BreachExchange mailing list archives

Patients' Medical Records Under Threat From Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 14 Apr 2015 19:07:04 -0600

http://abcnews.go.com/Health/wireStory/patients-medical-records-threat-data-breaches-30308023


Your private medical information is under threat. That's according to a
study that found almost 30 million health records nationwide were involved
in criminal theft, malicious hacking or other data breaches over four
years. The incidents seem to be increasing.

Compromised information included patients' names, home addresses, ages,
illnesses, test results or Social Security numbers. Most involved
electronic data and theft, including stolen laptops and computer thumb
drives.

The study didn't examine motives behind criminal breaches, or how stolen
data might have been used, but cyber-security experts say thieves may try
to use patients' personal information to fraudulently obtain medical
services.

Cases that didn't involve malicious intent included private health
information being inadvertently mailed to the wrong patient.

Hackings doubled during the study, from almost 5 percent of incidents in
2010 to almost 9 percent in 2013. Hackings are particularly dangerous
because they can involve a high number of records, said Dr. Vincent Liu,
the lead author and a scientist at Kaiser Permanente's research division in
Oakland, California.

"Our study demonstrates that data breaches have been and will continue to
be a persistent threat to patients, clinicians, and health care systems,"
Liu said.

The study appears in Tuesday's Journal of the American Medical Association.

A JAMA editorial says there's evidence that the incidents are leading some
patients to avoid giving doctors sensitive information about their health,
including substance abuse, mental health problems, and HIV status.

"Loss of trust in an electronic health information system could seriously
undermine efforts to improve health and health care in the United States,"
the editorial said.

Patients should be alert to cyber threats, including "phishing" emails from
hackers posing as doctors, hospitals or health insurance companies, said
Lisa Gallagher, a cybersecurity expert at the Healthcare Information and
Management Systems Society.

Those messages require clicking on a link to get information, and patients
should instead call the purported sender to verify whether the email
is legitimate, she said.

Patients should also double check doctor bills and other insurance company
information.

"Don't throw away your explanation of benefits. Take a look at them,"
Gallagher said. "If you see care that wasn't provided to you, or dates and
names of providers that don't make sense, go to the provider and report
that."

For the study, Liu and colleagues analyzed an online database regulated by
the U.S. Department of Health and Human Services and containing mandated
reports of breaches in health information protected by federal privacy law.

Over the four years, 949 data breaches were reported across the country.
The numbers climbed annually, from 214 in 2010 to 265 in 2013. Nearly 60
percent involved theft.

Prominent cyberattacks affecting two health insurance giants happened after
the study. Last May, a data breach hit Premera Blue Cross, affecting about
11 million customers and others. And between last December and late
January, hackers accessed an Anthem Inc. database with information on
nearly 80 million people.

Authorities believe hackers in China may be behind both attacks, Gallagher
said.

She said cybersecurity is among key topics at her nonprofit group's annual
meeting this week in Chicago. Members include doctors, hospitals, health
plans and sellers of electronic health record products.