Thanks to a weak password, a hacker from Eastern Europe penetrates the computer server of the University of Utah’s Department of Technology Services where he steals 280,000 patients’ and insureds’ Social Security numbers. In Illinois, data thieves gain access to The Surgeons of Lake County’s computer network and the Social Security numbers, credit card numbers and the medical information of their patients.
The hackers encrypt the data, making it inaccessible to the physicians, and post an electronic ransom note demanding payment for the password. The physicians refuse to pay, shut down their server and inform the FBI.
Healthcare Data Breaches Reach Epidemic Levels
If you think healthcare data breaches like these are rare events, think again. In a 2011 report, Symantec found that healthcare experienced more data breaches than any sector – an astounding 43 percent of the total.
The major causes were loss or theft of data, external attacks, negligent or malicious insiders and outdated technology. During the past three years, 21 million healthcare records have been compromised, according to the Department of Health and Human Services.
Unencrypted Electronic Medical Records Are Easy to Steal
Why the huge uptick in data breaches? Experts point to the advent of electronic health records, mobile devices and the consumerization of IT as the chief culprits.
Lured by the promise of big cost savings, better healthcare and billions of dollars in federal incentives, physicians and hospitals are racing to convert their medical records to digital files. And physicians and other healthcare employees are increasingly using unencrypted mobile devices to store and transmit patients’ sensitive information.
The bad news is that many healthcare providers have failed to implement mobile data breach protection policies. The 2011 Ponemon Institute Survey on Patient Privacy and Data Security found that, although mobile devices are used in 80% of healthcare organizations, 49% of the companies surveyed do nothing to secure them.
That violates the Health Insurance Portability and Accountability Act (HIPAA), which requires healthcare companies to perform a risk analysis of the privacy protection procedures they use to safeguard patients’ electronic personal health information. Given that cavalier attitude toward patient privacy protection, it’s not surprising that healthcare data breaches from unencrypted devices rose 97% between 2010 and 2011, according to an analysis of HHS data by the security audit company Redspin.
Paying the Price for Exposing Patients’ Sensitive Information
Healthcare data breaches come with a whopping price tag. A 2011 Ponemon Institute study sponsored by ID Experts found that they cost the healthcare industry an average of $6.5 billion annually in fines and notification and litigation costs. Case in point:
This fall, the Massachusetts Eye and Ear Infirmary agreed to a $1.5 million settlement with HHS due to the theft of an unencrypted personal laptop containing electronic protected health information of its patients and research subjects. In a press release, HHS had this to say about the breach: “In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices.”
It’s worth noting that if the stolen laptop had been encrypted, the hospital would not have been required to report the incident. That’s because the HITECH Act doesn’t classify the loss of encrypted data as a data breach.
Patients Are Fighting Back Against the Loss of Their Privacy
Meanwhile, patients across the country are going after healthcare organizations that have failed to protect the confidentiality of their data.
In California, two patients filed a class action lawsuit against St. Joseph’s Health System for exposing the unencrypted personal and medical information of about 31,800 patients online due to incorrect network security settings. Although patients’ Social Security numbers, addresses and financial data were not disclosed, the California Confidentiality of Medical Information Act (CMIA) establishes nominal damages of $1,000 per victim for the wrongful exposure of private data. If the plaintiffs in this case prevail, St. Joseph’s could end up paying damages of $31.8 million.
Rx for Protecting Healthcare Information
For healthcare organizations and the patients they serve, the stakes couldn’t be higher. Patients need to understand that privacy protection is a basic right that’s being challenged as their medical records are digitized and access to them on mobile devices increases. They need to ask their healthcare providers how they protect confidential patient information.
Healthcare organizations responsible for handling electronic health data should realize that their employees may use mobile devices to access and transmit that data, even when company policy forbids it.
ID Experts offers these 13 Security Tips to Combat Mobile Threats:
Finally, although encryption of healthcare data is critical, it isn’t all that’s needed to protect it from theft. Endpoint encryption protects data stored on the device, but not patient information while it’s being exchanged over a network or when a mobile device is in use at a Wi-Fi hotspot. That’s when you need a personal VPN like PRIVATE WiFi™. Virtual private networks encrypt the information traveling to and from your mobile device, so anyone eavesdropping on the network sees only ciphertext.