Why Do Hackers Want Your Health Data?

Recent security breaches at health insurance companies affect millions of Americans: here’s why that’s bad news.

Yesterday, major health insurance providers Lifetime Healthcare Companies and its subsidiary BlueCross BlueShield announced that they had been hacked, affecting a total of 10.5 million patients. These aren’t the first healthcare companies to be hacked this year, and they certainly won’t be the last; though data breaches have become an unfortunate reality for many companies, health information is especially at risk.

Healthcare data is the cash cow of the hacker world. A hacker will get $10 on the black market for each individual healthcare profile, 10 or 20 times the amount they would receive for credit card information, according to a report from Reuters published last year.

Learning a patient’s medications and diagnoses means that a hacker can order expensive drugs or equipment and resell them, or file made-up claims with insurance companies and get money in return. They can even commit medical identity theft to seek free medical care for themselves. And unlike credit card companies, healthcare providers don’t usually vigilantly monitor this activity, so hackers can continue to reap benefits from the same data for years.

As a result, healthcare companies and hospitals find themselves under constant digital assault, and it’s costing them a total of $6 billion per year, Bloomberg reports. The companies find themselves ill prepared to ward off these attacks—81 percent of healthcare organizations have been subject to attacks in the past two years, according to a survey published last month by tax audit company KPMG. Earlier this year, healthcare providers were required to switch over to electronic medical records, making more patients vulnerable to attacks than ever.

Hospitals and insurance companies are beefing up their digital security, aided by organizations like the FBI, but the process is slow. In response to this most recent attack, Christopher Booth, the CEO of Lifetime Healthcare (the parent company of Excellus BlueCross BlueShield), says that his organization has “already taken aggressive steps to remediate our IT system of issues raised by this cyberattack” by hiring a digital security firm to evaluate its current setup, according to a press release. Apparently, preventing digital attacks can only go so far: healthcare providers seem to be increasing their security measures only once a breach has already happened.

Both BlueCross BlueShield and Lifetime Healthcare Companies have begun notifying patients of the security breach and will offer free identity theft protection and credit monitoring services to those affected.