Hackers Steal, Encrypt Health Records and Hold Data for Ransom

by Jordan Robertson, Bloomberg Tech Blog, August 10, 2012

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.

The Surgeons of Lake County, located in the affluent northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored.

But unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.

The doctors turned the server off and notified the authorities, refusing to pay.

“This story is so ironic — most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors — in fact, nobody — can access these records.”

The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. But the incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.

The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.

Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, he wrote in an e-mail….

Medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.

Earlier cases, though, underscore the value to a criminal of medical data.

One case involved Express Scripts, the large prescription-drug benefits manager that received a threat in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including Social Security numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually notified 700,000 customers that their information could have been exposed.

And in 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.

As I have reported earlier, the spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing problem. Security and privacy risks are also emerging with the creation of “health information exchanges,” which are vast databases that states are setting up to handle all the electronic medical records.

It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.

“Safeguarding every patient’s personal information is a top priority at The Surgeons of Lake County,” Dr. Scott Otto, the center’s president, said in a statement. “We are devoting significant people and technological resources to help protect patient confidentiality.”

For all of the benefits of making health records electronic, this incident highlights a downside, said Santa Clara University’s Glancy.

“This is a warning bell,” she said. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”