Health care providers are a prime target for cyber breaches because of the financial and personal data they store on patients. There are numerous motives for bad behavior – for example, criminals could use combinations of information such as names, addresses, and Social Security numbers to commit tax fraud, or they could use sensitive medical data to extort money from victims.
Medical data breaches come in a variety of forms. Here are a few samples:
In October, two laptops were stolen from AMHC Healthcare, a hospital group in California. According to the Los Angeles Times, the laptops were in an office that was under video surveillance, and contained health information on 729,000 patients, including diagnosis and procedure codes and insurance identification numbers.
HealthITSecurity reports that a Pennsylvania doctor is suing a medical billing firm that lost his patients’ data. The billing firm is suing one of its vendors, which it claims is ultimately to blame. Though the incident happened in 2010, the data has yet to be recovered. It appears that the patients involved have never been notified, possibly because the various parties who had custody of the data are blaming each other. This raises the question of whether HIPAA and other laws have been violated.
Medical records aren’t just stored digitally. There are plenty of paper records too, and they get into the wrong hands: KTVU reports that two women in California have been charged with stealing mail and other documents from medical facilities. Police discovered the documents after the two women tried to use a fake credit card to pay for a hotel room where the medical papers were being housed. Among the victims are patients at a cancer center.
In Georgia, thousands of pages of medical records recently turned up strewn across a busy road, reports WSB-TV. The papers were en route from a hospital to a shredding facility. The scene looked like “a blizzard of white paper.” A prison detail already in the area cleaning up roadside debris bagged the documents, which were then turned over to police.
Medical breaches happen all the time. The really big events, those that affect 500 or more individuals, must be reported to the US Department of Health and Human Services (HHS). HHS posts a list of all these incidents, known as the “Wall of Shame,” for the public to see.
Medical privacy and security breaches happen frequently, and can be very expensive to recover from. Even if robust security is in place, data can still get lost or stolen. The takeaway here is that every medical provider needs to have cyber insurance.
Fortunately, cyber insurance can be written to cover paper files, as well as digital files, and it is relatively inexpensive. There are many carriers competing for business, and that means insurance buyers are in a good spot to get an affordable policy with broad coverages.