The news has recently carried numerous egregious data thefts from large insurance companies, alongside concerns about data security on the infamous Healthcare.gov site. In one case, close to 840,000 individuals may have had their personal information compromised, including some “clinical” information, through the theft of two company laptops owned by a large medical insurance company.
Although much has been made about the loss of financial data, I haven’t seen much emphasis on the ways in which a nefarious actor could leverage the acquisition of someone’s health information.
In general, most people have a strong aversion to sharing their medical records publicly, and numerous reasons may drive this behavior: concerns that the records could affect insurance eligibility or the ability to gain or keep employment, or simply a wish not to reveal “embarrassing” physical or psychological conditions and the treatments for them.
Medical data is rife with clues that reveal other details about one’s personal life, such as eating, fitness and lifestyle habits, and perhaps hereditary diseases. This makes it uniquely useful to anyone interested in causing directed harm to a particular person.
Medical information loss can be monetized or leveraged in numerous nefarious ways such as the following:
- The ability to create a false ‘avatar’ to gain access to medical insurance or payments
- The ability to sell information from one’s medical record; this can be especially valuable if the person is in the public eye or otherwise in a public ‘trust’ position (e.g. a judge, high-ranking official, celebrity, etc.)
- The ability to leverage the information against a person; e.g. psychological reviews, if revealed, might jeopardize a person’s very employment
Organizations have a fiduciary responsibility to keep sensitive information secure. In the end, the loss of personal medical information can be more devastating than the loss of personal financial information, and far costlier than the value of the physical device it resides on.
Carl is an IT security expert and responsible for Radware’s global security practice. With over a decade of experience, he began his career working at the Pentagon evaluating computer security events affecting daily Air Force operations. Carl also managed critical operational intelligence for computer network attack programs to aid the National Security Council and Secretary of the Air Force with policy and budgetary defense. Carl writes about network security strategy, trends, and implementation.