Medical fraud could increase as hackers gain sensitive medical information on victims

With more health providers and insurers incorporating IT into clinical care, hackers are viewing the health care industry as their next target.

"Cybercriminals know that the health industry is moving into EHRs and there's more data to steal," said Ann Peterson, program director at the Medical Identity Fraud Alliance, an organization that works to reduce medical fraud.

Electronic health records, or EHRs, are increasingly being used by hospitals and doctors' offices to store information such as test results and treatment plans, along with data such as patient names, Social Security numbers and birth dates.

Health insurance companies also use EHRs and store other personal data, such as credit card details, making them attractive targets for hackers. This week, Anthem, one of the largest health insurers in the U.S., said sensitive information on possibly 80 million employees and customers had been exposed during a cyberattack. The information thieves made off with included patient names, Social Security numbers, birth dates and medical identification numbers.

The information can be pieced together and used to commit a variety of types of fraud, making it lucrative for hackers. Social Security numbers, for example, can be used to gain access to bank accounts, noted John Kindervag, a principal analyst at Forrester Research.

By targeting Anthem, hackers were able to access information that is commonly used to reset user names and passwords, said Ian Campbell, CEO of Nucleus Research. People are sometimes asked to enter their mother's maiden name when signing up for services, for example. Since this information is static, it can be combined with a person's email address to reset a person's email account.

"People should ask 'Will I have a problem 10 years from now because someone knows information that's not normally available?'" he said.

The health care industry is especially vulnerable compared to retailers and banks, which are more accustomed to cyberattacks, said Lynne Dunbrack, research vice president at IDC Health Insights.

"Cybercriminals tend to think of health care organizations as soft targets. Historically, they haven't invested much in IT, and security specifically," she said.

More:

Hackers target health care as industry goes digital