The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the public perception of the presidential candidates. Moreover, never before have the personal health histories of the candidates figured so prominently in efforts to qualify or disqualify them as fit or unfit to serve as president.
A report released this week by Intel Security reveals the ease by which nation-states, domestic political actors, corporations, or activist groups could steal and expose the medical records of political opponents in the same way that the disclosure of incriminating email messages, video recordings, private documents, and speech transcripts has already been used as a political weapon in 2016.
The market for your medical data
The report shows that huge caches of detailed medical records can be purchased for a mere $0.03 to $2.42 per record and browsed to identify the names of political candidates and their family members. Such records contain protected health information such as family names, mothers’ maiden names, social security numbers, payment card and insurance data, and patient addresses. But they also include more sensitive information such as medical histories, details of medical conditions, mental health issues, medications taken, and the state of treatment for a variety of perhaps embarrassing afflictions or addictions.
Intel Security suggest that cybercriminals already mine and analyze millions of such records, cross-reference them with data from other sources, and assemble profiles around individuals who appear to be the most viable targets for crimes such as fraud, data theft, extortion, identity theft, and blackmail. Such crimes have gone digital along with so many other things in our world, and it is not a stretch to foresee them going political in the near future (assuming they already have not).
The “weaponization” of medical records
Although this political season suggests nothing is truly disqualifying, just a couple of years ago former Florida Governor Jeb Bush was deemed disqualified as a presidential candidate on account of, among other things, his daughter’s very public drug addiction. The theft, identification, and public disclosure of data exposing such cases would constitute a political “weaponization” of personal medical records.
Such a disclosure or threat of disclosure targeting a close relative could certainly prove damaging or threatening enough to force a politician from an election contest, or even out of politics altogether.
In 2016, Republican candidate Donald Trump has been criticized for releasing an allegedly inadequate and unconvincing doctor’s letter attesting to his “tremendous” state of health. The health of Democratic candidate Hillary Clinton has been questioned following the release of a mere four seconds of video depicting her exhibiting dizziness. Though these two candidates are not known for quitting, consider that a disclosure of medical records challenging the “robust health” assertions of most campaign teams might prove pivotal in the final days of a contentious election.
Health care hackers-for-hire
Nor is it a stretch to assert that cyber capabilities—hacking skills, tools, and infrastructure— are beyond the reach of political actors.
Recent press reports claim that around 500 million Yahoo email accounts appear to have been compromised by a mercenary cyber gang. Intel Security has identified cyber gang services available for hire specifically for the purpose of attacking health care organizations. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches.
In one case, a relatively non–technically proficient cyber thief purchased tools to exploit a vulnerable health care organization, and even leveraged free technical support to orchestrate his attack. The Intel research found that this actor extracted more than 1,000 medical records that the technical support provider said was worth as much as $15,564.
This data breach–enabling ecosystem is so developed that Intel Security was able to uncover the brazen efforts of cybercriminals to recruit as accomplices, through online ads and social media communications, health care industry insiders with workplace access to patients’ information.
Intel Security’s report reveals how financial resources can command the technical means for launching cyber-attacks via a marketplace for health care hackers-for-hire and stolen medical data. All that remains is the motive, criminal or political, and the media opportunity to release damaging data through organizations such as WikiLeaks or press outlets.
To believe that such an event is unheard of, despite evident public disclosure of weaponized emails, video, and documents, would be to ignore that the 2016 US election season has entered the realm of the unprecedented.