Stolen medical identities
You’ll cancel your stolen credit cards. If you’ve had your S.I.N. stolen, Service Canada can issue you a new one. But you’ll have a hard time removing scars or a family history of diabetes. Not only is health data permanent but medical records contain information on patients’ finances and physical traits, so breaches in the healthcare sector are the most expensive of any industry, according to the Ponemon Institute’s 2015 Cost of Data Breach study.
David Finn, a healthcare IT officer at the cyber security firm Symantec, says health records sell for between $50 and $200 U.S. on the black market. If a hacker is looking for data on someone specific, costs climb to $600.
But it’s worth a hacker’s while to shell out for medical info. For starters, physical descriptors are essential for creating fake identities. There are “pretty sophisticated guys who can look at things like birthmarks or scars and use them to create visas [and] passports,” says Finn. A well-forged American passport, RT.com reported in 2009, could go for $7,500 on the black market.
Other thieves use victims’ insurance to pay for medication. Finn points to one mother who, out of the blue, received a call to renew her 10-year-old’s OxyContin prescription. It turns out hackers had stolen the child’s medical identity just after birth, and “pill mill” doctors who don’t bother examining patients had been prescribing her narcotics for years. The doctored records hadn’t yet created any problems, but as she grew older, it could have led to inaccurate diagnoses or even refusals for disability insurance.
Michelle De Mooy, deputy director of consumer privacy at the Center for Democracy and Technology, emphasizes that unlike the financial industry, American health insurers don’t have to inform patients when they notice potential fraud, so “consumers are often left with footing the bill to remediate any damage to their records.”
Hackers can wreak havoc from hospital charts alone; that damage will only increase as more records include highly specific genetic tests like DNA sequencing. “At that point,” says Finn, “if you’ve got someone’s genetic map and wanted to do dastardly things to them, you really begin to have the capabilities, assuming you can manufacture drugs and inhalers.”
But we’re not there yet. Last year, The Washington Post reported “MRI exams and CT scans of a patient’s head could be used to reconstruct a person’s face,” which hackers could then match to Facebook photos. Dr. Judith Coret-Simon, an associate professor of radiology at McMaster University in Hamilton, Ont., respectfully disagrees. “For skin lesions or bony lesions, there is a 3D reformat protocol that can be done… [It provides] coarse contours of the head and face, but it is not meant for facial features.”
For a 2006 study in Forensic Science, Medicine, and Pathology, facial reconstruction practitioners used virtual sculpture tech to create fairly accurate images based on CT scans. But even if anatomically educated hackers had access to the expensive tech, “we can’t predict anything that cannot be determined from the skeleton,” says Caroline Wilkinson, the study’s lead author and the director of the Face Lab at Liverpool John Mores University. Without DNA evidence, she says, traits like eye, hair and skin colour are impossible to figure out.
So relax. While thieves can profit from your scars, it’ll be a few years before they can steal your S.I.N. from the shape of your skull.
Copyright 2015 Rogers Publishing Ltd. This article first appeared in the Fall 2015 edition of Corporate Risk Canada magazine