What to do if your healthcare records are compromised

Siemond Chan and Lisa Scherzer

A small hospital in Pennsylvania notified 1,800 patients last week that their names, medical record numbers, lab tests and results, and visit dates were compromised because of an employee’s mistake.

According to a report by Healthcare IT News, in April hospital officials discovered that a lab technician who was authorized to work with protected health information accessed patient data through an unsecured USB device on his home network, instead of on the secured hospital system.

The incident is just the latest in a lengthy string of data breaches that has caused health security to be labeled as “the Wild West” by one security expert.

If the massive Target and Neiman Marcus credit card breaches in the past year – and the possible credit and debit card breach at PF Chang’s today – haven’t raised concerns about getting your sensitive financial information stolen or email account hacked, medical identity theft just might.

While retailers have demonstrated a less-than-stellar track record when it comes to protecting consumer data, a report published by BitSight Technologies in May showed that health care and pharmaceutical companies fare even worse.

The firm, which rates companies' security effectiveness, used vast amounts of data on “observed security events, such as communication with a botnet, malware distribution or spam propagation” to analyze the security performance of companies in the S&P 500 stock index. It divided the firms into four industries: retail, finance, utilities and healthcare and pharmaceuticals. Its analysis revealed that, during 2013, 82% of the companies in the index suffered from a security compromise.

On a scale of 250 to 900 – with higher ratings equating to better security performance – the healthcare sector scored a 660, the lowest of the four groups. Finance was the highest at 782. BitSight said the healthcare sector saw the largest percentage increase in number of security incidents over the period studied (April 2013 to March 2014).

BitSight’s findings echo those published by the Ponemon Institute, which conducts research on data security. In March Ponemon found that 90% of healthcare organizations surveyed have had at least one data breach in the past two years. And 38% of those said they had more than five breaches, which is down from 45% last year – one of the few positive findings from the institute’s report. 

Healthcare systems – which hold troves of patient medical data as well as Social Security numbers, dates of birth and other information that could be used in identity fraud – are vulnerable to employee negligence, mobile device insecurity and plain old criminal cyber attackers, Ponemon said.

In another recent breach similar to the one in Pennsylvania, a computer at a research division of California health care provider Kaiser Permanente was found to be infected with malicious software, in an incident involving more than 5,000 patients participating in research studies. There, too, patients’ names, birth dates, medical record numbers, and research-related lab results may have been compromised.

And earlier this year the Queens, N.Y., district attorney charged two hospital employees with illegally accessing medical records and personal identification information of emergency room patients, who were then contacted by attorneys seeking to solicit them as clients.

The repercussions of medical ID theft are the same as those of traditional ID theft, but there is an especially dangerous additional layer. Thieves can impersonate you and get medical treatment or procedures while sticking you with the bill, or worse, corrupt your medical records so that their health history, past prescriptions and blood type are in there instead of yours. This can result in life-threatening situations, where “your medical record can have things in it that don’t pertain to you,” says James Pyles, an attorney who works on health law and policy.

Another complicating twist in medical ID theft: Unlike with financial ID theft, in which consumers can contact the main credit reporting agencies to notify them about fraudulent activity, there is no central mechanism in place to remediate the issue, says Eva Velasquez, CEO of the Identity Theft Resource Center.

