Data breaches threaten patient records
Your private medical information is under threat. That’s according to a study that found almost 30 million health records nationwide were involved in criminal theft, malicious hacking or other data breaches over four years. The incidents seem to be increasing.
Compromised information included patients’ names, home addresses, ages, illnesses, test results or Social Security numbers. Most involved electronic data and theft, including stolen laptops and computer thumb drives.
The study didn’t examine motives behind criminal breaches, or how stolen data might have been used. But cyber-security experts say thieves may try to use patients’ personal information to fraudulently obtain medical services.
Honest errors and dishonest hacks
Cases that didn’t involve malicious intent included private health information being inadvertently mailed to the wrong patient.
Hackings doubled during the study, from almost 5 percent of incidents in 2010 to almost 9 percent in 2013. Hackings are particularly dangerous because they can involve a high number of records, said Dr. Vincent Liu, the lead author and a scientist at Kaiser Permanente’s research division in Oakland, California.
“Our study demonstrates that data breaches have been and will continue to be a persistent threat to patients, clinicians and healthcare systems,” Liu said.
The study appeared in a recent issue of the Journal of the American Medical Association.
A JAMA editorial says there’s evidence that the incidents are leading some patients to avoid giving doctors sensitive information about their health — including substance abuse, mental health problems, and HIV status.
“Loss of trust in an electronic health information system could seriously undermine efforts to improve health and healthcare in the United States,” the editorial said.
Don’t fall for phishing
Patients should be alert to cyber threats, including “phishing” emails from hackers posing as doctors, hospitals or health insurance companies, said Lisa Gallagher, a cybersecurity expert at the Healthcare Information and Management Systems Society.
Those messages require clicking on a link to get information, which is how the hackers get you to their fake websites where they can ask you to provide private information. Instead, patients who receive such requests should call the purported sender to verify whether the email is legitimate, she said.
Patients should also double check doctor bills and other insurance company information.
“Don’t throw away your ‘explanation of benefits’ forms. Take a close look at them,” Gallagher said. “If you see care [billed for] that wasn’t provided to you, or dates and names of providers that don’t make sense, go to the provider and report that.”
For the study, Liu and colleagues analyzed an online database regulated by the U.S. Department of Health and Human Services and containing mandated reports of breaches in health information protected by federal privacy law.
Over the four years, 949 data breaches were reported across the country. The numbers climbed annually, from 214 in 2010 to 265 in 2013. Nearly 60 percent involved theft.
Prominent cyberattacks affecting two health insurance giants happened after the study. Last May, a data breach hit Premera Blue Cross, affecting about 11 million customers and others. And between last December and late January, hackers accessed an Anthem Inc. database with information on nearly 80 million people.
Authorities believe hackers in China may be behind both attacks, Gallagher said.
She said cybersecurity was among key topics at her nonprofit group’s recent annual meeting. Members include doctors, hospitals, health plans and sellers of electronic health record products.