As Data Breaches Spread, Providers and Payers Must Prepare
The actions taken by an organization in the days, weeks, and months after a security breach can mean the difference between recovery and organizational failure—whether the breach is a result of criminal activity or "good people doing stupid things."
Three words healthcare executives dread hearing—"we've been hacked"—are reverberating in hospitals, health systems and physicians groups with growing frequency.
Larry Ponemon, PhD
Just last week, Boston-based Partners Healthcare notified 3,300 patients that some information, including names, addresses, dates of birth, telephone numbers, Social Security numbers and clinical information, had been leaked to hackers. In February, the country's largest insurance company, Anthem, announced that 80 million member and employee records had been breached.
Most organizations will experience a data breach at some point, says Elizabeth Hodge, of counsel at Akerman LLP, who represents a variety of healthcare organizations in compliance-related matters from the firm's West Palm Beach office.
"If you are a healthcare entity, you should anticipate that you will have a breach of unsecured health information at some point," she says.
The Ponemon Institute, a data security research and consulting firm, found in its annual benchmark study that healthcare providers experience frequent data breaches involving the loss or theft of patient health information.
About 90% of healthcare organizations were found to have had a data breach within the last 24 months. "These are not like Anthem," says Larry Ponemon, PhD, the firm's founder and chairman. "We're talking 10, 20, maybe 100 individual records [involved]." While the number of patients whose personal data has been leaked in such incidents is far lower than in a massive breach like Anthem's, the implications for those people are no less troubling.
Social Security numbers, credit card information, and other private data are valuable. But the "crown jewel" for a data thief, Ponemon says, is a full medical record, which can fetch a criminal as much as $250.
Frequently, the information is used to impersonate the victim or set up a fake identity. A full chart with headers contains personal data, payment information, and often Social Security numbers, which can be used to obtain medical treatment.
"This kind of crime is on the rise. These criminals use medical credentials to get healthcare and pharmaceutical products. We've seen them get cosmetic surgery, scooters, all kinds of treatments," he says.
Organizations are often taken by surprise. "A lot of providers are unable to know with precision whether they've had a data breach, or if data has been lost or stolen," Ponemon says. While some breaches are due to malicious intent, data is often lost through a glitch or error, and such losses are unlikely to be reported.
And even when IT or security is aware of a breach, the news doesn't always make its way up the ranks to the organization's leadership.