"Attention, Virginia!" the ransom note begins. "I have your sh*t! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( "
"For $10 million, I will gladly send along the password. You have 7 days to decide."
Someone says they've stolen 8.3 million patient records, and now the FBI is on the case. However strange this crime may sound, it was a predictable event. Stranger and more severe crimes are coming, if they're not here already. I've been tracking health data breaches for a while, and it's one of six scenarios I sketched out (but chose not to publish). It's important now to ensure that these concerns are given a high enough priority - and proper funding - in future health IT initiatives.
Whatever your position on health reform, nobody wants health data to be the topic of the next private eye novel or film noir. Philip Marlowe wouldn't be happy working at HHS.
Since they're now playing out in public, I'll briefly mention those other five scenarios. They are:
1. Individuals are blackmailed using information obtained from stolen medical records.
2. "Medical identity theft" - using stolen information to fraudulently obtain medical care.
3. Stolen information is used to submit fraudulent bills to Medicare, Medicaid, and insurance.
4. Electronic funds transfers are intercepted using stolen data.
5. Medical data is used to obtain controlled substances and sell pharmaceuticals online.
There are no doubt other ideas out there, and inventive minds will find them. Authorities say the Virginia hackers breached the system's security, but it's less clear whether they can do what they've threatened. Either way, the language in their ransom threat seems to fit the hacker profile of young American kids with time on their hands. We don't know whether that's real or a ruse, but it raises a couple of disturbing questions:
- What happens when organized crime gets into the stolen health data business?
- Who says they haven't already?
Crime syndicates could become brokerages for acquiring and selling health information, which can be traded online.
It would be a mistake to use the threat of these crimes to oppose health IT initiatives, however. These crimes will continue, no matter what, because the exchange of data is embedded in every aspect of our insurance-based health system. Doing nothing will not protect us. It makes more sense to use this historical moment to take bold preventive steps.
If stolen health data fits the pattern of other cybercrimes, publicly reported breaches don't reflect the full scope of the problem. So what should the Administration and private industry do next?
1. Acknowledge the problem. Don't lose control of the debate by letting health reform opponents raise the topic.
2. Provide funding for security software and solutions.
3. Clarify the security levels and procedures expected of all health IT users. (You'd be surprised how many of these breaches occurred because someone left a laptop in an airport or a computer disk on their front seat.)
What should private industry do? Those industries that will benefit from reform and IT initiatives could establish a reward - something like the "X Prize" - for innovative security solutions in healthcare.
Organized crime -- or even disorganized crime -- has no place in the world of healthcare.
RJ Eskow blogs when he can at: