On January 10 the Bangkok Post reported nearly 39 million health records were reportedly stolen from Bangkok Siriraj Hospital and nearby Siriraj Piyamaharajkarun Hospital. The records were being offered for sale on raidforums.com, “an internet database-sharing forum.” The poster, which goes by the “WraithMax,” is offering a sample record and can be contacted through a Telegram app account. According to the poster, the data contains names, addresses, Thai IDs, phone numbers, gender details, dates of birth, and other potentially sensitive information, including medical records of VIP patients.
The thefts are the latest in a string of incidents that began nearly two years ago. Last October the health records of more than 100,000 patients were stolen from eleven other hospitals, a month after 10,000 patients of the state-run Phetchabun Hospital had their records stolen through that hospital’s app.
The day after the Bangkok Post published news of the breach, the Siriraj Hospital denied its database was leaked. However, an internal source investigating the theft told the Bangkok Post the records “may have been old data from somewhere else.” On raid forums, “WraithMax” is offering the data for sale at a negotiable price to a single buyer.
Notable Healthcare Infrastructure Breaches
It’s not a problem unique to Thailand.
In November Canada’s CBC News reported officials confirmed: “personal information of medical patients in Newfoundland and Labrador has been stolen in [a] cyberattack that has wreaked havoc on the provincial healthcare system for over two weeks.” The stolen patient information included names, addresses, Medical Care Plan (MCP) numbers, and personal information including birth dates, email addresses, maiden names, and social insurance numbers. Employee data was also stolen.
Last summer it happened to a chain of fertility clinics in northern Illinois. Last week, Florida’s Broward Health, which operates five hospitals, four outpatient centers, and one urgent care center, disclosed details of a breach of patient and employee records that took place in October.
There will be more. Lots more, even though the problem is hardly a new one. Ten years ago, in 2012, Health and Human Services (HHS) stated it “needs to heighten its focus on oversight and enforcement of privacy and security protections to ensure that health care providers and the Department’s own systems and contractors effectively safeguard individuals’ protected health and other sensitive personal information.”
What Are Hackers Doing With This Data?
What Makes It Valuable?
It can be used for perpetrating multiple kinds of frauds against vulnerable systems with little oversight that have access to literally billions of dollars, including Medicare, Medicaid, and insurance companies.
The reality is these attacks will not stop. The rewards are simply too alluring to thieves.
Unfortunately, hospitals will continue to be prime targets for data breaches because of the value of sensitive health information in the black market in comparison to other sensitive information, like payment information. Compromised PHI (Protected Health Information) also often comes with PII (Personally Identifiable Information). Thus, it’s unlike a payment breach where I can call my credit card issuer and request they freeze all new transactions, and request a replacement card which is immediately sent out to me. That’s not possible with a PHI breach — when sensitive health information like a terminal medical condition or incurable disease is breached, there is not much I can freeze or change, and all of my personal data is attached to those records.
No one chooses a hospital-based on an assumption that they practice good IT security hygiene; people choose a hospital based on the doctors, the services, and the latest technologies they’ve employed to diagnose or assist in the fight for good health. Even in an era where there are exploding cyber-attacks including ransomware, hospital budgets are constrained and constantly under scrutiny and IT costs (including security) are often held to a bare minimum.
Sadly, the general public suffers from blind faith that all healthcare providers (and this includes hospitals and doctor/patient facilities) adhere to the latest IT security best practices. They don’t. Generally speaking, while hospitals employ IT security controls, their efficacy may be questioned as to the threat environment continuously evolving and the readiness of the staff may be questionable — they may not be skilled or properly equipped to deal with the latest threats and exploits in a timely way. Additionally, when it comes to the hospital’s budget, emphasis is placed on the purchase and maintenance of the latest medical tools, techniques, and service offerings – items that are tangible to the patients and their care; not tools to combat IT and cyber threats. And most patients want it that way. Ideally, with the increasing escalation of ransomware costs and lawsuits, issues with data and service availability, and other cyber-related issues, hospital executives will open their collective eyelids to see the extensive damage such cases can bring to their institution’s reputation and begin allocating the needed or required resources.
Until that happens, TPRM controls should be reviewed and monitored in relation to your organization’s exposure to medical records and medical facilities. Additionally, advocating for increasing IT budgets and threat assessments for the medical industry should be top of mind for consumers, patients, and providers at every level.