In April 2014, the FBI reported that the average value of a stolen medical record was $50. At the time, privacy consultants nationwide derided the FBI valuation as a “kind estimate.” NPR decided to dig a little further; in 2015, they found a “dealer” who was selling medical records for about $470 each.
If you’ve been reading our posts, you’ll realize that:
Let’s talk about why all that matters: The threat to patient privacy, how patients are being affected, and why practitioners should care … even if the government does not.
THE DARK NET DEFINED
Beneath the internet you use every day, there’s a hidden underbelly that is home to rogues, criminals and political activists. This ‘dark net’ is accessed only via specially designed anonymizing software. It’s a secretive place, full of illicit, underground activity. Some of that activity involves buying and selling stolen medical records.
Why, many practitioners ask, would anyone want to buy a patient file? The answer goes far beyond bank, credit card and income tax fraud … although those are certainly motives. More and more often, the charts with greatest value belong to kids (because the identities can be exploited far longer, and because there’s usually no credit report whistleblowing to worry about) and pain management patients. That’s right: Charts are being stolen for prescription data that can be harvested and sold to drug dealers. The scripts are then filled and the drugs sold on the street.
What this means is that every pediatric medical and dental practice and every pain management operation ought to be on high alert. The sad fact is that most aren’t.
VALUE OF MEDICAL RECORDS
An easy prediction: The $470 that can be charged for a single medical record will increase (and probably has already, since NPR’s cursory ‘dumpster diving’ was just that) and for criminals, the temptation to commit data breaches will skyrocket as well.
For most practitioners, however, a genuine problem arises only after patients find out their medical records have been hijacked. You’ve likely met someone who’s had their income tax return claimed by someone else. A friend might have refilled a prescription and found her script had been red-flagged. You may even come across someone whose kid’s medical identity was stolen and used in another part of the country.
If you know these folks, it’s a sure bet a doctor or dentist knows them too. Connecting the dots is a matter of a few minutes’ work. In a time when social media makes widespread communication of outrage an easy thing, how long will the average practitioner remain immune? The answer depends on the precautions the practitioner takes … and even then, the precautions may not be enough to stop determined, motivated cybercriminals.
Let’s set this in concrete: The Office for Civil Rights reports that there were well over 300 unreported healthcare data breaches during 2015. Over 100 of these undisclosed breaches actually came to light because of PHI in direct control of criminals. In other words, the breaches went unreported by the healthcare practitioner at fault, but criminals accessing and using the patient data made it plain to anyone who bothered to look that the data had been hijacked.
These ‘obvious’ breaches will mushroom into well over a thousand this year, several thousand next year, and tens of thousands the year after that. This is Moore’s Law (pun intended) for Data Breaches: When criminals find and exploit vulnerabilities in patient information security, their successes are repeated exponentially over time.
Even in small communities and remote parts of the country, patient data breaches will become public knowledge in the months ahead.
For smaller offices and solo practitioners, the key to preventing this nightmare scenario lies in server and workstation security. Medium-sized healthcare operations should look to Business Associates and other ‘legitimate’ ways in which patient data can be accessed by the wrong people. Hospitals and larger organizations should focus on awareness; in many cases, HIPAA training has gone by the wayside after 20 years and employees are blithely unaware of the risks to patient privacy.
While HIPAA violations are not individually actionable – that is, a single patient cannot sue a healthcare provider for violating the patient’s right to privacy – class action lawsuits for negligent handling of healthcare records are becoming more and more common. Attorneys are realizing the prospective ‘gold mine’ of privacy violations (even if the government has not) and are using social media to band together groups of affected patients and seek redress from healthcare providers.
The social media and class action scenarios are the result of the burgeoning threat to patient privacy. The trick, after 20 years, is getting practitioners to pay some attention.
“Blithe disregard” is probably a better term. A friend wanted to keep a recent surgery private. Her spouse went to work the day after the operation and was confronted by a coworker asking about his wife’s surgery. The coworker’s wife worked in the hospital lab, analyzed the specimen taken during the operation, and reported the results to her husband. The coworker’s wife could not understand why my friend and her husband complained to the hospital … and, perhaps unsurprisingly, neither could the hospital CEO. This incident took place at Memorial Hospital in Belleville, Illinois.
HIPAA@20: A FIVE-PART SERIES
In this five-part series, we’re taking a close look at HIPAA@20 … examining what’s changed, what remains the same, and why small practices remain at risk. We’ll also make some educated guesses about what the future holds for patient privacy regulation, data safeguards, and the threats practitioners and patients will face.
For the entire five-part series, HIPAA @ 20, register here.