Summary:
During the past couple of years, as concerns about our personal health have been top of mind, a rash of breaches targeting the healthcare industry may have compromised the identity health of millions. The risks these breaches create are often misunderstood because of assumptions typically made about how breached data is misused.
The common misconception: when a particular type of personal data is compromised, criminals then use it to commit fraud at the same type of organization from which it was stolen.
This assumption makes sense for certain types of breaches. When there’s a credit card data breach at one merchant, one would assume that criminals stole the data to rip off another merchant somewhere else.
Yet healthcare breaches can create a particularly wide and diverse set of risks to individual identities. Let’s examine the harm a healthcare data breach can do by dissecting a real-world example: UC San Diego Health.
Examining Healthcare Data Breaches
The data breach at UC San Diego Health illustrates how the compromise of a healthcare provider can impact individuals’ lives. In the breach, the personally identifiable information (PII) and health data of UC San Diego Health patients were compromised. Using the login credentials of UC San Diego Health employees, criminals gained entry to the healthcare provider’s systems to access a wealth of PII, including:
- Social Security numbers
- driver’s license information
- payment information
- health information
- basic contact information
This data compromise opens the gate for criminals. The fact that healthcare information was stolen does not mean criminals will limit their misuse of the compromised data to healthcare-related fraud and scams.
The breadth of the information stolen has the potential to expose victims to numerous identity threats, such as:
- New credit and deposit accounts opened in a victim’s name, as criminals are armed with the core PII elements banks and credit unions use to verify identity during account opening.
- Fraud on existing accounts, as personal information is often used to authenticate (or verify) the identity of customers who need access to their accounts by phone or to complete a password reset online.
- Targeted scams impersonating a wide variety of third parties, not just UC San Diego Health (an impersonation criminals could carry out more easily when armed with a patient’s healthcare history). For example, payment card data can be used by criminals to more effectively impersonate card-issuing banks and credit unions to solicit additional personal information. The data also could be used to convince these patients to unwittingly transfer funds to fraudsters.
Rating the UCSD Health Data Breach Risk
One way to grasp the severity of a healthcare data breach is to measure the possible risk to victims via a rating system and compare that rating to other breaches. Our BreachIQ™ technology at Sontiq®, a TransUnion® company, is designed to think like a criminal, calculating how successful different types of fraud and scams could be based on the data stolen. For comparison, the retailer Guess experienced a data breach that earned a BreachIQ rating of 6 out of 10, whereas the UC San Diego Health breach is a 10.
In isolation, a breach like UC San Diego Health is alarming not only for the affected patients but also for the rest of us. It shows how vulnerable the sensitive information our healthcare providers hold about us can be.
Unfortunately, the UC San Diego Health breach is not an isolated incident. The Department of Health and Human Services reported that more than 1 million consumers each month had their data compromised in a healthcare breach during 2020. Healthcare providers large and small continue to be targeted for their data. Patient data can be exposed as a byproduct of the ransomware attacks that have become increasingly common.
Most healthcare providers retain patient data similar to that compromised in the UC San Diego Health breach. When they occur, such healthcare data breaches often score at the top of the BreachIQ scale.
Protecting Identity Health
Thankfully, we are not helpless. To be the best advocates for our own identity health, consumers should take control of their data and how it’s used. Understanding when your data has been exposed, the potential risks that exposure creates and the specific steps you need to take to reduce that risk is vital. That knowledge also can help empower you to make better decisions about keeping your identity protected and your digital life healthy.
Healthcare providers can also arm themselves by knowing what steps to take when facing cybersecurity challenges. Learn how IdentityForce can help keep employees’ and patients’ identities secure. We pride ourselves on staying ahead of the evolving risks and are here to provide you with the support you need.