The number of medical records being stolen and hacked continues to rise, along with the illegal activity resulting from use of the data
If the numbers look—well, in a word—awful, it's because they are.
Three years after the federal government began trying to shame the healthcare industry into tightening up what can only charitably be described as sloppy data security practices, breaches of patient medical records are still rampant.
The Office for Civil Rights at HHS began receiving and publicly reporting breach incidents in September 2009. Since then, there have been 499 major breaches of medical records affecting 500 or more individuals.
According to the most recent update of the list—known commonly as the “wall of shame”—those 499 larger breaches have exposed the records of nearly 21.2 million people. Those figures include 80 breaches occurring and reported this year, affecting more than 1.8 million individual records. In addition, about 60,000 lesser breaches involving fewer than 500 individuals have been reported over the past three years, says Susan McAndrew, the Office for Civil Rights' senior policy specialist.
And lest anyone blame the breaches entirely on the advent of health information technology, the data tell a different story.
So far, 117 larger breaches—23% of those on the Office for Civil Rights list—have involved paper records and have affected the records of nearly 709,000 people.
For privacy guru Pam Dixon, the common breaches—“a stray laptop, something that was not encrypted”—while often embarrassing and sometimes quite costly to an organization, are not her biggest worry.
“A lot of those, especially last year, were what I'd call negligent breaches,” says Dixon, founder and executive director of the San Francisco-based World Privacy Forum.
They would include a laptop holding 1,076 patient records that was reported stolen last year from a physician traveling abroad. The report prompted a newly invigorated Office for Civil Rights to investigate the data security practices of the Massachusetts Eye and Ear Infirmary and its affiliated physician group and reach a $1.5 million settlement agreement with them for alleged violations of the security rule of the Health Insurance Portability and Accountability Act of 1996.
Of a much bigger concern to Dixon are breaches caused by hackers and inside jobs where the risk is greatest for identity thieves purloining from medical records such key data elements as names, addresses, dates of birth, Social Security and insurance ID numbers. Hacks represent just 6% of all breaches reported to the Office for Civil Rights by primary breach type and fewer than 8% when secondary causes are considered, but their consequences can be the most ominous.
In March, state health officials in Utah lived a recurring nightmare. Hackers believed to have been operating out of Eastern Europe penetrated a state-run computer system and exposed the records of thousands of Medicaid recipients. Initially, state officials reported that 24,000 records had been compromised, but the numbers of potential victims quickly leaped to 182,000, then 436,000, then 780,000.
“The Utah breach, I think, is one of the worst ones we've had in a long, long time,” Dixon says. “It was a very serious breach. It was high intention, and highly focused. That means the data was desirable and usable. I don't think we've heard the last of the Utah breach.”
According to Dixon, the Utah breach could metastasize in a year or so into multiple cases of medical identity theft, arguably the most noxious form of identity theft. “Medical identity theft is when a criminal uses your information for acquiring medical goods and services,” Dixon says. It has the capacity to make the individual and the healthcare organization victims for years to come, requiring both to clean up not only financial records, but clinical records as well.
Experienced and established networks of identity thieves can be patient, Dixon says. “Sometimes criminals like to age that data and it becomes more usable.” How so?
Typically, she says, “Credit monitoring lasts one year. And after the credit monitoring ends you wait for people to stop remembering they even had a breach.”
That's why “it's really disingenuous of healthcare providers to say, 'Oh, we've had a breach and we haven't had any indication the data has been used,'” Dixon says, citing a common disclaimer. “That may be the case in terms of negligence, but when there are intentional breaches, that's just a Band-Aid over a very serious situation.”
During the past year, a group of Florida nursing home residents have been the high-profile victims of a swarm of criminals who used their identities to file false tax returns in their names. By August, six individuals had either been arrested or were still being sought in central Florida for identity theft, bringing to 25 the number of persons arrested or wanted for that crime—plus tax and/or financial fraud—since an investigation called “Stop the Drop” began there in September 2011, says Donna Wood, public information officer for the Polk County sheriff's office.
Convicted and awaiting sentencing for multiple fraud charges is a licensed practical nurse, Cathy McLain, 41, of Winter Haven, according to news releases by Wood's department. McLain worked at a Florida nursing home where she provided a co-conspirator sufficient personal information to steal the identities of 83 nursing home patients.
“There seems to be no end to these criminals who steal identities and file fraudulent tax returns,” Polk County Sheriff Grady Judd said in a news release following the latest arrests. According to Florida police, all the information identity thieves need to steal in order to enable their criminal activity is a victim's name, Social Security number and date of birth. Some identity thieves don't even bother to do that, preferring to buy the information from other thieves instead. Then they use computerized tax return software to file the fraudulent returns.
The government mails the corresponding tax returns to post office boxes, or, even more obligingly, moves money electronically into pre-paid debit cards that fraudsters have purchased for that purpose, Wood says.
“We're talking about hundreds and hundreds of thousands of dollars,” she says. “Your brain just can't get around how much money is just pouring out of the federal government. Certainly central Florida has been very vocal about it, but we are not out of the norm here. This is a national problem.”
