Report: No End in Sight for Medical Data Breaches
April 14—High-profile health care data breaches, like the recent attack on medical insurance giant Anthem that compromised the personal information of as many as 80 million Americans, are on the rise and expected to increase with the use of new technologies employed by criminals, a study by Kaiser Permanente researchers has found.
From 2010 to 2013, the number of reported breaches—from the theft of a laptop with confidential patient information to employees walking off with patient files—involving more than 500 patients increased 23 percent, while those involving hacking or a technological glitch that exposed or could have exposed sensitive information doubled in that period, according to the study published Wednesday in the Journal of the American Medical Association.
What's more, the study estimates that more than 29 million health records were affected by breaches during that three-year period, but that number has already been dwarfed in the first three months of this year, researchers found.
Federal health privacy laws were created before electronic medical records came into wide use and fail to adequately protect the public's medical information. The researchers and an accompanying editorial called on health organizations and policymakers to improve personnel training and security measures.
Better health data security can't come too soon. In addition to February's Anthem breach, Premera Blue Cross, which operates in Alaska and Washington state, disclosed last month that hackers may have accessed the personal, financial and medical information for as many as 11 million customers.
"The reports of recent events ... drive home the need for health care data security to be a top priority," said Dr. Vincent Liu of Kaiser's Division of Research in Oakland, who, along with colleagues, analyzed the figures from an online database maintained by the U.S. Department of Health and Human Services.
These health data attacks give hackers all the information they need to assume a patient's identity, launch targeted "phishing" attacks, clean out bank accounts and commit crimes under the victim's name, said Pam Dixon, executive director of the World Privacy Forum, an arm of a nonprofit public interest research group in San Diego County.
"What we have found with working with victims of medical identity theft is that most don't find out for about two years," Dixon said. "The sophisticated criminals who are committing these crimes are waiting to act on the data so there is less risk of being caught."
The security systems of many Bay Area health organizations, including Kaiser, UCSF, Stanford and John Muir Health, have been breached one way or another in recent years. Laptops have been stolen, flash drives have been lost, computer systems have been hacked into and employees have carelessly or intentionally violated security procedures.
In March, a judge tentatively approved a $4.1 million settlement of a class-action lawsuit involving as many as 20,000 Stanford emergency room patients whose medical information was exposed online for more than a year. The suit named Stanford Hospital & Clinics, along with two of its vendors.
Last month, San Francisco public health officials disclosed that a former UCSF doctor who worked at San Francisco General Hospital from 2005 to 2013 wrongfully removed copies of patient records from the medical center. The number of records involved has not been determined.
The Kaiser report didn't identify the institutions affected by the breaches by name, but it broke down the incidents by type. Hacking into secured electronic systems involved less than 10 percent of all reported cases, with most being the result of old-fashioned stealing.
"While incidents of hacking have garnered the lion's share of attention recently, the number of breaches resulting from simple theft of paper records or electronic data in portable electronic devices out of unsecured locations was much higher," Liu said. "Preventing these more commonplace breaches through improved data security practices is part of the solution."
The authors said in the paper they expect the frequency and scope of electronic breaches to rise given the rapid expansion of electronic health records as well as the increased use of cloud-based services for analytics, personal health records, gene sequencing and other health-related technology.
Despite the risks, these newer technologies have great practical and health advantages, so the emphasis needs to be put on reducing ways that patient data can be compromised.
"Leveraging information through technology, including electronic health records, means that doctors in hospitals have access to full health records where and when they need them and to have all of the information about all of the patients all of the time," Liu said.
Copyright 2015 - San Francisco Chronicle