FLORA — The FBI and police are investigating a blackmail threat against Clay County Hospital in which someone stole the confidential records of more than 12,000 patients and threatened to release them publicly unless a "substantial payment" was made.
“Someone got a hold of patient data and is holding it for ransom,” said Lisa MacKenzie, a spokeswoman retained by the hospital to answer questions about the theft. “The hospital has alerted the national and local law enforcement to deal with the issue.”
The hospital received an anonymous email about the theft on Nov. 2 that included the demand for money, said MacKenzie, who would not disclose the amount of money demanded.
The compromised information includes names, physical addresses, Social Security numbers and dates of birth, according to MacKenzie. It does not include any medical information, she said. The hospital notified patients about the problem on Dec. 15 by first-class mail.
The issue has gained national attention in recent weeks with the theft and public release of confidential emails and employee records at Sony. Experts say health information is becoming a popular target.
“Health insurance information is worth more on the black market than credit card information,” said Michael Sacopulos, of Medical Risk Institute in Terre Haute, Indiana. “They can sell the information, which has been used to submit false health claims.”
There's no evidence that the information taken from Clay County Hospital has been used for any illegal purpose other than the blackmail threat, MacKenzie said. She noted that little else can be released about the security breach because of the investigation by local and federal authorities.
“This hospital takes patient privacy very seriously,” said MacKenzie. “They are following appropriate channels to notify people of the issue.”
MacKenzie said the patients whose records were compromised haven't reported problems with identity theft. The stolen information was from patients of the Clay County Hospital Clinic during or before February 2012.
MacKenzie said it does not appear that outside hackers gained access to the information.
“Extensive reviews from outside forensic experts concluded that Clay County Hospital servers have not been hacked and remain secure due to the rigorous security program that meets the standards set by privacy laws,” the hospital said in a statement released by MacKenzie. “In order to prevent future incidents, Clay County Hospital is implementing extra internal security measures. These include additional logging systems and auditing features to track and control data access.”
Sacopulos, the security expert, said the FBI sent a notice to health care providers earlier this year warning that hackers are targeting medical information. The issue affects hospitals of every size, Sacopulos said.
“The information from a Clay County Hospital is worth the same as medical information from a hospital in Manhattan,” said Sacopulos.
Current estimates are that five percent of hospital patients in the United States have had their identity stolen, he noted.
“One of my biggest fears is that if someone actually uses the insurance information to see a doctor, and the incorrect information goes into the wrong medical record, you can imagine the problems that would cause,” said Sacopulos.
He pointed to a case in Arizona last year in which a patient filed false medical information to receive a heart transplant.
Sacopulos said the problem is compounded in smaller hospitals, where there is less security and proper training isn't always provided to employees about bad security habits.
“It's not that your firewall is bad, but that employees haven't been properly trained,” he said. “Clicking on links where they are a victim of phishing is a big problem. They also use a weak password, or don't use one at all.”
Patients with questions regarding the incident can visit myidcare.com/claycounty or call 1-888-281-7040 Monday through Friday from 9 a.m. to 9 p.m. Eastern Time.