Hackers are stealing millions of medical records – and selling them on the dark web
As health care providers store patients' medical records digitally, some have left their files vulnerable to being exposed – and even sold on the black market, or the internet's dark web. One victim of medical identity theft showed us just how much damage that could do.
"It was quite a tumultuous decade of a mess," Brandon Reagin told CBS News correspondent Anna Werner.
The "mess" started in 2004 for Reagin when, as a young Marine, he lost his wallet. Months later, his mother called, saying, "Local authorities were here looking for you today, you know, regarding this incident," he recounted. "A car theft. Multiple car thefts at the time."
Someone posing as Reagin was allegedly stealing cars and getting multiple medical procedures. Then the hospitals came after Reagin to pay. The bills added up to nearly $20,000.
Reagin said he tried to get these problems off his credit report.
"Did that work?" Werner asked.
"It worked until the next billing cycle," Reagin said. It was like a never-ending battle for the Marine.
But Gary Cantrell sees it all the time, as head of investigations at the Department of Health and Human Services' office of inspector general.
"Every one of our investigations involves the use of medical data to commit this fraud," Cantrell said.
He warned thieves want people's medical records. "It's just a treasure trove of all this information about you," Cantrell said.
Last year alone, he said the agency handled nearly 400 reports of medical data breaches. Some of that information winds up for sale on the internet's dark web.
"Sometimes they're compromising this data and we don't know how it's being used, when or if it will be used to compromise those individuals' identities," Cantrell said.
"So it's kind of sitting out there like a time bomb?" Werner asked.
"That's right," Cantrell said.
"Potentially," Werner said.
"That's right," he responded.
So how easy is it for criminals to get hold of these patient files? We asked cybersecurity expert Gary Miliefsky.
"Took me a few seconds," Miliefsky said after searching for records on the dark web.
"Yeah, literally like three seconds," Werner said.
One seller offered children's health records for sale: "USA KIDS FULLZ" from a pediatrician from 2000 to 2014. Another posted an entire hospital's worth of files from a health care database in Georgia: 397,000 patient records.
How are they getting the records? One "product description" said "breached a very large hospital recently."
"So they're basically saying, somebody hacked into this hospital, and here's the records if you want to buy them for 26 grand?" Werner asked.
"Exactly, they want to monetize these records quickly, and they're actually offering them at a discount compared to other prices I've seen on the dark web," Miliefsky said.
Social Security numbers sell for $1, and credit card info goes for up to $110. But Experian reports full medical records can command up to $1,000 because they're an identity thief's dream: date of birth, place of birth, credit card details, Social Security number, address, and emails.
"So this is really all they need, if they buy this. And then they can become?" Werner asked.
"You," Miliefsky said.
Hackers have stolen millions of records. A breach at Anthem Insurance affected 78 million people, and a hack at UCLA Health exposed more than four million patient records. Despite that, a 2017 survey of health care providers found just 16 percent reported having a fully functional cybersecurity program.
According to Protenus, a firm that helps health care companies protect data, there were 222 hacking incidents last year – up nearly 25 percent from 2017. In all, more than 11 million patient records were affected.
"One of our most important missions is to mitigate that vulnerability as quickly as possible. And that means communicating with those individuals who oversee the systems," Cantrell said.
As for Reagin? The crook who stole his identity served time in prison. But 15 years later, Reagin said he still hasn't been able to undo all of the damage.
"That hospital may still have his information, his blood type under my name at that hospital," Reagin said.
"That's kind of worrisome," Werner said.
"It is. It's a little weird to think," he said.
Because of situations like that, experts we spoke with said it's a good idea to request a copy of your medical files now to clear up any confusion if your records are altered later due to medical identity theft.