How many times have your medical records been illegally accessed?
It's a scary thought, but one that many of us will have to get used to unless big changes are made in the healthcare industry. While we tend to worry about web companies like Google, Facebook, and, more recently, Instagram, sharing or tracking our private lives, the real threat to our privacy and identity comes from the shadowy world of electronic medical record storage.
A new study by the Ponemon Institute found that a whopping 94 percent of polled healthcare organizations have suffered 'data breaches' that exposed patient records. That's a 65 percent increase since 2010-2011. Even worse, 45 percent of organizations reported they had more than five significant data breaches in the past two years. Less than half of these hospitals and clinics are confident they can prevent future data breaches or even know they took place.
Backing up this study is a 2012 report from the U.S. Department of Health's Office of Civil Rights, which found that in just three years, nearly 21 million patients became the victims of medical record data breaches.
If that doesn't scare you, it should. Electronic medical records contain such sensitive, personal information as medical diagnoses, treatments, insurance, payment information, Social Security Number and more. Losing a patient's medical record puts that person at risk of identity theft, medical identity theft and other crimes. And yet, in many cases, these records are probably less secure than a personal email account.
Why are so many patient records getting stolen? Here are eight reasons why your personal health records are at risk:
- Hackers - Cyber attacks are on the rise everywhere, but especially when it comes to electronic medical records. Attacks on the computer servers of hospitals, universities, private clinics and health departments are increasing - they now make up 33 percent of all medical record theft, up from 20 percent just two years ago. Unfortunately, healthcare organizations often don't have the best security when it comes to their computer networks - which makes it relatively easy for hackers. Here are just a few of the medical record hack attacks from last year: 780,000 patient records stolen from Utah Department of Health; 315,000 records from Emory Healthcare; 228,000 records from South Carolina Department of Heath; 116,000 records from Alere Home Monitoring, Inc.; 102,000 records from Memorial Healthcare System Florida; 66,000 records from Howard University Hospital - and the list goes on and on.
- Lost or Stolen - Most of the time, however, it doesn't take a high-tech criminal to get patients' medical records - in 46 percent of data breach cases, an employee laptop is simply lost or stolen. It's embarrassing to think that this happens at all, let alone comprises a high percentage of data breach cases. The problem is two-fold: medical records should not be locally stored on a laptop, smartphone, tablet or thumbdrive in the first place; and, secondly, when they are, they should be encrypted to prevent an unauthorized person from accessing them. Healthcare organizations often fail on both accounts.
- Failure to Delete - Believe it or not, old equipment once used by hospitals, doctors' offices and other healthcare facilities is often discarded without fully deleting the sensitive medical records they contain. When devices like PCs, laptops, thumbdrives, copiers, even ultrasound machines, are thrown out or donated, they pose a huge risk for identity theft. The only way to protect patient information is to physically remove and destroy the memory device (e.g., hard drive) - but that advice is not always followed.
- Third-Party Snafus - Many health care organizations outsource medical record storage and management to third-party vendors. The problem is, these vendors may not always be qualified to secure this type of information. In one recent example, Kaiser Permanente is now being investigated for allegedly letting a 'mom and pop' document storage company to keep 300,000 personal medical records in a shared warehouse and on their home PCs!
- Open WiFi - Health care providers often use WiFi networks to enable their medical staff to work efficiently and accurately as they go from patient to patient. But these WiFi networks are not always as secure as they should be - making it possible for intruders within a certain radius of the facility to break into sensitive files.
- Social Engineering - The oldest trick in the criminal handbook is the con, often referred to these days as 'social engineering.' As with any organization, criminals can trick healthcare employees into giving them access to sensitive information - often by pretending to be from the IT department, an authorized third-party vendor, supervisor or fellow employee.
- Insider Access - Rogue employees are another legitimate threat to a person's medical records. In most cases, healthcare employees that are responsible for a data breach are doing so to 'get even' with their employer or co-workers. Employee mistakes, like allowing an unauthorized outsider to view a medical record or leaving a file open on their computer, also jeopardize patient privacy.
- The Cloud - One of the future threats to patient records is likely to be found in the cloud. According to the Ponemon study, 62 percent of healthcare organizations are moving their patient health records to the cloud - but only 30 percent are confident they can adequately protect that information from thieves.
The most frustrating aspect of medical record theft is that patients feel powerless to stop it. While it is hard for the average person to protect their electronic records, there are a few helpful steps you can take: first, ask your insurer for a copy of your medical records and patient activities (EOB statements) in the last year; make sure your healthcare provider has implement the FTC's red flags rule; review all medical bills closely; and get a free annual credit report. You can also monitor large healthcare data breaches by visiting the U.S. Department of Health & Human Services' breach notification site.