Yesterday I wrote about the major breach of privacy of protected personal medical information involving the major health insurer, Anthem, by an as yet unknown hacker. As many as 80 million individual patients were put at risk. I expressed my opinion that such breaches are to be expected in our current healthcare world. Subsequently, in coverage of the matter by Modern Healthcare, it was noted that the largest previous breach resulting from hacking was a 2014 episode at Community Health Systems of Tennessee. That cyber-attack — involving a mere 4.5 million records — is thought to have originated in China.
Being a curious sort, I extracted all the HHS reports of breaches involving more than 100,000 records. It can be viewed here. There have been 40 instances of such breaches reported to the Office of Civil Rights in HHS, 10 of these greater than a million. A total of 33.6 million individuals were exposed. In these breaches, the covered entity compromised was a Business Associate in 19 cases, a Healthcare Provider in 14, and a Health Plan in 7.
While physical theft of records in one form or another remains a common type of major breach, it is clear that the ability to penetrate network servers by theft, hacking or by unauthorized access provides the best high-yield approach for data-thieves. It is also clear that business associates of healthcare providers and plans are a weak link. Why am I not surprised?
Inspection of the names of the covered entities reveals a wide range of entities including: health plans, medical centers, state & federal government agencies, contractors & consultants, and drug stores.
It should be noted that the fact that a breach occurred did not necessarily mean that the data was misused — a thief may have just wanted the laptop! However, potential misuse is always a possibility. Recall that only breaches involving more than 500 individuals appear on this government list, and that the number of breaches of any size not reported or recognized is completely unknown.
Peter Hasselbacher, MD
Feb 17, 2015
Healthcare data unchained!
We often hear the aphorism, “Anything put on the internet, stays on the internet.” I suggest a corollary, “Anything put on a computer can be retrieved by a determined inquisitor.” So it is even for the most intimate of personally identifiable information – healthcare records. Given massive nationwide efforts to digitize our healthcare encounters, and given the frequency with which those digits are shared among insurers, contractors, researchers, public health officials, health information exchanges, pharmaceutical companies, healthcare providers, and the host of other interested parties who claim a legitimate interest, it is inevitable that data will go astray and be misused – illegally or inappropriately! It is said of computer hard-drives that one does not ask if a failure will occur, but when. I maintain that the same dictum holds true of personal health information. If computer-wielding crooks can steal from banks (which we assume use the highest degree of on-line and network protection), how impregnable is the healthcare industry? Apparently not so much.
Big data-hack at Anthem.
Earlier this month, health-insurer behemoth Anthem announced that the personal healthcare and credit card information of as many as 80 million of its customers may have been compromised. A secondary wave of attacks is already occurring as scammers send email warnings pretending to be from Anthem or credit-protection companies, seeking to extract even more personal information from frightened Anthem customers. The Anthem breach strikes close to home. At last week’s UofL Board of Trustees meeting, it was announced that some 5700 UofL employees might be on the Anthem list. I may be one of them. Not a good feeling. I feel violated enough when my personal healthcare information is being used to target me with marketing propaganda cloaked as important medical information. Having the same information in the hands of bona fide crooks gives me the willies.
Yesterday, Phil Galewitz reported for Kaiser Health News (reprinted in USA Today) on a practice that is one of my biggest disappointments in our health care system: the sale of our personal health information for the benefit of someone else. I do not mean the use of de-identified medical information to improve public health, medical quality, or our ability to treat disease, or even for law enforcement. I am talking about the use of your individual health information to try to sell you something else that you may or may not need. Did you ever wonder why all of a sudden you started getting ads for diabetes supplies? Or why ads for erectile dysfunction started arriving in your mailbox as well as your email? It is because your personally identifiable medical information is being shared to improve the bottom lines of those who have access to your medical records. The story highlighted the practices of hospitals that use information from their medical records to peddle other services to their current or former patients. Partnering with mass marketing companies, your hospital knows a lot more about you than is present in its records. For example, if you smoke, you get a directed ad for lung cancer screening. Believe me, when you come in for a “screening,” something can almost always be found that “needs” to be done. Screening can be a hospital’s or doctor’s best friend. How far evidence-based scientific medical practice will be stretched depends on how ethical or financially strapped the provider is. Examples of abuse are easy to find.