The frightening new frontier for hackers: Medical records

By Brigid Sweeney, Crain’s Chicago Business  | April 10, 2017

If you’ve ever had your credit card or bank account hacked, consider this grim new statistic: By 2024, everyone in the U.S. will have had their health care data compromised if online theft keeps accelerating at the current pace.

As health records have gone digital in the past seven years, they’ve become far more vulnerable to poaching—and far more valuable to thieves, who can sell a complete medical record for more than $1,000 on the darknet. That’s because the records contain not just your insurance info—which can be used for fraudulent billing and prescriptions—but also Social Security, driver’s license and credit card numbers. As a result, the health care industry is scrambling to play catch-up to secure patient and hospital data.

Health care has lagged far behind banking, financial services and retail when it comes to implementing security protocols. Until Obamacare mandated electronic records, many medical providers still operated with paper, faxes and handwritten charts. Once electronic systems were finally implemented, the industry struggled to attract top IT talent to protect them.

The access issues are industry-specific. “Security in health care has some unique challenges because we have to share data in order to save lives while also protecting patient information,” says Steven Smith, chief information officer at Evanston-based NorthShore University HealthSystem. “If you think of a bank, your financial information is locked up and not shared. But we need to share our data with our doctors, nurses and outside payers, as well as with the patients themselves.”

IT security experts say it’s tough to overstate the enormity and frequency of the threats, which have skyrocketed in the past decade as everything has become exponentially more networked. “Let’s put it this way: I’m currently on-site with a client, dealing with a breach,” says Mick Coady, a partner in PwC’s Health Information Privacy & Security practice in Austin, Texas, who works with major health care clients across the country.

So far in 2017, 79 security breaches, each affecting at least 500 patients, have been reported to the U.S. Health & Human Services Department. That’s more than five incidents a week. Only one, involving Walgreens Boots Alliance and 4,500 records, took place in Illinois. Still, the state has experienced nearly 100 incidents since 2010, according to the HHS breach portal, known as the “Wall of Shame” to security professionals.

Major hospital systems here are beginning to pay the price as HHS levies fines on providers who have lost sensitive patient data. In January, Chicago’s Presence Health agreed to pay $475,000 to HHS for failing to report in a timely manner a 2013 breach involving missing paper schedules containing patient information. Presence is “working diligently” on a corrective plan, including additional security training for staff, a spokesman says.

That figure pales in comparison to the $5.5 million shelled out by Advocate Health Care in August. The Downers Grove-based hospital network agreed to pay HHS the largest settlement ever by a single entity for potential violations of federal patient privacy law related to three separate 2013 breaches that compromised the data of 4 million people. Two of the incidents involved stolen employee laptops, while a third involved a consultant’s potentially unauthorized access to patient records. Since then, Advocate has “enhanced (its) data encryption measures,” says a spokeswoman, adding that there’s been no indication the information was misused.

Nationwide, IT breaches cost the industry more than $6 billion annually—a number that grows each year, according to the Ponemon Institute, an IT security researcher.

Hospitals and physicians’ practices make enticing targets. For starters, the protections are lax. “Based on our testing, health care applications performed more poorly on just about every (security) measure than applications in any other industry,” says Tim Jarrett, a senior director of product marketing at Veracode, a Boston software security firm.

Then there’s the industry’s personnel problem. “The U.S. has a huge shortage of highly qualified cybersecurity people across all industries,” says Rod Piechowski, a senior director at the Healthcare Information & Management Systems Society, or HIMSS, a Chicago-based nonprofit with more than 50,000 members. “Being late to the game, health care just can’t compete.”

Although they’re in high demand, IT professionals in health care historically have not had a major say in their employers’ procurement process, unlike in other industries, according to Jarrett. Until recently, security wasn’t prioritized the way it was in finance or banking, and, as a result, network administrators couldn’t effectively lobby manufacturers to increase software security standards, so they often ended up overseeing systems that are tough to keep safe.

Plus, it’s not just computer and billing systems that are vulnerable. Medical devices from insulin pumps to pacemakers store information wirelessly. Several years ago, former Vice President Dick Cheney revealed that, while he was in office, his doctors had disabled his heart implant’s wireless connection because of a fear of assassination attempts. More recently, Johnson & Johnson warned customers about a security problem with one of its insulin pumps.

