Date: 2020-01-22
If you think ransomware is just a problem for businesses, think again.
Patients of Dr. Richard Davis of Florida, a plastic surgeon, are being threatened with exposure of their personal health and financial data by a cyber criminal.
The criminal hacked their doctor’s computer and demanded a ransom. The doctor wouldn’t pay and instead contacted the FBI. In response, the criminal contacted each patient to try to collect a ransom from them. In particular, the criminal threatened to release their unflattering pre-surgery photos.
But that’s not all.
In addition to health histories, the doctor had saved credit card receipts, a photocopy of each patient’s driver’s license, home address, email address, telephone number and insurance policy number on his computer. The criminal gained access to all of it.
Up to 3,500 patients’ data may have been taken.
This is a big deal. Hackers love medical data, which is more valuable than a driver’s license. They can sell it to people who can get medical care that they don’t have to pay for, and financial data can allow them to open a new line of credit in your name.
People are pretty aware now of how to check their debit and credit card records for signs of identity theft, and anyone involved in a breach like this should immediately lock down their credit with each of the three credit bureaus.
But what about medical theft?
The first line of defense is to open your mail. Look at every statement of benefits to make sure it’s a medical procedure you recognize. Be especially vigilant about people on your plan who don’t use health care regularly, such as a healthy child.
Secondly, if you see a problem, immediately file an Identity Theft report with the FTC here: https://www.identitytheft.gov/. Notify the FBI as well (google your local office and call them).
And then you’re in for a world of trouble. You need to call up each medical provider from which a service was fraudulently obtained. Remember, this isn’t just about the cost. That patient is masquerading as you – meaning that your records are going to have dangerously wrong information now, such as the wrong blood type or drug allergies. You need to get all that corrected at once. (And also, you need to correct it so you don’t have to pay the copays or deductibles!)
You need to get the physical, printed health records from each service, including all personal information – like your address. Correct them in pen and send them back by certified mail, return receipt requested. Include a copy of the FTC report and any other law enforcement reports you have, like an FBI investigation. Keep a copy of everything for yourself.
Then, every time you go to a provider, ask to see your personal information and correct it again if needed.
It is a huge pain. But this is why every company that is hacked should notify customers immediately so that they know to take precautions. Considering the radio silence after the Christmas attack here - which hit dozens of local businesses that have not revealed themselves or whether they lost data - I am not confident we can rely on self-disclosure. So I guess the message really is: open all your mail and read all your bank records, all the time.
