How to recover from a health care data breach
In July, Iowa-based hospital and clinic system UnityPoint Health alerted 1.4 million patients that their personal information may have been compromised, after hackers used phishing tactics to break into its email system. The attack may have exposed patients’ personal data, including diagnoses, types of care, and financial information.
Earlier this year, criminals broke into offices belonging to the California Department of Developmental Services and ransacked files, stole property, and ignited a fire. While the agency said it had no evidence that personal or health information was compromised, it noted that the trespassers had access to more than 582,000 health information records in the building.
Health care data breaches are ubiquitous today—and trending up. According to a HIPAA Journal report, more than 2,100 data breaches occurred between 2009 and 2017, resulting in the theft or exposure of more than 175 million records. That’s the equivalent of affecting more than 50 percent of the U.S. population.
This year, between April and June, more than 140 health care data breaches were reported, impacting 3.14 million patient records—three times the number reported in the first part of the year, according to a report from Protenus Breach Barometer. And medical records command a high value on the Dark Web, where they are listed for up to $1,000 each, 10 times more than the average credit card breach data record.
That’s because health records contain more personal information than any other type of electronic database.
“Unfortunately, American health insurance companies have information that most other countries don’t have to deal with, such as payment information and Social Security numbers,” says Chet Wisniewski, principal research scientist at Sophos. “I haven’t seen evidence that health care providers are being targeted by hackers to steal this information, but if there is a common mistake or vulnerability in their security, it certainly could make them a profitable target.”
The prospect of big Dark Web profits is making personal health care data an increasingly popular target for cybercriminals, says Matt Fisher, a health care lawyer at Mirick O’Connell and chairman of the Health Law Group.
With stolen credit card information, a criminal might rack up a few purchases quickly before the card is reported stolen. With stolen medical information, he could create a false patient identity, and bill health insurance organizations such as Blue Cross or federal programs such as Medicare for services that might look legitimate. Such insurance fraud could go undetected for a significant period of time.
“When it comes to fraud detection in health care, it’s what we call a pay-and-chase model,” Fisher says. “The money is paid out, someone identifies a breach, and [the insurer tries] to somehow get the money back. By that time the issue is detected, the cybercriminal is long gone. It’s a retrospective type of review.”
Consumers, frustratingly, don’t have many options to protect their personal health care data, Fisher says.
“Protections happen at the organizational level,” he says. The Health Insurance Portability and Accountability Act “establishes standards, in terms of what should and shouldn’t be done, but HIPAA is only a foundation… If all that health care organizations are doing is complying with HIPAA, frankly, their security standards won’t be sufficient.”
HIPAA, for example, identifies encryption as an “addressable” element, which means that organizations could determine that encryption is not needed, even though most security standards committees today expect encryption, Fisher says. The law also includes requirements around how to restrict access to a system and control what users can do, but it does not include specifics about the programs to implement or best practices for detecting inappropriate activity, he says.
While you can’t personally prevent a health data breach from occurring, you can take steps to minimize how much a breach can affect you, Fisher says.
- Monitor your credit
If you receive a data breach notice from a health care organization, take advantage of the credit-monitoring assistance they might provide, Fisher recommends.
“Even though we’re talking about health care information, there’s a lot of personal and demographic information that could have been compromised, which would allow someone to open credit cards or perform other financial activity in your name,” he says.
Credit-monitoring services will track changes made to your credit report, such as identifying when a new credit card or loan is opened under your identity, flagging unusual account activity, and noting address changes, which criminals may do to assume greater control over your finances. And credit freezes will be free to U.S. consumers after September 21.
You should also check your credit reports from each of the three major credit bureaus—Equifax, Experian, and TransUnion—and place fraud alerts or credit freezes on your accounts, Experian advises.
- Alert your health insurance company
If you are aware of a health care data breach that may have affected you, alert your health insurance company so it can be on the lookout for unusual activity, Fisher advises.
“Theoretically, if something out of the ordinary occurred, in terms of health care services that were attempted to be [fraudulently billed], alerting your health insurance company could be a means to get that activity flagged,” he says.
You should also closely review your health insurance statements for services that weren’t rendered. “You can’t always rely on others to find the issues and correct them on your behalf,” Fisher says. “You need to be proactive.”
- Request a copy of your medical records
Periodically, request access to and review your own medical records, Fisher advises. Look for discrepancies, such as a doctor’s office visit that never happened, or procedures and prescriptions that weren’t authorized for you and your family, Experian adds. Those are red flags that someone may be fraudulently using your health data—including your insurance policy numbers—to receive insurance payments.
“Contact each doctor, clinic, hospital, pharmacy, laboratory, health plan, and location where a thief may have used your information,” a Federal Trade Commission article advises. “If a thief got a prescription in your name, ask for records from the health care provider who wrote the prescription and the pharmacy that filled it.”
Reviewing your medical records is a best practice, whether or not your data has been breached, Fisher says. “It’s human nature that errors pop up, and if you can catch them, it’s all the better—particularly if your data has been compromised.”
- Monitor your accounts for the long haul
While you may know whether your health care information was part of a breach, it could be years before you know how it impacts you, Fisher says.
“If someone has stolen your information, you’re probably not going to find out about an issue until something happens, or it trickles back, potentially years later,” he says. It’s important to regularly monitor your accounts and information for suspicious activity, he adds—not just immediately following a breach, but also for the foreseeable future.
“It’s really just a matter of when—not if—a breach is going to happen,” Fisher says. “Be ready to respond when an issue arises so you can cut off any harm as quickly as possible.”