Your Medical Records Are Not As Private As You Think

Information as private as your medical records can be bought and sold on the black market, according to hacking expert Jim Stickley.

“The U.S. Department of Health came out with an announcement that said that over the past five years, their research shows that up to 67 million people's medical records have been stolen,” said Stickley. “And that's an incredible number of records that are out there.”

April Holt knows firsthand the kind of information hackers can obtain. Two months ago, a scammer called Holt saying he was representing Yaz birth control. He asked Holt if she took Yaz in 2001.

“He said there was a class-action lawsuit happening right now and if I would be interested in getting on board with that,” said Holt.

Holt usually knows better than to give in when a stranger calls asking for money. However it wasn’t the money that caught Holt off guard; rather, what the caller said.

“He knew I had taken the pill,” said Holt.

The scammer knew Holt took Yaz in 2001. He also knew she consulted a doctor about a potential blood clot.

Although the scammer has no affiliation with Yaz’s parent company, Bayer, a class-action lawsuit does exist against the birth control company.

Holt decided to contact her local police instead of paying the scammer, and they confirmed that a scam exists. Despite the confirmation, she still had questions regarding how the scammer knew her private information. Could he have just guessed?

“The odds of that have to be astronomical,” said Stickley. “You have a better chance of winning the Lotto than getting that particular person on the phone.”

Stickley adds in this day and age, there’s an easier way.

“It tells me he clearly was looking at stolen records,” said Stickley. “A typical medical record will sell for about $50 per record. Compare that to a social security number, which sells for about $25, or a credit card number which sells for about $10.”

Stickley adds that hackers get your data from mistakes at medical facilities. Problems started when hospitals first transferred data from paper documents to computer. Back then, Internet security was an afterthought.

“And even now,” said Stickley, “you can still find places where people will throw medical records away instead of just shredding them.”

Hackers can also get private information through security and privacy breaches. A security breach happens when a hacker goes into to the system to steal data. Privacy breaches occur when someone within the institution looks at or reveals medical information.

As for Holt, in 2001, she went to UConn Health Partners in East Hartford. UConn Health had a privacy breach last year and told the Troubleshooters they investigated the incident. Their investigation determined the employee did not disclose private information.

So there’s no way of knowing exactly how Holt’s records were compromised. Since we don’t always know where the hackers get our data, we can’t do much to prevent them from compromising our security.

We can, however, avoid falling victim to scammers using our data to extort cash. Lt. Scott Custer of South Windsor Police Department suggests consumers do research before divulging any information over the phone or email.

“In a case such as this, you want to contact the so-called attorney’s office representing the settlement,” said Custer.

The Troubleshooters reached out to Bayer to confirm this scam exists. They sent us a statement saying:

“We are aware that some consumers have received calls from individuals claiming to offer monetary compensation for a Yaz/Yasmin legal settlement in exchange for money wired to the caller.

"These calls are fraudulent and the callers have no connection with Bayer or any of our authorized business partners. Consumers who receive unsolicited communications should not provide any personal information or wire any funds. Complaints can be filed with the Federal Trade Commission (FTC) by calling 877-FTC-HELP or visiting www.ftc.gov.

"Bayer values a consumer’s right to privacy. Bayer does not sell or trade any personal information to third parties.”

Contact Us