Another Major Data Breach for a Health Insurer.

Hackers breached whatever firewalls and security measures were present at Premera Blue Cross, based in Washington state. The personal, financial, and now even medical information of some 11 million past and present customers was accessed. The breach may have occurred last May, was detected on January 29, but not disclosed to either the public or regulators until a few days ago. Nice job on the accountability front.

I recently wrote about an even larger breach of security at Anthem where the personal information of almost 80 million people was penetrated. It was not thought that medical information was compromised then, but how can one know for sure? I predicted we would be seeing more attacks on medical record and insurance databases, but it is disappointing to see them coming on so rapidly. There are at least two driving forces or enablers. The first follows from Willie Sutton’s law explaining his reason for robbing banks—because that is where the money is. Some 18% of our gross national product fuels the healthcare industry—that is where the real money is. Medical fraud is part of that big business.

The industry enabler is that accessing medical information seems to be so easy. If banks, other financial organizations, or for that matter governments cannot keep their digital records secure, why should we assume for a moment that our medical information will be any less vulnerable to prying eyes? Much has been promised about the value of having our computerized medical records available to us and everyone who takes care of us. We are told that “big data,” the analysis of massive data sets, will revolutionize medicine and save us a fortune. More and more information is being collected with the goal of providing safe and effective medical care of high value and to reduce fraud. The assembly and analysis of medical data is now a big business of its own. Everybody and their uncle wants access to the data, me included. There are any number of business “partners” willing to comb through an institution’s medical data for research, marketing, or business purposes. But to accomplish the above means making it transportable or available, and there’s the rub!

Take computerized medical records. I never had to use them as a doctor, and there are many providers that love them, but we are getting more and more pushback from patients and providers alike as the downsides of switching to the digital medical encounter emerge. To make their use practical, providers can access medical records from home or their cell phones. If they can do it, so too can your geeky 14-year-old nephew, let alone a well-financed medical voyeur. A major complaint about existing electronic medical record systems is that they do not talk very well to each other or to the insurers and regulators demanding information. Attempts to expand accessibility for some run the risk of further security compromise for all.

To boast about my sagacity, I predict, here and now, that we will have another multimillion-record breach of digital medical information security within 6 months. To demonstrate my confidence in this likelihood, I will accept the wager of a Martini in your favorite Louisville bar or mine. Alas, even if I win, we all lose!

Peter Hasselbacher, MD
President, KHPI
March 18, 2015

2 thoughts on “Another Major Data Breach for a Health Insurer.”

  1. No one has taken me up on my bet that we would see another multi-million patient security breach of a health insurance company within 6 months. Three months have gone by but the third latest breach by CareFirst Blue Cross and Blue Shield of Maryland last month was only a paltry 1.1 million members. I am losing my potential bet so far. Not too late to clink our glasses together.

    Just as sobering is this month’s news that hackers, presumed to be from China, stole serious information including social security numbers of some 4 million former and current federal employees, some in sensitive positions. It seems possible that the hackers are the same ones stealing health insurance records.

    Let's face it, if your information is connected to the internet in any way, it can be used by any malefactor with a will to do so. Who will say I am wrong?
