For many years, healthcare institutions have remained one of the most attractive sources of personal information for criminals. Medical records are valuable on the black market, as they can easily be converted into cash. In addition to the names, surnames and addresses of patients, health facilities accumulate social security numbers, IDs, payment information, and, of course, the results of various diagnostics and analyses.
Hackers continued to go after patients’ personal information around the world. In the summer of 2017, several mass incidents were reported. The latest big case occurred in the UK, where cybercriminals stole 1.2 million records from the National Health Service (NHS) database. In mid-July, hackers managed to steal the data of more than 500,000 patients in Belgium. In mid-August, a personal data breach at the Women’s Health Care Group was reported, which resulted in a leak of 300,000 personal data records.
In addition to the activity of hacker groups, the actions of insiders such as former employees and various contractors remain a big problem for the healthcare industry around the world. For example, in June an employee of the insurance company Bupa put about 1 million medical records up for sale on the dark web.
The number of data leaks through paper documents is objectively decreasing every year. However, it's too early to write them off. Such leaks continue to occur due to the carelessness and negligence of medical staff. Recently, in Canada, there was an amazingly negligent use of confidential information: the personal data of 60 people was printed on the back of a prescription for one of the patients.
There are two main factors behind the regular leakage of information from medical institutions. First, compared to the finance industry or the public sector, they do not have a well-developed information security infrastructure. In many countries, the level of protection of medical information is not yet keeping up with the development of IT in clinics and hospitals. Second, information security is still not a top priority for many healthcare institutions and is often funded only with whatever budget is left over.
A number of mass leaks of information that occurred in 2015-2016 forced many medical institutions and their partners to strengthen their information security strategy. However, not all companies can quickly close security gaps, as evidenced by the sad experience of Anthem. In 2015, more than 78 million personal data records leaked due to a database hack, and in 2017 the company experienced a new breach of its customers' data.