Some medical devices aren’t made to allow any remote management, which prevents IT people from detecting problems and installing updates efficiently. Once tech teams are saddled with subpar systems, they’re really stuck—because medical equipment tends to have a much longer life cycle than consumer electronics. Jarrett says he knows of one Midwestern drug company where computers that prepare prescriptions for patients use Windows XP, a 16-year-old operating system that stopped being supported in 2014. “That’s horrifying,” he says.

Source Link: Modern Healthcare

Wrong-patient surgery risks Massachusetts hospital’s Medicare funding

Worcester, Mass.-based St. Vincent Hospital could lose Medicare funding Dec. 12 unless it fixes patient identification issues that led clinicians to remove a healthy kidney from a patient earlier this year.

According to the Boston Globe, a surgeon checked a patient’s CT scan that showed a tumor in the left kidney, and the surgeon proceeded to remove the left kidney during surgery. However, the CT scan checked prior to surgery was for a different patient who happened to have the same name, and the left kidney that was removed was perfectly healthy.

A hospital spokesperson told the Telegram the patient’s physician misidentified the procedure the patient needed before the patient was admitted to the hospital.

However, CMS and state Department of Public Health officials conducted an investigation into the wrong-patient surgery and uncovered other patient identification problems in the sample records they examined. They also discovered that operating room computers showed patients’ names but not birth dates. Additionally, the investigation report notes St. Vincent did not take corrective action even after its own internal investigation.

St. Vincent has submitted an improvement plan to CMS, but a follow-up survey has yet to be conducted, according to the Globe. If the problems are not fixed before Dec. 12, St. Vincent will be terminated from the Medicare program.

“We are working to implement enhanced safeguards as identified in the CMS survey, including additional verification steps with physicians,” a hospital spokesperson told the Telegram in an emailed statement. “This was a deeply unfortunate situation and we will take all steps necessary to prevent it from happening again.”

NYC Pair Pleads Guilty For Their Role In Mortgage Scheme Against Flaherty Funding

ROCHESTER, N.Y.—Acting U.S. Attorney James P. Kennedy, Jr. announced today that Angelo Loissaint, 42, and Jennifer Johnson, 41, both of West Babylon, NY, pleaded guilty to conspiring to commit mail and wire fraud before U.S. District Judge Elizabeth A. Wolford for their role in a mortgage fraud scheme that victimized Flaherty Funding, a mortgage company located in Rochester, NY.

Assistant U.S. Attorney John J. Field, who is handling the case, stated that the defendants worked together to prepare false mortgage applications in the names of straw buyers and used fraudulent supporting documents. Loissant and Johnson worked together with another individual, against whom charges remain pending, to concoct the scheme to obtain mortgage loans from Flaherty Funding using fraudulent information. As a result of the scam, the defendants successfully obtained approximately $1,200,000 in loans, and sought an additional $900,000 for loans that ultimately did not close.

Sentencing for Loussaint and Johnson is scheduled for July 12, 2017, at 2:00 p.m., both before Judge Wolford.

Today’s pleas are the culmination of efforts by the United States Postal Inspection Service, Boston Division, under the direction of Inspector-in-Charge Shelly Binkowski; the United States Postal Inspection Service, New York Division; and the Federal Bureau of Investigation, under the direction of Adam S. Cohen, Special Agent-in-Charge.

Fugitive Arrested In $200 Million Credit Card Fraud Scam

NEWARK, N.J. – A New York man was arrested for his role in one of the largest credit card fraud schemes ever charged by the Justice Department, U.S. Attorney Paul J. Fishman announced.

Habib Chaudhry, 49, of Valley Stream, New York, was initially charged by complaint in February 2013 and then by indictment in September 2013. Chaudhry has been a fugitive for nearly four years. He is expected to make his initial appearance later today before U.S. Magistrate Judge Leda Dunn Wettre in Newark federal court.

According to documents filed in this case and statements made in court:

Chaudhry was indicted as part of a conspiracy – led by Tahir Lodhi, Babar Qureshi, Ijaz Butt, and others – to fabricate more than 7,000 false identities to obtain tens of thousands of credit cards. Since then, 19 people have pleaded guilty in connection with the scheme.

