Thieves demanded money in exchange for access to the files.
While identity theft is the primary concern when the security of medical records is compromised, a disturbing new trend is emerging: hackers holding the data for ransom.
A recent case involved the Surgeons of Lake County, a medical practice in Libertyville, Ill., where hackers were able to access electronic medical records and emails, Bloomberg reported today in its Tech Blog, citing an initial report by the privacy blog Dissent Doe. The hackers encrypted the records and demanded the practice pay money for a password to access the files, Bloomberg reported.
The practice declined to pay, shut down the server and notified authorities, according to Bloomberg. It was unclear from the report whether the practice was eventually able to access its EHR records, or if so, how.
Bloomberg blogger Jordan Robinson calls the case “an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.”
In 2009 a hacker demanded $10 million from the state of Virginia after he or she claimed to have stolen and encrypted personal and prescription drugs for 8.3 million patients from the Virginia Prescription Monitoring Program, according to a report in Healthcare IT News. The ransom note was posted at the time by Wikileaks.
In 2008 a hacker demanded money from the prescription-drug benefits manager Express Scripts after demonstrating it had personal information on a few dozen members, according to Bloomberg. The company refused to pay. And four years earlier several California hospitals were blackmailed after outsourcing their medical transcriptions overseas, Robinson writes.
“This is a warning bell,” Santa Clara University law professor Dorothy Glancy told Robinson. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”