Like a lot of Americans, Reagan Rowland of Roanoke, Virginia, has her credit score monitored constantly to be sure her name and Social Security number aren't being used by thieves to take out credit cards or apply for loans.
Except Reagan is different. She's 5 years old.
Reagan saw a doctor for a scrape after falling off her bike earlier this year. That was before her insurer, Anthem Inc., announced in February that 80 million past and present customers had been the target of a massive data breach that compromised names, birthdays, medical IDs, Social Security numbers, street addresses and employment information.
She also has a twin brother, whose Social Security number is different by one digit, so his credit score will likely need to be monitored from now on as well.
“It’s the kind of thing you never think is going to happen to you,” said her mother, Johanna Rowland, 30. “I don’t think there’s a lot of incentive for anyone to keep my own or my daughter’s information secure. I’m more worried about her than me… It just seems hopeless.”
The Rowlands' case is just one of millions of examples of how Americans’ health information is being compromised as health records go digital. Medical records are the most likely type of data to be breached -- more likely than government, finance, education, retail or other industries' data, according to an analysis of 4,470 breaches since 2005 by the International Business Times.
Indeed, medical data is twice as likely to be hacked as financial data.
The data, collected by the nonprofit Privacy Rights Clearinghouse, shows that the healthcare industry saw a record-high 18 major breaches in 2014 -- the most recent year for which data is available -- up from just three in 2006. It also showed that the biggest threat isn't hackers but mishandling by doctors, insurers, corporations or other medical personnel.
Medical data is vulnerable both because the healthcare industry is fragmented and unprepared to protect it from threats, and because it has underinvested in security, experts say. The move to electronic health records, widespread technological inefficiency and medical data’s value to hackers have created a perfect storm for the healthcare industry. Children's medical information is particularly valuable because it's a clean slate from which thieves can build false identities.
“Healthcare is a treasure trove of data. There’s names, Social Security numbers, some personal history. It’s just full of valuable stuff,” said Craig Lund, CEO of SecureAuth, a security company that works with a number of government agencies and Fortune 500 medical companies.
Records obtained in the Anthem hack are already being used to commit identity theft, according to Lynn Toops, an attorney at Cohen and Malad, an Indianapolis law firm behind a class action suit against the company. Angry customers assumed they weren’t affected by the hack only to request their tax return in April and find out someone had already filed in their name -- and collected a refund. “This is even happening with some 8-month-old children,” she said.
According to the data, breaches at healthcare and medical providers make up a quarter of all data losses, followed by educational institutions (17 percent) and government organizations (16 percent).
Paul Stephens, PRC’s spokesman, said the information is “just the tip of the iceberg,” as many breaches go unreported. The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to notify consumers if certain medical information has been disclosed without authorization. While some public officials have proposed standard reporting requirements for other industries, national cybersecurity legislation has not yet made it into law, leaving a patchwork of different state statutes to fill the void. Still, Stephens said the group’s database is indicative of current trends, as it contains information on virtually every major, publicly known breach that has occurred in the past decade (culled from media reports and state attorney general offices).
Breaches at financial services companies and major retailers have actually declined since 2012, when 72 major breaches occurred in financial services and 107 at major retailers. Some of that is due to financial institutions investing in elite cybersecurity experts and advanced detection techniques that monitor user behavior in real time.
Government and healthcare have been slower to adapt, resulting in the potential breach of 29,932,326 records since 2012. (Thousands, sometimes millions, of records are compromised in each data breach.) “It’s an economic thing. The best and brightest minds know they’ll make more money protecting the financial sector,” said Lund.
Along with Social Security numbers and phone numbers, medical records also contain insurance identification numbers, medication regimens and even someone’s blood type. There have been reports of fraudsters impersonating their victims at emergency rooms for free care, or trying to obtain pharmaceutical drugs using someone else’s name.
A May 2015 study from the Ponemon Institute pegged the average personal cost of recovering a stolen identity at $13,453. And only 10 percent of the respondents said they resolved the dilemma in a “completely satisfactory” manner.
Medical breaches have risen intermittently since 2005. That year, 411,825 records were reported compromised in 11 breaches at medical institutions. By 2013 that number had grown to 5,196,257 records in 263 reported breaches (5,318,566 records were reported lost in 89 breaches in 2014).
Among the more than 1,100 medical breaches, over 17 percent have been deliberately perpetrated by insiders -- by far the highest percentage of any industry.
“This is the year we expect more breaches in the healthcare space, and healthcare is aware of that,” said Anup Ghosh, founder and CEO of Invincea, a cybersecurity company with more than 2 million users. “Most healthcare organizations understand the risk of losing medical records because, on the black market, medical records are more expensive than credit card data. I can create a whole identity around you with your [medical records and] bank accounts, credit cards and tax returns, and you’d never know it.”
Across all kinds of breaches, there have been 539 data thefts attributed to insiders. They appear, however, to have peaked in 2010 and have declined in the last few years.
By contrast, hacks from outsiders have risen precipitously. In 2005, just 48 were recorded. By 2012, that had more than quadrupled to 227, and last year, there were still 168 breaches through hacking. A full 45 percent of all hacks happened at corporations, as compared to 10 percent at government and military organizations.
There were 15 reported breaches at military and government institutions in 2005, resulting in 698,196 lost records. The number exceeded 100 twice (in 2006 and 2010) before falling again to 86 in 2012 (16,215,855 records reported compromised) and 53 in 2013 (461,263 records).
The category that comes closest to the healthcare industry’s 1,193 breaches is educational institutions, with 747. But according to figures logged by Privacy Rights Clearinghouse, breaches in education (including universities) have plummeted of late, falling from 107 breaches in 2007 (791,938 reported records) to 31 breaches in 2014 (1,063,890 reported records).
The public sector, meanwhile, remains at risk. Overall, government and military institutions are the third leading site of breaches -- many of them high-profile. In recent years, breaches have occurred at the White House, the State Department and the Office of Personnel Management (which involved information on at least 22 million government workers).
Federal agencies are now scrambling to update their infrastructure. Paul Kurtz, who led the cybersecurity transition from the Bush administration to the Obama administration in 2009, said the government has trouble hiring the best specialists. “When you’re sitting inside the federal government and someone comes along from the private sector and says, ‘I can offer you double your salary and give you stock options,’ it’s hard to say no,” Kurtz said.
Hacks on Home Depot, Target (which fired its CEO afterward), JPMorgan Chase and other corporations that can afford to bankroll massive new cybersecurity departments have made the government’s hiring headache even more problematic. Boards of directors have increased the pressure on CEOs to hire qualified staff, increasingly treating cybersecurity as a risk management issue rather than an IT one. “You have a decentralized cybersecurity architecture across the government and until we can rationalize and streamline that more, I think we’re going to continue to be challenged,” Kurtz said.
The public sector’s record has impacted the intensifying debate over cybersecurity legislation. Currently, Congress is considering bills to encourage corporations to give law enforcement investigators access to cyberthreat data in exchange for protections against privacy lawsuits. But privacy advocates in Congress have cited government data breaches in opposing the measures.
“We’ve seen before that the federal government has a poor track record of safeguarding our information when entrusted with it,” said Colorado Democratic Rep. Jared Polis, during a recent floor debate over a cybersecurity bill. But as the data shows, it’s not just the government that’s having trouble protecting data.
David Sirota and Hanna Sender contributed additional reporting.