It started out as a data breach like many others. The hackers penetrated the computer network of a small medical practice in a wealthy suburb of northern Illinois, The Surgeons of Lake County, and broke into a server containing email and electronic medical records. But instead of sneaking out undetected and selling the stolen data on the black market, they took a novel tack -- encrypting the data and posting a message demanding a ransom payment in exchange for the password needed to decrypt it.
The move from fraud to extortion in cases of data compromise is frightening for several reasons. First, it suggests that the criminals knew exactly what they were doing, and that they deliberately targeted digital medical records as part of a well-articulated strategy -- an approach we can expect to see employed more frequently as the digitization of records and the broadening of access become the norm in the health care industry. Second, this M.O. implies a tremendous confidence in the criminals' power to disrupt -- and a calculation that the illicit ROI from blackmail would exceed the price the data would command on the black market.
All of this is ultimately made possible by the digitization of medical records and the placement of those records on networks -- often poorly protected ones. It gets you thinking...
Would you post your medical records to your Facebook profile? Share a CAT scan via Instagram? Discuss your prescription history with your network on LinkedIn? Not likely. Even if every single one of your Facebook "friends" really is a friend, the idea of such personal information falling into the hands of strangers is damn hard to stomach -- especially if those strangers happen to be criminals looking to make a quick killing and you are the roadkill.
But what if the server where that information is living belongs, not to Facebook or LinkedIn, but to a health information exchange -- a computer network designed to put your medical information and that of millions of other patients within easy reach of medical professionals throughout our nation's health care network?
The truth is that it may be there already, whether you know it or not. There are at least 255 health information exchanges across the United States so far, including 17 each in New York and Texas, 12 in Florida, and 10 each in California and Michigan, and that number is increasing at a steady clip. Their growth has been spurred partly by federal grants awarded to encourage medical professionals to participate actively in, and promote, the ongoing makeover of the health care system, and partly by the obvious efficiencies inherent in such a centralized and frictionless approach.
In a perfect world, this would not be a problem -- it could be a solution. There are tremendous benefits to be derived from having a patient's medical data available to practitioners throughout the health care network -- from GPs and pharmacists to surgeons, radiologists, lab technicians, and emergency response teams. Having current, accurate, and reliable data about a patient's medical history just a click away -- whether the issue is urgent or routine -- will save money, time, and, most important of all, lives.