphine, and she is monitored closely by both the doctor and pharmacy)

      Plus a poor uninsured can get medical treatment just by walking into a hospital, they won't get transplants, but just about
  • I don't think the data is private primarily to prevent fraud. My first guess was medical tourism. Overseas drug prescriptions, &c. &c.
  • So it's not for the name, address, date of birth, social security number etc. that can be used for any lucrative form of identity theft? That's a relief!
  • by tsqr (808554)

    If I am one of the 50 million Americans who are uninsured ... and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details.

    It would be less painful to just kill yourself than to receive an organ transplant based on someone else's medical record and then wait for rejection to set in.

  • They were looking for ancient Western secret to short life.

  • The reference claims medical identity theft is the most common type [kaiserhealthnews.org] of identity theft. but I dont beleive because there are relatively few cases in news about it compared to fake credit card and account withdrawals. It might be source of the most general identity thefts, due the looseness of medical record keeping.

Any given program, when running, is obsolete.

Working...