Patients at risk of ransom from hackers with stolen medical records

Posted at 10:14 AM, Aug 15, 2016
and last updated 2016-08-16 07:11:32-04

Millions of stolen medical records are up for sale online and hackers are no longer just using that information for identity theft, they’re now blackmailing patients for money.

This is happening worldwide and reports about similar incidents have been made in China and the U.K. after a California hospital paid a ransom earlier this year.

A service provider for Blue Cross and Blue Shield of Kansas City was also recently hit with a data breach where more than 400,000 Missouri members may have had their member information potentially exposed. No health plans’ systems were accessed or affected in any way, according to the Department of Insurance, Financial Institutions and Professional Registration. 

41 Action News uncovered at least 159 million patient records had been breached in the past.  

“People I think just don't realize how at risk they are,” said Kansas City attorney Maureen Brady. “Devastation, humiliation, embarrassment. [Patients] want to make it all go away. In an instant their life changes.”

Here is a map showing all of the hospitals in Kansas and Missouri affected by breaches.

Patient Blackmail

Brady's law firm McShane & Brady represents patients extorted by hackers or at risk of ransom because their personal files were stolen online.

“They go to the individual patients and say, ‘Hey, I’m going to release your medical records to people you don’t want them released to if you don’t give me a certain amount of money,’” said Brady.

McShane & Brady expect more extortion victims because of more medical record thefts.

Kansas Lawsuit

The law firm is currently suing Valley Hope - a Kansas based drug and alcohol treatment facility with a clinic in Overland Park. 

“They’re dealing with very vulnerable people. People who have been struggling with drug and alcohol issues and that’s not something that people want out,” Brady said.

Valley Hope began notifying patients in February that someone stole an employee's laptop out of their car and it's still missing. Brady says the unencrypted laptop contained more than 52,000 patient records dating back to 1999. It’s the largest breach ever in Kansas.

“They absolutely were reckless in not locking down this information,” Brady said. “52,000 people are at risk to have their medical records distributed or used as ransom.”

We called Valley Hope, but a representative would only point us to their website which just offers one year of free credit monitoring for affected patients. 

Millions Exposed

Valley Hope is among thousands of health care providers investigated since the HIPAA privacy rule began in 2003.

In just the past seven years, the federal government reports at least 159,000,000 patients had their medical records breached -- many happening online.  

Cyber crimes is one of the FBI’s top investigative priorities,” said Bridget Patton with the Kansas City FBI office.
The FBI is the lead agency investigating online crimes and its website says “the threat is incredibly serious - and growing.” 

“Cyber crimes can run the whole gamut. You are seeing so much more with today’s technology,” said Patton.

Government Fines

Data breaches keep happening even though the federal government has fined health care providers more than $36,000,000 over the years for not securing patient information. 

Millions For Sale

Just this summer, a hacker started selling 655,000 medical records online that were all stolen from healthcare providers, including from one in Farmington, Missouri.  

The HIPAA Journal also reports that even more hackers on the DarkNet are selling millions of stolen medical records.  

Threat Not Immediate

Patients might not even notice the threat right away.

“Usually the hackers take a year or more to use this information. So the moment that the hack occurs isn’t the risk, the risk comes actually many years later,” Brady said.

Impact Forever

Breaches of your medical records could be used against you at any time. Brady says she's seen patients affected after their private information became public.

“You’re never going to be the same. So no matter where they go, no matter who they talk to, they’re always going to be wondering have you seen my medical record? Do you know what's really going on,” Brady said.

Don’t Pay Ransom

So what do you do if you’re the victim of blackmail by an online hacker?

“We want you to contact law enforcement, your local FBI office immediately,” said Patton. “The FBI does not support the paying of a ransom.”

Kansas City attorney Maureen Brady agrees after she’s seen patients face extortion from hackers. “Paying the ransom is just going to lead to more demands. It just won’t end,” Brady said.

Encourages Criminals

Besides no guarantee of recovering your stolen information, the FBI says paying a ransom just encourages more crime.

“It could be being used to fund other illegal activity of criminals, but it also could be offering basically an incentive for additional criminals to get involved in this type of activity,” Patton said.

Ask Health Providers

McShane & Brady Law Firm recommends you to ask your health care provider if they encrypt your medical information, how often they train staff on privacy laws, and if they use a layered approach to allow just your doctor to see your personal information.

“You’d be surprised how often healthcare providers get busy. They rely on other people to do their training, they rely on other folks to hire the tech guys,” said Brady.

File A Complaint

You can file a complaint with the federal government if you think your personal medical information has been breached: whether it’s happened by a person, disclosure of paper records or online records by theft, loss or mishandling of information. 



Patrick Fazio can be reached at

Follow him on Twitter

Follow @PatrickFazio

Connect on Facebook