Your Medical Records are Vulnerable. Now What?
Cyber theft and system breaches are on the rise. Here's how to protect yourself.
The stack of mail was like the mail on any other day: a few bills, a few pieces of junk mail, a couple of letters. I didn’t think anything of it as I opened the envelope addressed to me from my medical provider.
The letter inside, however, startled me. It was addressed to another patient with his lab test results, a violation of HIPAA, the 1996 federal Health Insurance Portability and Accountability Act, which aims to protect patient privacy.
I quickly informed the doctor of the mistake and shred the letter without reading it. But the incident made me wonder if any of my own medical details might be in the hands of someone else.
Consumers, beware. Identification and medical theft are almost as certain as death and taxes these days. Since the advent of digital technology to replace paper records, we now face a greater risk of medical data breaches.
Implemented in 2009, HIPAA requires health care providers and their vendors to implement strong data security measures. It has been a costly and slow process. Yet even with strict measures in place, malicious insiders with access to medical files, billing and insurance records, plus tech-savvy hackers, often outsmart the systems. This puts us all at risk for identity theft.
The U.S. Department of Health and Social Services reports that 11.7 million individuals were affected by compromised medical breaches in 2014. That number spiked to 112 million in 2015. These numbers do not even reflect breaches affecting less than 500 people per incident.
The numbers are staggering. Massive compromises at Anthem and Premera alone put a combined 90 million records in harm's way. HSS reports that breaches include improper disposal of patient records, theft of laptops, lost patient papers and films, unauthorized access to emails and records, lost or stolen laptops with unencrypted patient health information, and hacking of network servers.
During the past decade the shift has been from accidental to intentional. Criminal attacks in health care are up 125 percent since 2010 and are now the leading cause of data breach, according to a recent study by Ponemon Institute, a private security "think tank" in Traverse City, Michigan. The firm is dedicated to advancing privacy and data protection practices.
Personal health information is vulnerable and valuable. In addition to private medical information, addresses and Social Security numbers are coveted information for hackers who want to steal someone’s identity. And recovering that identity can be costly and dangerous. The Medical Identity Theft Alliance says that more than 60 percent of medical fraud victims had to pay an average of $13,500 and spend, on average, 200 hours to resolve the crime.
Ponemon researchers report up 2.32 million individuals were victims of medical identity theft in 2014. Surprisingly, consumers contributed to those statistics by sharing personal information or medical credentials with family members or people they know, often because those people didn’t have insurance. In other cases, consumers provided personal information to fake emails or spoofed websites, referred to as phishing attacks.
Most often, medical credentials were stolen to obtain treatments or services, prescription pharmaceuticals or medical equipment or to receive government benefits, including Medicare or Medicaid.
Some records were accessed or modified to open fraudulent credit accounts. For some victims of medical ID theft, the consequences have been insurance claims denied, maxed out benefits, loss of health insurance, out-of-pocket payments, diminished credit scores, missed career opportunities and loss of employment.
"The damages can be life-changing when Social Security numbers are compromised," said Adam Levine, a nationally known expert on ID theft and credit, and a co-founder of credit.com. "Social Security numbers are the skeleton key to not only financial life but also health care and many other aspects of daily living."
A patient’s medical history is important for correct treatment, accurate medical dosage and recovery. With compromised records, accurate medical information, family medical history, patient treatment or neglect of treatment could be deadly.
Are the number of breaches accurate? "The numbers are colossal because hackers are everywhere and social media companies look at everything we do," said Mark Weinstein, chief executive officer of Internet security firm Sgrouples and founder and CEO of MeWe, a private next-generation social network.
"It’s a war on privacy. Social media sites like Facebook, Google, Amazon, and data brokers are spying and tracking us everywhere. Personal information is a treasure trove," said Weinstein.
"Technology doesn’t have any moral compass, so technology runs on its own trajectory. Hackers wear business suits, the Chinese and Russians are hacking, bad guys are hacking." Even the U.S. government gets hacked. Hackers often sell information to data brokers and to the highest bidder.
The next time you google that health symptom, know that your search is being tracked. Web browsers and data collectors are outside the HIPPA law. So is your Fitbit and similar devices that track your health information, said Weinstein.
"Add it all up and you get a huge amount of useful medical information," he warned. "It’s available to everyone and anyone through a public online search. Monitoring your health and collecting data is like publishing your own medical autobiography online."
The realization that your privacy may be raided and your identity stolen is enough to make you sick and cautious. But instead of being terrified or anxious, get a grip on your actions and be alert. Take control.
Levine of credit.com recommends the three Ms: minimize, monitor, manage.
1: Stop using publicly available WIFI sites. Use your Internet provider or cellphone.
2: Use cash when you can.
3: Sign up for transaction monitoring alerts from banks, credit unions, credit cards.
4: Stop using familiar passwords.
5: Monitor bank transactions and report suspicious activity .
6: Monitor your credit report regularly.
7: Check medical and insurance statements to match treatment with care received.
8: Stop registering credit cards on different Internet sites.
9: Use a single site entry like Pay Pal.
10: Do your taxes early to avoid falling victim to tax-related fraud.
11: Use social media that doesn’t track. Your data won't be fed into a mass data bank.