Channel 2 Investigates

Medical records are being sold on the black market

ATLANTA — A Channel 2 Action News investigation uncovered the incredible value of black market medical data.

While Social Security numbers are sold for pennies on the dark web, someone's medical record is worth $5.

Jim O'Kane, a victim of ID theft, understands why.

"It's the holy grail, right?" O'Kane told Channel 2 Investigative Reporter Aaron Diamant. "You have to fill out that new patient form, and they basically ask you for everything under the sun."

O'Kane was one of hundreds of victims when a hacker broke into the computer servers of Peachtree Orthopedic.

The clinic announced the breach in September, but what the announcement didn't say was that the hacker, who goes by the name The Dark Overlord, has a history of stealing health data.

First, The Dark Overlord holds the data for ransom. If the medical facility doesn't pay up, that data goes up for sale on the dark web.

"These websites are user-friendly, like Amazon or eBay. You can go on there and take your pick as to what kind of information you want," said Steven Grimberg, from the Department of Justice.

Former FBI analyst Willis McDonald agrees.

He told Diamant it would take a cyber-criminal five to 10 seconds to find stolen patient medical records for sale.

"Anybody can do this. Anybody can do this with, you know, very little knowledge," McDonald said.

But McDonald said the crooks who buy this information can commit fraud on a massive scale.

"These are for more sophisticated criminals that are carrying out long-term fraudulent activity for healthcare fraud, such as filing insurance claims."

In addition to targeting patients, hackers steal doctors' identities.

With that information, cyber-thieves can set up so-called "ghost clinics" and file $5 million worth of bogus claims with Medicare and private insurance companies.

Federal prosecutors have upped their technology game, but it's still incredibly hard to find the hackers.

"By the time we put the pieces together to figure out who that person is, they're in the wind," Grimberg said.

A federal database of reported medical data breaches shows that 168,917,235 people in the U.S. have been affected by breaches since late 2009.

With an estimated population of 322,761,807 in the U.S., that means more than half of the population has had their medical information exposed, assuming each person was victimized only once.

Security experts say medical facilities are years behind the financial industry in keeping electronic data secure. They say doctors have traditionally been focused on the health of patients.

Another complication is the so-called "pay and chase system."

Federal law makes insurance companies pay claims quickly, which leaves little time to identify fraud until after the fact.

"They constantly evolve to evade detection techniques. It's like whack-a-mole game," said Georgia Tech researcher Musheer Ahmed.

Ahmed has developed software that can catch bogus claims in real time.

"Not only does it figure out what claims are risky and suspicious, it gives information on why the system thinks those claims are suspicious," Ahmed told Diamant.

But until the government is able to catch the crooks in real time, former FBI analyst Willis McDonald has some advice.

"The best thing that you can do is monitor your accounts, monitor your credit history, monitor your bank accounts and know what's going on. Because it's almost safer to assume that way that your information has already been stolen," he said.

It's also important to read your health insurance statements. Make sure that when insurance is paying a provider, it's really your provider.