An IBM security expert explains why, and how he was an ID theft victim himself.

Even a computer security expert can have his identity stolen.

That’s what happened to John Kuhn, a senior threat researcher at IBM Security Services, when he got an X-ray at a local hospital. He says the hospital’s security was compromised and his medical records stolen — resulting in a “$20,000 or $30,000 surgery” being done to someone else in his name. He had to drive down to the hospital to prove it wasn’t him.

“It happens to the best of us,” he says.

Of course, it happens to millions of other people, too. Individual data breaches last year fell overall, according to an IBM study, but the strength of those cyber attacks has increased significantly. In other words, it’s not just credit card numbers that the thieves are after anymore.

“The hacks are growing more sophisticated and more targeted,” Kuhn says. “Instead of trying to attack a broad spectrum of retailers, they’re narrowing their amount of attacks — but increasing their potency. They’re looking for an easy target with huge financial gain.”

Medical records are the new target

In his experience of monitoring criminals, Kuhn says he’s discovered one consistent factor: They’re lazy.

“They don’t want to work hard for it,” he says. “They want to be able to walk in and walk out with a large heist.”

This tendency propels them toward big targets like retail chain stores, which have huge databases and a lot of room for human error — because the more employees a company has, the more likely one of them got sloppy with security.

Employees need to be equipped to deal with hackers looking for “a little chink in the armor,” Kuhn says. Often, employees represent the softest spot to attack.

Interestingly, Black Friday and Cyber Monday were actually down last year from 2013. Kuhn attributes this to hackers ignoring retail point-of-sale systems and bagging more valuable records elsewhere, like at a hospital.


The FBI says a set of stolen medical records is worth about $50 on the black market, while a stolen credit card number is worth $1 to $5. So Kuhn thinks that hospitals are the next big target.

“If I can dump a million records at $50 a record, that’s quite a haul for a criminal,” he said. “The upcoming danger truly is medical record information.”

The real cost of data breaches

According to another IBM study, the average cost that a company incurs for a data breach is $5.9 million, up from $5.4 million a year ago. The cost per stolen record rose from $188 to $201.

And there’s a higher cost that comes later: A record 15 percent of consumers terminated their relationship with a company due to distrust in 2014.

IBM predicts a “material data theft of 10,000 records” has a 19 percent probability of happening at any decent-sized company over the next two years.

“The threat is there, and it’s only a matter of time before it happens.”

While IBM is urging these companies to spend more time and money on security, what can you do? Read the free advice on How to Prevent Identity Theft.

Meet the Author

Jess Miller



Miller is the former assistant editor of



Article last modified on March 9, 2018. Published by, LLC.