A healthcare data breach, such as the recent massive one at health insurer Anthem, means more than lost data for a patient: it can mean lost money and, in the most extreme circumstances, a completely altered medical history.
The financial ramifications can come when credit card and identity information is stolen. For example, the Community Health Systems breach in summer 2014 has caused several lawsuits alleging specific harms to patients. William Lutz, a CHS patient in Lafayette Hill, Penn., contends the data loss resulted in hackers making more than $40,000 in illegal charges and setting up new financial accounts in his name.
Hixie Lewis, a CHS patient in Alabama, said a third party opened—and maxed out—two credit cards to Victoria's Secret, which is still pursuing her for the debts run up on the cards. Class-action lawsuits against Anthem have popped up and allege potential financial harm.
However, in both cases, the companies have maintained patients' medical data was not compromised. Theft of medical records poses not only financial but also potentially life-threatening harms to patients. Yet, a lack of public indignation about such breaches indicates the industry has not hit a tipping point that will force it to change its procedures by spending more on data security.
A February 2015 report from the Ponemon Institute surveying medical identity theft victims—whose ranks are often swelled by data breaches—found that of the surveyed patients, about two-thirds said they had paid money to resolve the theft. Those patients paid an average of $13,500.
Stealing medical identities is done to commit healthcare fraud. As a result, “you have to reimburse either the healthcare provider or your health plan for a medical good or service that the identity thief enacted,” said Ann Patterson, senior vice president of the Medical Identity Fraud Alliance.
Unlike in the credit card industry, where cardholder liability is limited for fraudulent charges, patients often have to pay either the insurer or the provider in question, she said.
Cletis Earle, chief information officer of St. Luke's Cornwall (N.Y.) Hospital, said the perpetrators of such fraud are often individuals who don't want to pay for care, or don't have a legitimate identity for doing so—for example, opioid addicts who need to doctor-shop.
Once care is done, several experts agree, the results can follow a patient for years regardless of whether the payment issue is resolved. That's because a record of care bearing the patient's identity has been created.
Pam Dixon, executive director for the World Privacy Forum, noted that a patient could wrongly have an allergy crossed off the list, for example. If a fraudster is treated with an antibiotic the patient is allergic to, the record might gain a new notation—that the patient in question isn't allergic.
That permanence is due to an unfortunate feature with the electronic health-record system, Patterson said. “With your financial credit report, when you see something that's incorrect, there's a dispute process,” she said. “You can have things removed that are inaccurate from your report.”
With EHRs, data can't get removed. Annotated, perhaps, stating that the data is incorrect. But not necessarily removed. “You have this lifelong corruption of your record,” she said.
Earle said that particular technological quirk might get resolved in the future. If data-sharing between EHRs becomes more advanced, and data is more easily reconciled, such problems could become resolved—and patients could find it easier to check for potential identity theft.
But it's difficult right now to check for the medical implications of identity theft. The Ponemon Institute report found that identity theft victims don't frequently check their own records. Only 17% of those patients check their records for accuracy most of the time.
Getting patients to check their records is a government requirement under the EHR subsidy program. And it's one providers struggle to achieve. November 2014 government data found that 49% of attesting hospitals had only barely passed the second stage requirements for the program—they needed 5% of patients to view their records, and got between 5% and 10%.
If patients don't check the data themselves, can they rely on automated tools to do it for them? Most affected institutions seem to provide credit monitoring services to patients whose data is breached.
But that's not universal. For example, after a 2011 data breach, Sutter Health in Sacramento, Calif., did not offer credit monitoring services. A spokeswoman said that the decision was based on the types of data lost in the breach, which was not financial.
Some question whether credit monitoring is enough. “It does need more scrutiny, and it does need more attention,” said Steven Russo, executive vice president of cybersecurity firm CertainSafe.
The credit monitoring services do not scrutinize medical claims. Patterson isn't aware of many firms that do.
“Unlike financial reports that are housed at the three credit bureaus … there is no central repository where your medical record is housed,” she explained. As such, it's a challenge for an interested firm to aggregate the data.
Despite the medical and financial issues associated with the rising number of data breaches, backlash against affected firms appears to be muted. Josh Raskin, an analyst at Barclays Research, said he doesn't think investors care a great deal about the Anthem data breach “because the financial ramifications don't appear to be great.”
Raskin's analysis appears to be shared by others. Louise Norris, a health insurance broker in Wellington, Colo., said that “the Anthem hack has been pretty much a non-issue for our clients.”
At close of trading Tuesday, Anthem was trading at $145.99 per share, not far from its 52-week high of $148. Wall Street appears to be equally sanguine about Community Health Systems, which traded at $49.59 as of the close, compared to $47.24 in early August last year.
Community Health Systems has held two quarterly earnings calls since the August 2014 disclosure of the breach and neither executives nor analysts have discussed it in those calls.
In its annual Securities and Exchange Commission filing, it focused on the potential negative effects of litigation related to the breach, rather than a deterioration in consumer confidence. A CHS spokeswoman said the company would not comment beyond what is included in SEC filings.
Anthem's yearly filing with the SEC is similar. Anthem also declined to comment for this story.
However, a Ponemon Institute report said 48% of identity theft victims would consider leaving a provider in question. Dixon of the World Privacy Forum added that her organization has “never gotten such a large response as we have to the Anthem breach. They [consumers] are taking it much more seriously, and they are very angry.”
Breach issues will likely only continue, Patterson said. Hackers are becoming more sophisticated at stealing and criminally exploiting data. The number of patient records breached increased 25.5% in 2014, according to Redspin, an information technology security firm.
Follow Darius Tahir on Twitter: @dariustahir
Follow Bob Herman on Twitter: @MHbherman