Cybercriminals increasingly are using stolen medical records for other types of identity theft beyond health-care fraud, including filing fraudulent tax returns.
Last year, almost 100 million health-care records were compromised, making them a hacker’s No. 1 target, according to a report by IBM. Now, hackers have realized “you can use those profiles for normal fraud stuff,” wrote one seller of medical records on a website shown to CNBC by IBM.
Hackers sell the medical records to other criminals on the so-called dark Web, a portion of the Internet not indexed by search engines. In order to access these websites, you need to download a special browser.
More than 30 breaches of health-care data involving 500 or more people have already been reported in 2016, according to the U.S. Department of Health and Human Services’ Office for Civil Rights.
Tax fraud expected to rise
Along with that bounty of personal information compromised by hackers in health-care breaches, experts expect a similar increase in tax fraud this year, possibly rising to as much as $21 billion, according to the IRS.
In fact, the agency has suspended processing of 4.8 million suspicious returns so far this year, worth $11.8 billion, the IRS said in an email to CNBC. Among that number are 1.4 million returns with confirmed identity theft, totaling $8.7 billion.
Some fraudulent returns do get through. The Government Accountability Office found that in 2013, the IRS paid out $5.8 billion in tax refunds where the victim’s identity was stolen.
Cashing in on medical breaches
The fake tax returns are part of how cybercriminals cash in on big breaches. They work like organized crime rings, with “specialists” for each part of the attack.
“You have experts in different fields. There are those who are great at obtaining information. And then there are other guys, who will buy this data and use it to commit fraud,” said Etay Maor, an executive security advisor at IBM Security.
Health-care records fetch higher prices, as much as 60 times that of stolen credit card data, because they contain much more information a cybercriminal can use.
“Criminals want what they refer to as fulls, full information about their victim. Name, birth date, Social Security number, address, anything they can learn about their victim. All that information is in your health-care records,” said Maor.
Part of the reason for the higher prices is that while credit card numbers can change, your Social Security number generally stays the same.
“As long as entities use Social Security numbers to authenticate you, the criminals will have a record that is never-ending,” said Maor.
Read More: Be prepared: It’s tax-return fraud season
While a Social Security number can be purchased on the dark Web for around $15, medical records fetch at least $60 per record because of that additional information, such as addresses, phone numbers and employment history. That in turn allows criminals to file fake tax returns.
Surprisingly, the dark Web is actually easy to use, with websites resembling those of popular e-commerce sites.
“It’s exactly like going on a store for criminals. Criminals actually take the time to write reviews about their fellow peers and how good the information they sold was,” Maor said.
Safe guard your information
To protect yourself, Maor said avoid giving out your Social Security number, even to your doctor.
“Every time you give information to any entity, you’re actually exposing yourself in one way or another. If your doctor asks you for your Social Security number you should not be afraid to ask why. Why do need that information to take care of me?” Maor said.
Read More: E-filing taxes? Watch out for fraud.
In most cases, health-care providers do not need your Social Security number. If the doctor insists on having it, Maor suggests you ask for a changeable PIN as a substitute to authenticate you.
Experts also advise you file your tax returns as soon as you can. Filing earlier gives criminals less time to file a fake return in your name.
Security experts also say if you have been a victim of a health-care breach you should monitor your brokerage, bank and credit card accounts for any unusual activity.
You should also let the three major credit reporting companies — Equifax, Experian and TransUnion — know so they can place fraud alerts on your account.
In addition, you should take advantage of free credit monitoring that may be offered to victims of breaches.