The scheme involved a three-step process in which the defendants would make up a false identity by creating fraudulent identification documents and a phony credit profile with the major credit bureaus; pump up the credit of the false identity by providing bogus information about that identity’s creditworthiness; then borrow or spend as much as they could without repaying the debts. The scheme caused more than $200 million in confirmed losses to businesses and financial institutions.

The scope of the criminal fraud enterprise required the conspirators to construct an elaborate network of false identities. Across the country, the conspirators maintained more than 1,800 “drop addresses,” including houses, apartments and post office boxes, which they used as the mailing addresses for the false identities.

U.S. Attorney Fishman credited special agents of the FBI’s Cyber Division, under the direction of Special Agent in Charge Timothy Gallagher in Newark, with the investigation leading to the charges. He also thanked postal inspectors with the U.S. Postal Inspection Service, under the direction of Acting Inspector in Charge James V. Buthorn, Newark Division, special agents of the U.S. Secret Service, under the direction of Special Agent in Charge Mark McKevitt, and the U.S. Social Security Administration for their assistance.

The government is represented by Assistant U.S. Attorneys Zach Intrater and Daniel Shapiro of the U.S. Attorney’s Office Economic Crimes Unit, as well as Assistant U.S. Attorney Barbara Ward, Acting Chief of the Asset Forfeiture and Money Laundering Unit.
This case was brought in coordination with President Barack Obama’s Financial Fraud Enforcement Task Force. The task force was established to wage an aggressive, coordinated and proactive effort to investigate and prosecute financial crimes. With more than 20 federal agencies, 94 U.S. Attorneys’ offices and state and local partners, it’s the broadest coalition of law enforcement, investigatory and regulatory agencies ever assembled to combat fraud. Since its formation, the task force has made great strides in facilitating increased investigation and prosecution of financial crimes; enhancing coordination and cooperation among federal, state and local authorities; addressing discrimination in the lending and financial markets and conducting outreach to the public, victims, financial institutions and other organizations. Over the past three fiscal years, the Justice Department has filed nearly 10,000 financial fraud cases against nearly 15,000 defendants including more than 2,900 mortgage fraud defendants. For more information on the task force, please visit




Cyberattacks could cost healthcare providers $300 billion


By Chris Nerney

Healthcare providers these days face tremendous financial uncertainty for a number of reasons. To those sources of possible fiscal disruption and chaos we can add costly cyberattacks. A recent report from Accenture predicts that over the next five years U.S. healthcare providers could lose more than $300 billion as a result of coordinated cyberattacks on healthcare IT systems and data. And that’s because more patient data is available digitally than ever as providers push toward interoperability and more coordinated care. As Accenture explains:

“The significant increase in adoption and use of electronic medical records (EMRs) and other healthcare technology has created a wealth of electronic information that includes patient data such as dates of birth, home addresses, social security records, insurance details and medical data. This treasure trove of information is increasingly being targeted by cyber attackers.”

Just last year alone, according to the U.S. Department of Health and Human Services Office for Civil Rights, nearly 1.6 million healthcare consumers had medical information stolen from providers. That figure could be low because providers aren’t required to report breaches involving fewer than 500 people.

Accenture says the hackers are just getting started. The consulting firm’s report, The $300 Billion Attack: The Revenue Risk and Human Impact of Healthcare Provider Cyber Security Inaction, predicts that “more than 25 million people—or approximately one in 13 patients—will have their medical and/or personal information stolen from their healthcare provider’s digitized records between 2015 and 2019.”

This is a problem not just for patients and healthcare IT security experts, but for CFOs and other revenue cycle professionals, according to Accenture.

“In many cases, the patient’s response could be to walk away from the healthcare provider that failed to protect his/her data,” the report says.

Given that providers already anticipate reimbursement challenges as patients struggle with mounting out-of-pocket medical costs, the financial fallout from healthcare data breaches almost certainly will reach straight into the revenue cycle. Accenture estimates that the data breaches reported in 2014 each cost the targeted provider organization an average of $113 million in lifetime patient revenue.

That’s $113 million for each data breach.

The Accenture report lays out five steps healthcare providers can take to protect against cyberattacks. The recommendations (on Page 3) are very IT-specific, but it’s important for all healthcare data stakeholders – including clinicians and the CFO – to have input into establishing cybersecurity priorities and policies.