The Lowdown on Healthcare Data Breaches

Posted by Mark Greisiger

A Q&A with Michael Bruemmer of Experian

Healthcare is one of the single biggest areas for data breach and identity fraud, yet many people still don’t understand the gravity of the risks facing companies and consumers. To get a better handle on the specific risks and how organizations can better protect themselves, I spoke with Michael Bruemmer, VP of Data Breach Resolution at Experian.

What are some of the challenges in healthcare in regard to data breaches right now?
I think there are three big ones: First is HIPAA and HITECH, which have really put pressure on industry. For the most part, healthcare entities, particularly individual doctors and smaller hospitals, would carry on with paper records if they were not pushed to digitize. So it has created a lot of pressure to not only get those records in order, but to make them accessible. All of this has made for challenges with regards to protecting medical records from data breaches. Number two is that the use of those records is not a single handoff—there are multiple exchanges between the patient, the provider, the processor of the payments and the insurance companies involved, so it’s a complex system. Consulting an attorney who can help you better understand these laws is a good idea. Under the law, whether you’re a covered entity or business associate you have to take the same level of care in handling those records, including business records and actual medical records like x-rays and blood work. The third thing is employee training. Employee negligence is still a leading cause of data breaches in the United States. Given the fact that some large hospitals employ upwards of 15,000 to 20,000 people, this means dealing with large networks for training, not to mention policy and enforcement of the training.

What makes a healthcare data breach different from a data breach in another industry?
I touched on HITECH and HIPAA in the first question, but the laws we are operating under now were created in August 2009. We’re still waiting for the final rule to be published, so that puts us in a unique position. There are requirements to protect information from a security and compliance perspective, and companies also have to have a data breach response plan in place, and not only for what is called the covered entity but also for any subcontractors or vendors they use. There are 46 different state laws for notification in the case of a healthcare data breach, with varying requirements. California is the most stringent, for instance, and they require that you notify consumers within five business days. In most of the other states it’s 60 days. If you’re a healthcare entity you have to have a compliance officer or privacy officer who knows these laws and knows how to protect all of the health records and information.

What are some of the recommendations you would make to healthcare entities in preparation for a data breach?
First of all, gain an understanding of the law by speaking with an attorney who specializes in healthcare law. These days, you’ve got to have a deep understanding of HIPAA and HITECH. Second is to invest in the security compliance, starting with the planning and training of your organization and the people related to the laws and those requirements. Included in that investment—I really focus on this one—is that you actually have to practice your data breach response plan like it’s a fire drill so that people know what to do and everything is coordinated the way it should be. The third thing is making sure you have independent professionals on the team such as outside legal counseling, a forensic specialist to track the source of the breach, and a notification call center.

How real is medical identity theft?
A 2011 study from the Ponemon Institute quotes the annual economic impact of medical identity theft at $30.9 billion. A year earlier, Ponemon found that 1.42 million people were impacted by medical identity theft. Medical or healthcare ID theft represents 40 percent of all data breaches that have been published. On the black market sites where you can buy and sell identities, a Social Security number costs one or two dollars, whereas someone’s full identity, including medical insurance and other medical information, is worth about 50 dollars. The value is in being able to use the services. And the people who are trading this information are getting more money for medical information.

What types of things can happen to victims of medical identity theft?
If someone steals your medical identity, the financial impact takes a while to clean up, but that’s not the worst of it. It can literally be a life and death risk. Let’s say you’re a hemophiliac and someone steals your medical information and gets services provided to them, including an operation where they are given blood thinners. That gets put into the records. So then you come in needing a surgery and they give you a blood thinner and you end up having huge complications. You could also have denial of service if someone stole your medical ID—if you go to the emergency room and they see flags on your account from other providers, they can’t deny you that immediate coverage, but they could deny you some services because you have unpaid bills that someone rang up on your behalf. That’s not even counting the costs: If you accept the numbers from the Ponemon Institute study, billions of dollars of medical identity theft trickle down to consumers who have to cover the costs of insurance. Medical identity theft is a very real and significant problem.

In conclusion…
NetDiligence recently conducted its second annual Cyber Liability & Data Breach Insurance Claims study, which again reinforced that the healthcare sector is incurring a large number of data breach incidents and the cyber liability insurance claims that follow from them. Mr. Bruemmer did a nice job of summarizing some of the many risk exposures we see facing our customers in this sector, such as strict and changing state and federal privacy laws; emerging e-health record sharing platforms that increase opportunities for events; and causes of loss such as vendor and business associate mishaps, as well as negligent employees.