A new study by the Ponemon Institute found that a whopping 94 percent of polled healthcare organizations have suffered 'data breaches' that exposed patient records. That's a 65 percent increase since 2010-2011. Even worse, 45 percent of organizations reported they had more than five significant data breaches in the past two years. Less than half of these hospitals and clinics are confident they can prevent future data breaches or even know they took place.
Backing up this study is a 2012 report from the U.S. Department of Health's Office of Civil Rights, which found that in just three years, nearly 21 million patients became the victims of medical record data breaches.
If that doesn't scare you, it should. Electronic medical records contain such sensitive, personal information as medical diagnoses, treatments, insurance, payment information, Social Security Number and more. Losing a patient's medical record puts that person at risk of identity theft, medical identity theft and other crimes. And yet, in many cases, these records are probably less secure than a personal email account.
Why are so many patient records getting stolen? Here are eight reasons why your personal health records are at risk:
- Hackers - Cyber attacks are on the rise everywhere, but especially when it comes to electronic medical records. Attacks on the computer servers of hospitals, universities, private clinics and health departments are increasing - they now make up 33 percent of all medical record theft, up from 20 percent just two years ago. Unfortunately, healthcare organizations often don't have the best security when it comes to their computer networks - which makes it relatively easy for hackers. Here are just a few of the medical record hack attacks from last year: 780,000 patient records stolen from Utah Department of Health; 315,000 records from Emory Healthcare; 228,000 records from South Carolina Department of Heath; 116,000 records from Alere Home Monitoring, Inc.; 102,000 records from Memorial Healthcare System Florida; 66,000 records from Howard University Hospital - and the list goes on and on.
- Lost or Stolen - Most of the time, however, it doesn't take a high-tech criminal to get patients' medical records - in 46 percent of data breach cases, an employee laptop is simply lost or stolen. It's embarrassing to think that this happens at all, let alone comprises a high percentage of data breach cases. The problem is two-fold: medical records should not be locally stored on a laptop, smartphone, tablet or thumbdrive in the first place; and, secondly, when they are, they should be encrypted to prevent an unauthorized person from accessing them. Healthcare organizations often fail on both accounts.
- Failure to Delete - Believe it or not, old equipment once used by hospitals, doctors' offices and other healthcare facilities is often discarded without fully deleting the sensitive medical records they contain. When devices like PCs, laptops, thumbdrives, copiers, even ultrasound machines, are thrown out or donated, they pose a huge risk for identity theft. The only way to protect patient information is to physically remove and destroy the memory device (e.g., hard drive) - but that advice is not always followed.
- Third-Party Snafus - Many health care organizations outsource medical record storage and management to third-party vendors. The problem is, these vendors may not always be qualified to secure this type of information. In one recent example, Kaiser Permanente is now being investigated for allegedly letting a 'mom and pop' document storage company to keep 300,000 personal medical records in a shared warehouse and on their home PCs!
- Open WiFi - Health care providers often use WiFi networks to enable their medical staff to work efficiently and accurately as they go from patient to patient. But these WiFi networks are not always as secure as they should be - making it possible for intruders within a certain radius of the facility to break into sensitive files.
- Social Engineering - The oldest trick in the criminal handbook is the con, often referred to these days as 'social engineering.' As with any organization, criminals can trick healthcare employees into giving them access to sensitive information - often by pretending to be from the IT department, an authorized third-party vendor, supervisor or fellow employee.
- Insider Access - Rogue employees are another legitimate threat to a person's medical records. In most cases, healthcare employees that are responsible for a data breach are doing so to 'get even' with their employer or co-workers. Employee mistakes, like allowing an unauthorized outsider to view a medical record or leaving a file open on their computer, also jeopardize patient privacy.
- The Cloud - One of the future threats to patient records is likely to be found in the cloud. According to the Ponemon study, 62 percent of healthcare organizations are moving their patient health records to the cloud - but only 30 percent are confident they can adequately protect that information from thieves.
The DEA wants to access your medical records without consent or a warrant:
The Drug Enforcement Administration is trying to access private prescription records of patients in Oregon without a warrant, despite a state law forbidding it from doing so. The ACLU and its Oregon affiliate are challenging this practice in a new case that raises the question of whether the Fourth Amendment allows federal law enforcement agents to obtain confidential prescription records without a judge’s prior approval. It should not.
In 2009, the Oregon legislature created the Oregon Prescription Drug Monitoring Program (PDMP), which tracks prescriptions for certain drugs dispensed by Oregon pharmacies, including all of the medications listed above. The program was intended to help physicians prevent drug overdoses by their patients and more easily recognize signs of drug abuse. Because the medical information revealed by these prescription records is highly sensitive, the legislature created robust privacy and security protections for the PDMP, including a requirement that law enforcement must obtain a warrant before requesting records for use in an investigation. But despite those protections, the DEA has been requesting prescription records from the PDMP using administrative subpoenas which, unlike warrants, do not involve demonstrating probable cause to a neutral judge.
The State of Oregon sued the DEA in federal court to defend its right to require law enforcement, including federal agencies, to obtain the warrants required by state law. Today, the ACLU filed a motion to intervene in the case on behalf of several patients and a doctor whose prescription records are contained in the PDMP. Our clients are concerned that the privacy of their medical information will be violated if the DEA is allowed to search through prescription records without a warrant. If the DEA can demonstrate to a judge that it has probable cause to believe that a crime has been committed and that prescription records will provide evidence of that crime, then it can legitimately obtain records from the PDMP. Because prescription records and the medical information they reveal are such a sensitive matter, protecting their privacy is vital, and we argue that obtaining private and confidential prescription records without a warrant constitutes an unreasonable search in violation of the Fourth Amendment.Florida isn't waiting around for the DEA. A Central Florida taskforce has already taken patient records without a warrant, and cops in Southwest Florida are trying to trick patients into signing away their privacy.