Another notorious example of medical identity theft also came out of Florida in 2006 when a pair of criminals sold medical information gleaned from patients at an office of the Cleveland Clinic, using the information to commit millions of dollars in medical billing fraud. Two years later, 10 people were prosecuted in Miami for filing $8 million in fraudulent Medicare claims using that stolen patient data.
Dixon says she fears, “That's the kind of case that Utah was.”
And just as the consequences of breaches are delayed, so, too, can be the realization that a breach has even taken place, says Jeff Drummond, a partner in Jackson Walker, a Dallas law firm. Twenty-nine of the “wall of shame” breach cases, not quite 6%, have a date range over which the breach occurred.
“It's like a rock that got kicked over,” Drummond says. “It's something that they're always doing, nobody knows why.” And then someone calls the practice into question and says, “'Wait a minute. Why are we doing it that way?' Then you try to reconstruct how far back it goes.”
According to the Office for Civil Rights list, one incident at the Duke University Health System, Durham, N.C., began in April 2004 and didn't end until February 2012. That case involved attaching billing summaries with some patient-identifiable information to filings on behalf of the organization in patient bankruptcy proceedings.
Industrywide, Drummond says, individual attitudes toward privacy and security are not as bad as the number of breaches might indicate.
“I think, as a whole, the healthcare industry is pretty good about protecting privacy,” Drummond says. “It's a cultural thing, a systemic thing, that everyone knows there are things you shouldn't talk about, things to keep private. So, as an industry, it's never been a Wild West.”
But attention to security “comes in waves,” he says. “There are a lot of things going on, and then you get a multimillion-dollar fine and people say, 'Oh, my God,' and they pay attention to it again.”
The Office for Civil Rights, which has jurisdiction over HIPAA privacy and security rule enforcement, initially eschewed fines and tried to jawbone violators into compliance, but it has picked up the tempo since passage of the American Recovery and Reinvestment Act in 2009.
In an effort to invigorate HIPAA enforcement activities, Congress used ARRA to give state attorneys general the power to prosecute HIPAA violators and required HHS to conduct compliance audits among HIPAA “covered entities.”
Last year, in a pair of strongly worded reports, HHS' inspector general's office criticized the Office for Civil Rights for not aggressively enforcing the security rule and the Office of the National Coordinator for Health Information Technology at HHS for failing to promote data security. To test the waters, the inspector general's office conducted its own security audits of seven hospitals, finding 124 “high impact” security vulnerabilities.
Since then, beginning last November, the Office for Civil Rights has embarked on a pilot program of audits of as many as 115 healthcare organizations expected to run through December. Aside from publishing an audit protocol and hosting a progress report session this June, the Office for Civil Rights has kept mum about the targets and results of the audit program.
So far, Drummond says, “There haven't been any leaks of names of organizations that were subject to it.” A final report is expected, perhaps as early as the end of the year, he says.
“Supposedly, the pilots are going to help them determine what they need to do,” going forward, Drummond says. If the audits reveal “special attention is needed in certain areas, they'll confine their audits to those areas,” he says. “My understanding (is) the audit process will continue on an ongoing basis. I don't think they're going away.”
For the June update, the Office for Civil Rights released preliminary results of the first 20 audits, an admittedly “thin” sample, says the Office for Civil Rights' McAndrew.
“I think what we were finding was that most of the problems were with the smaller entities,” McAndrew says. “Most of them on the privacy side, the difficulties were scattered across the requirements.” With the security rule audits, undocumented risk assessments and the failure to address some of the particular HIPAA security requirements—for example, using technologies such as encryption to protect data—were common, she says.
“The pilot is still ongoing,” McAndrew says, but ONC is in the wrap-up stages. “I do believe we have probably completed all of the field work” on about 115 audits, meaning all of the site visits to audited organizations have been made. “We're at the phase now of the analysis work with the entity to complete the final reports.”
Meanwhile, an omnibus privacy rule with modifications to HIPAA regs on privacy, security, enforcement and breach notification remains with the White House's Office of Management and Budget, where it has lingered since March.
Drummond says the original HIPAA privacy rule was released just as the Clinton administration was leaving office in December 2000 and the current privacy and security rule rework could be tied up for political reasons as well.
The new rules—which are to flesh out the many more stringent privacy provisions in the ARRA—will certainly displease some, and possibly everyone somewhat. HHS, for example, withdrew its final rule for breach notification in August 2010 after drawing fire from members of Congress, who felt their legislative prerogatives were being usurped.
As much discomfort as the breach reporting law and increased enforcement has created for the industry, it's been a good thing in that it has forced many organizations to at least recognize a security problem exists, says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society, a trade association for healthcare IT professionals. It's her job to raise awareness of the security problem and educate members on possible ways to solve it.
“I have always said that the way to get through to executives is for them to understand that this is something that has to be managed as a business risk,” Gallagher says. “Quite frankly, when there wasn't a lot of enforcement, (but) we couldn't make that connection, now we can. And I hope that translates into more resources.”
TAKEAWAY: On the third anniversary of a federal healthcare breach notification law, there's plenty to report, including more than 21.2 million patient records exposed.