Cyber criminals overseas steal U.S. electronic health records

In 2004, when Bush administration officials unveiled a project to provide every American with an electronic health record by 2014, they pledged to put privacy and security first. But the discovery in April of stolen health records containing sensitive medical information about U.S. patients on a computer server in Malaysia controlled by cyber criminals indicates such records so far do not pass the privacy and security test.

Comment on this article in The Forum.Medical records are a "platinum card" for organized crime, which can rake in millions of dollars from false billings, said Pam Dixon, executive director of the World Privacy Forum. Information generated from false claims entered into electronic medical records also can pose life-threatening risks to patients, she added.

Yuval Ben-Itzhak, chief technology officer of Finjan Software Inc., said the company's Malicious Code Research Center discovered last month that a computer server in Malaysia nominally controlled by a Russian registrant contained 1.4 gigabytes of stolen computer files. These included medical files from a health care provider in the eastern United States and 40 major financial institutions around the world.

Ben-Itzhak said Finjan, which develops and sells secure Web gateway software, identified hundreds of medical files on the server and estimated there were probably many more. But Ben-Itzhak said Finjan did not have the resources or time to comb through every file in such a large database.

He said the stolen files included names of care providers, medical history summaries, diagnoses, prescriptions, insurance details and a wealth of personal identifying information, such as Social Security numbers, birthdates and addresses.

The Malaysian server was able to mine this information by installing Trojan horse software on end-user computers, capturing key stroke information, files stored on hard drives and Microsoft Outlook e-mail files. The vulnerability of desktop and laptop computers clinicians use shows that health care organizations have to develop end-to-end security systems that cover user devices as well as central servers, Ben-Itzhak said.

Finjan reported that the Malaysian server hosted a sophisticated command-and-control system that automated attacks. The system included tools to access protected storage areas, an uninstall command for the Trojan horse, a tool bar to track infected computers by location and logs to show the amount of data captured.

Ben-Itzhak noted that criminals could use sensitive medical -- such as an HIV diagnosis -- to blackmail patients.

Dixon said the most likely use of stolen medical records was to commit fraud on a massive scale, by such means as setting up a fake medical clinic to file false claims. Last year, five people pleaded guilty to operating such a clinic to defraud the Medicare program.

Dixon said that until now most cases of medical identity theft have been the work of insiders, such as a 2006 case in which a clerk at a Weston, Fla., clinic downloaded information about 1,100 Medicare patients and sold it to her cousin. The cousin, in turn, submitted $2.8 million in false Medicare claims.

Dixon said the Finjan report is an indication that medical identity theft now has been adopted by "some nasty overseas crime rings," taking the problem to a new and dangerous level. She said these organizations could sit on the stolen medical identities for a year or two, then set up a fake clinic in the United States and start billing for procedures running from $1,000 to $250,000 each for multiple patients.

The impact on patients whose medical identity has been stolen can be deadly, said Dixon, who subtitled her 2006 report on the problem "The Information Crime That Can Kill You." Criminals can put false and potentially deadly information into a patient's medical file. In one case, a Florida woman discovered her blood type had been altered by an imposter.

Dixon said 250,000 to a million people have their medical identities stolen every year in the United States. The increased use of electronic medical records and the fact that overseas criminals have started to steal medical identities will exacerbate the situation, she said.

Ben-Itzhak said that in April, Finjan informed an FBI agent working at the National Cyber-Forensics and Training Alliance in Pittsburgh -- a public-private partnership to share confidential information on cyber incidents -- about the patient data the company discovered on the Malaysian server and provided the agent with log files from the computer.

Finjan also informed the Office of Civil Rights of the Health and Human Services Department, which is charged with insuring the privacy of patient information under the Health Insurance Portability and Accountability Act.

Nextgov asked both the FBI and HHS if they intended to notify patients that their data had been breached, but has yet to receive a reply. Dr. Deborah Peel, founder of Patient Privacy Rights, an Austin, Texas, nonprofit organization focused on ensuring Americans control access to their medical records, said while such notification would certainly be the right path for both the FBI and HHS to follow, neither was required to do so by law, except in cases involving a breach of veterans' medical records.

The fact that the United States has laws requiring notification of improper disclosure of financial information, but none for disclosure of medical data is a privacy and security hole HHS needs to plug if it wants Americans to have confidence in electronic health record systems, Peel said.

She said the Finjan discovery about the Malaysian server was the first case she was aware of that involved an international cyber crime ring. The case, she said, should impel HHS and health care providers to make security of electronic medical records a priority.

Devin McGraw, director of the Health Privacy Project of the Center for Democracy and Technology in Washington, said the kind of health data breach Finjan uncovered could have a chilling effect on the plan to develop electronic health records for every American. The case bolstered the argument for the development of a national notification policy for medical data breaches, McGraw said.

McGraw said she wanted to see the HHS Office of Civil Rights and the Justice Department investigate the medical data theft Finjan discovered. But Ben-Itzhak said such an investigation was frustrated by the global nature of a crime committed in cyberspace by sophisticated operators.

Shortly after Finjan notified the FBI of the existence of the Malaysian server, Ben-Itzhak said the server went idle, a possible indication its operators became aware of FBI probes. Since then, Finjan has discovered three similar servers and is working to determine whether they contain purloined medical data.