Why is PHI Valuable to Criminals?

PHI is valuable to criminals – valuable enough that cybercriminals devote significant time and resources to stealing it. But what precisely about PHI makes it worth money? PHI is not currency (like diamonds or gold) that the entire world recognizes and barters with, and it is not inherently valuable, like a coupon or a sale in which something is purchased at a discount that allows someone to save money. The reasons PHI is valuable to criminals are discussed below.

Why is PHI Valuable to Criminals? Shelf-Life, Extortion, and Fraud

One reason PHI is valuable to criminals is its extended “shelf-life.” A cybercriminal who steals a credit card or credit card number can quickly obtain cash. However, the credit limit of the card limits the amount of cash that can be stolen. In addition, once a card has been “maxed out,” the card issuer will either cancel the account altogether (if the theft is not reported), or issue the cardmember a new card (with a new account number) if the theft is reported. At this point, there is nothing left to steal.

PHI is valuable to criminals because there are a number of ways that health information can be used to illegally make a profit. These include, to name just a few:

Extortion (commonly referred to as blackmail). Extortion is the illegal threatening or intimidating of someone to get that person to do something. Here, a cybercriminal will demand that an individual pay money. If the individual doesn’t, the cybercriminal will expose private and potentially embarrassing medical information. Once a cyberthief is in possession of potentially embarrassing PHI, the cyberthief can literally wait years to extort someone over it. Extortionists frequently carry out ransomware attacks to obtain unauthorized access to PHI. They then threaten that unless the victim pays a large sum of money, the PHI will be publicly revealed.

Fraud. Fraud is another common reason PHI is valuable to criminals. Fraud is a misrepresentation that someone relies on, made to trick that person into doing something. Healthcare fraud involving PHI consists of (among other tactics) a criminal’s using a valid healthcare card to obtain medical equipment, which the criminal then sells at a profit. The healthcare card can be the criminal’s own card. The criminal will commit the fraud by misrepresenting (sometimes with the use of a doctor’s note, which may be forged) that he or she needs a particular piece of medical equipment. Once the criminal receives the equipment, it is then sold at a profit.

Identity theft. Identity theft is a type of fraud, in which a criminal assumes the identity of another person by using that person’s PHI, including bank account number, Social Security number, or credit card number, to open a fake account, or a fake line of credit.

Data laundering. Data laundering occurs when a cybercriminal sells PHI to an institution from which the PHI was stolen. The stolen PHI is sold back to legitimate businesses.

Why Is PHI Valuable to Criminals? The Big Picture

The combination of two or more pieces of PHI can be more valuable than a single piece. The more PHI a criminal has access to, the more thoroughly the criminal can create a complete identity of a person. The criminal can sell this identity to multiple buyers. A cybercriminal can sell PHI on the dark web. The buyer can then resell the information to someone else. The same “set” of PHI can be sold and re-sold over and over again, thereby increasing its value.

PHI is valuable to criminals for reasons other than money, as well. Hackers acting on behalf of a government or terrorist organization can hold PHI for ransom to promote or further a political agenda. In some cases, hackers will deliberately use malware to sabotage records or disrupt performance of medical devices, to endanger people’s lives.

