John Kuhn got a big surprise eight months after he left the hospital. Somehow, the afternoon he spent on an X-ray table resulted in a $20,000 bill for an invasive surgery and a few days’ recovery time.

Kuhn never underwent that operation, though, and left the Michigan hospital on the same day he entered. He eventually discovered that the hospital had lost a laptop containing his medical data, making it possible for a criminal who fit Kuhn’s description to get treatment and stay in the facility under his name. After a year of dealing with the hospital’s finance department and his creditors, Kuhn got fed up and traveled down to the hospital, which he declined to identify, and let doctors examine his stomach to prove he hadn’t had the surgery.

“I like to think I guard my data well and keep watch on it because this is the kind of work I do,” said Kuhn, a researcher at IBM X-Force’s cybersecurity team. “I still don’t know what the surgery actually was because they were protecting the criminal’s patient information. But I went down there and physically had to lift my shirt to show that I didn’t have any major scars.”

Now, eight years after Kuhn resolved his issue, roughly one in every three Americans is vulnerable to the same fate. Approximately 100 million out of 318.9 million Americans were victimized by a healthcare data breach in 2015. The International Data Corp. made headlines in December when it predicted that one in three Americans’ health information would be compromised in 2016. Last year was no better.

At least 111 million individuals’ data was compromised due to hacking or information technology problems in 2015, according to a report released Wednesday by cloud security company Bitglass, based on numbers made available by the U.S. Department of Health and Human Services. That comes after a December IBM report that found a 1,166 percent increase in reported healthcare breaches, resulting in the compromise of “nearly” 100 million records.


The exact figure matters less than what both reports indicate: Healthcare data has become far more valuable than stolen credit and retail information.

Just 5.7 million compromised retail records were reported in 2015, according to the IBM report. That’s a 92 percent decrease from the previous year. Two reasons for that are the introduction of chip-and-PIN technology on plastic cards and the ease with which credit card companies can issue new numbers to victimized customers.

“It shows to the healthcare industry that retail and financial services have done a good job of devaluing data on the black market,” said Rich Campagna, vice president of products at Bitglass. “The time and effort that goes into monetizing that data takes longer, and that in and of itself is significant … Everyone predicted this but we’re really seeing it happening immediately.”

Smaller retailers still struggle with cybercrime, though the big-game hunters who stole millions from Target in 2013 and Home Depot in 2014 appear to have shifted their focus to where the real money is: the medical sector. Instead of just a credit card number and Social Security number, medical records include an individual’s medical history, test results, a list of past addresses, family members and other information that’s hard to change or delete.

“I’ve gotten at least two breach notifications in the past year,” Campagna said. “It’s only a matter of time before it gets exploited. And medical procedure fraud is certainly happening but nobody’s tracking it, so folks are largely on their own.”

Traders who buy and sell stolen user information use the term “Fullz” to describe a hacking victim’s full credentials as packaged data. Prices typically float around $50, though if medical data is included the price might rise to $300.

“The underground markets drive that kind of mimicked pattern behavior,” Kuhn said. “One guy steals a bunch of medical records and the other guys realize he’s getting a lot of money for them, so they go out and get medical records themselves. It just escalates itself because of financial gain.”

The problem isn’t just that medical information is so valuable. It’s that the healthcare industry has never had sufficient motive to bolster its security measures, even after the Health Insurance Portability and Accountability Act (or HIPAA) was enacted in 1996 and revised multiple times since. HIPAA requires covered entities to use some form of encryption when patient health information flows over open networks, though encryption is optional on closed networks.

“The key here is that there’s no culture of privacy in the healthcare industry, which is very strange since this is our most sensitive information,” said Dr. Deborah Peel, a physician and the founder of Patient Privacy Rights, which seeks to “restore patient control over personal health information.”  

“The main reason is that for the first 10 years or so since HIPAA passed the Department of Health and Human Services investigated almost no one for security breaches,” Peel said. “The law said security was quote-unquote ‘addressable’ but what that means to us in the industry is that we don’t address anything until the regulators tell us exactly what security method to use.”

The situation may get worse before it improves. The number of Internet-connected devices is projected to rise from 13.4 billion in 2015 to 38.5 billion in 2020. Many of those products — whether it’s a pacemaker or a device that records steps — are related to consumer health. The real problem lies just a few years in the future, when hospitals increase their reliance on automated technology without baking in security from the beginning.

“There are devices like an insulin pump, or the hospital systems that control IV [intravenous] flows, that control lots of information at the patient level,” said V. Miller Newton, CEO of enterprise encryption and compression company PKWare. “The pharmaceutical companies get it, the manufacturers get it, or you can look at it in the cloud from home, but none of it is encrypted. If you hack into one of those IV machines you’ve actually now accessed the hospital’s software through a backdoor, and you’ve got access to patient information on the entire hospital.”