We’ve reported extensively on medical data breaches, but a new ABC News investigation has revealed startling information that our “private” medical records are, data breach or no data breach, just not private.
How can this be?
Turns out there is a growing “black market” where millions of records can be bought online. Because so many people in a healthcare setting have access to online patient records, the entire system is vulnerable to theft.
An IT security specialist with Allegheny Digital named Greg Porter told ABC News that it takes two clicks of a mouse on Google for anyone to find somebody willing to sell a “data dump” of patients. Such a data dump may include personal information such as patient names, birth dates, Social Security numbers, insurance providers, and other confidential details.
Another risky issue is the explosive growth of cloud-based, online medical records. There are at least 255 health information exchanges across the United States so far, including 17 each in New York and Texas, 12 in Florida, and 10 each in California and Michigan, and that number is increasing at a steady clip, according to Identity Theft 911 cofounder Adam Levin.
He says the growth is driven by two factors: first, medical professionals receive federal grants for updating their systems; second, there are some obvious efficiencies in a cloud-based, paper-free environment.
Levin raised the following issues in a recent editorial:
“As our society moves toward digitization and sharing of a wide range of extremely sensitive data, it is essential that we find approaches to information security that rest on a solid foundation — that are capable of enabling technological and social advances while protecting both the privacy of individuals and the security of our institutions.”
It turns out that our sensitive health information is available to anyone who works in that healthcare setting or has access to the online medical records.
Our expectation is that records remain private under the Health Insurance Portability and Accountability Act (HIPAA), but the reality is that any physician’s notes could be accessed by doctors and other healthcare providers who work in the same healthcare system.
Unfortunately, more than 3.5% of the U.S. population has had their personal health information (PHI) compromised, and due to egregious medical data breaches, some patients will put off seeking treatment, as they are concerned about the unintended consequences suffered if their PHI becomes compromised.
And last May, the Department of Health and Human Services announced a $1.5 million settlement with Blue Cross Blue Shield of Tennessee after the company’s inadequate security measures allowed 57 unencrypted hard drives containing private health information to be stolen from a medical facility.
The unencrypted hard drives contained the protected health information of over one million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.
If you believe your information was used or shared in a way that is not allowed under HIPAA rules, you can file a complaint with your provider or health insurer. The notice of privacy practices you receive from them will tell you how to file a complaint. You can also file a complaint with the Department of Health and Human Services’ Office for Civil Rights or your state Attorney General’s office.