When you go to the doctor’s office or pick up a prescription at the pharmacy, you expect that your personal health information is kept private between yourself, your provider, and your insurance company. But while most consumers are aware of the security risks to their identity and financial information, few realize that their medical data is a hot commodity on the black market too. Not only are cybercriminals hacking into electronic health records, but medical providers and insurers share aggregated data with third-party companies on the secondary market where it’s again exposed to security risks.
What can consumers do about it? This guide will help you understand the risks and the actions you can take to protect yourself from medical data theft.
Medical Data Breaches and Ransomware Attacks Multiplying Rapidly
● “More than 32 million patient records were breached between January and June 2019. That's more than double the 15 million medical records breached in all of 2018, says healthcare analytics firm Protenus,” reports Engadget. Read more.
● “Black Book Market Research found 93% of U.S. Healthcare organizations surveyed were breached in the past handful of years. The research firm also found, not so surprising to those who have been paying attention, that more than half of those breached organizations were breached several times over those five years,” according to Security Boulevard. Read more.
Which Companies Have Access to My Personal Health Information
● HIPAA Journal states that “While federal rules are now being largely adhered to by healthcare providers, health plans, healthcare clearinghouses and BAs, medical records are perhaps not quite as private as many Americans believe. Data sharing is strictly controlled, but HIPAA Rules on data sharing also allow health information to be shared with other entities ... For instance, HIPAA Rules allow Protected Health Information to be shared with the government and law enforcement agencies.” Read More.
● The American Patient Rights Association reports that approximately 4 million businesses, many of which operate outside the healthcare industry, can access your health records, including employers, banks, financial institutions, marketers, and data miners, to name a few. Additionally, many health-related websites collect information about your medical history. Read more.
● ARS Technica: “Google quietly partnered last year with Ascension—the country's second-largest health system—and has since gained access to detailed medical records on tens of millions of Americans, according to a November 11 report by The Wall Street Journal … The move is the latest by Google to get a grip on the sprawling health industry. At the start of the month, Google announced a deal to buy Fitbit, prompting concerns over what it will do with all the sensitive health data amassed from the popular wearables.” Read more.
What Can I Do to Protect Myself? What Can I Do if My Medical Records Are Stolen?
● “Ask your doctors, healthcare facilities, and insurer how they share your medical information. Find out what type of information they share and with whom. If you don’t want this information shared, ask how you can opt out,” explains Pinnacle Care. Read more
● In addition to monitoring accounts and insurance benefit statements, AARP advises consumers to protect their insurance numbers the same way they guard their Social Security number, to shred medical paperwork after use, and to avoid sharing medical information on social media. Read more.
The Parallax: “If someone has stolen your information, you’re probably not going to find out about an issue until something happens, or it trickles back, potentially years later ... important to regularly monitor your accounts and information for suspicious activity —not just immediately following a breach, but also for the foreseeable future,” said Mirick O’Connell, attorney and chairman of The Health Law Group. Read more.
What Medical Practices are Doing to Protect Patient Health Information
● As Health IT Outcomes, notes “Obtaining Health Information Trust Assurance (HITRUST) certification has become a priority for healthcare providers and vendors. Since there is no true HIPAA (Health Insurance Portability and Accountability Act) certification, the only way to prove HIPAA compliance is to go through a 3rd party auditing authority with HITRUST.” Read more.
● "Organizations that are HITRUST certified have demonstrated that they have effective security and privacy practices in place that are in line with strict healthcare industry regulations like HIPAA (as well as all the requirements of the HITRUST CSF). Because covered entities may be liable for their business associates’ or subcontractors’ violations, a HITRUST certification serves as an additional layer of regulatory protection for healthcare organizations," reports Datica. Read more.
Unfortunately, it can be challenging for consumers to find medical providers who don’t share their medical data with third parties or expose it to other cybersecurity risks. However, by educating themselves and demanding greater privacy and security from their medical providers and insurance companies, consumers can create awareness and start pushing the needle toward greater data security in healthcare.
Image via Unsplash