“Data Breach”: The two words that can sink any healthcare organization.

You may have noticed more stories about healthcare data breaches in the news. There are actually a lot of healthcare data breaches occurring (some estimates say at least one each day). It is important to keep in mind the different types of breaches: some are carried out by hackers and some happen by accident or through basic mistakes. Some breaches never cause any harm to the members whose data was exposed.

This article provides a high-level overview of the volume of healthcare breaches in general and also looks at recent Medicaid data breaches.

The most high-profile healthcare data breach so far has been the Anthem 2015 breach. Hackers successfully used a phishing email attack to get the names of members prescribed HIV drugs. That breach led to Anthem paying out $16M to settle the violations.

If you are interested in the ongoing list of US DHHS breach investigations, it is available at:

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

The pervasive data security problem in large healthcare systems

According to Annie Qureshi with healthworkscollective.com, “One in four Americans has been a victim of a healthcare breach at some point.” In a 2017 report, there was on average at least 1 breach per day throughout the entire year, affecting a total of 5.579 million patient records.[1]

A key finding from the report showed that “more patient records were breached by insiders with malicious intent than by insider-error”. Healthcare organizations are also reporting more incidents of ransomware and malware.

In November 2018, CMS confirmed that it was the victim of a data breach on the Marketplace system used for agents and brokers. The government agency said “the breach allowed ‘inappropriate access to the personal information of approximately 75,000 people who are listed on Marketplace applications.’”[3] According to CMS, the breach occurred in a system used by one of the brokers who sell on the exchange, and no federal systems were impacted.

A quick review of recent Medicaid data breaches

The HHS Office of Inspector General regularly reviews state Medicaid programs for vulnerabilities related to Medicaid data security. In the most recent series of audits (2018), OIG found that Maryland, Virginia, New Mexico, Alabama and North Carolina all had weaknesses in their systems and control processes that could lead to data breaches.

OIG also reviews trends in Medicaid data breaches. In an October 2018 report, OIG released data on breaches that occurred in 2016. There were 1,260 Medicaid data breaches. Most of them involved the data of only a few people (66% of breaches involved just one person’s data), and only 1% of all breaches involved 500 or more members’ data.

Most of the breaches were from mistakes in handling the data (as opposed to hacking). Typical mistakes include things like sending a letter with protected health information (PHI) to the wrong address.


Image source: HHS Office of Inspector General

There have been several large data breaches in Medicaid programs in the past several years. The table below provides a snapshot of some of the larger ones.

It could be even worse than we realize today

The issue may be far greater than realized because many organizations outside of healthcare are not aware their systems contain healthcare data. Many companies have wellness programs which contain protected health information. Companies also have workers’ compensation claims and employee records, both of which contain healthcare information.

A new area of risk in healthcare security breaches lies within actual medical devices. In addition to exposing medical data, “unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” says Russell Branzell, President and CEO of the College of Healthcare Information Management Executives (CHIME). “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected.”[1]

What this means for your members and patients

If a thief’s health information gets mixed into your members’ records, their treatment, insurance records, payment information and credit report could be affected. When hackers steal member health data, they can use that information to apply for loans, apply for government benefits or obtain credit cards in the member’s name.

Suzanne Widup, lead author of the Data Breach Investigations Report (DBIR) from Verizon Enterprise Solutions, states: “Many organizations are not doing enough to protect this highly sensitive and confidential data which can lead to significant consequences impacting an individual and their family and increasing healthcare costs for government, organizations and individuals.” She also highlighted: “Healthcare organizations need to realize that patients trust them with their data and if that trust is broken, the implications can be huge.” The report pointed out that someone might not be willing to fully disclose information, which could delay the diagnosis of a communicable disease, which in turn delays treatment, and ultimately more individuals could be affected.

Healthcare data is private and highly sensitive. According to Healthworkscollective.com, “when an individual’s health history or current treatments are exposed through a healthcare data breach, it’s one of the most violating types of data breaches one can encounter.” It is now the most sought-after and most targeted data for hackers because of the comprehensive amount of information collected and maintained within a patient’s record.

Reach out today for help with your data security plan

Here at Paragon, we take data management and security seriously. Our solutions and approach are continuously enhanced to adapt to the evolving nature of healthcare data breach risks. Reach out today to find out more about our data security and data governance solutions.
