CO Medical Group's Patient Data Hacked

Just yesterday I was writing about the risk of online medical databases (like the Prescription Drug Monitoring Program) being hacked, as happened in Virginia in 2009.

Today, a Denver non-profit medical group announced its database had been hacked and patient data compromised.

The group believes hackers may have accessed patient names, phone numbers, and medical conditions. It’s not believed that hackers were able to access billing information like credit cards.

Computer safety experts are warning other consumers to beware of hackers targeting medical data as it’s proving to be a valuable gateway for other consumer data. “It's incredibly valuable especially when it's medical information because it's tied to virtually everything,” said John Sileo of ThinkLikeaspy.com, an identity theft protection agency.

How often do breaches of medical data occur? More than you'd think.

Catch these statistics:

96% of health care organizations have experienced at least one data breach in the past two years....Nearly half of health organizations do nothing to protect data on mobile devices ....only 23% of health care organizations use mobile device encryption.

What causes health data breaches?

| Cause | In 2010 | In 2011 |
|---|---|---|
| Lost or stolen computing device | 41% | 49% |
| Third-party problem | 34% | 46% |
| Unintentional employee action | 45% | 41% |
| Technical glitch | 31% | 33% |
| Criminal attack | 21% | 30% |
| Malicious insider | 15% | 14% |
| Intentional nonmalicious employee action | 10% | 9% |

Source: "Second Annual Benchmark Study on Patient Privacy & Data Security," Ponemon Institute, December

More than 10 million Americans had their medical data breached in 2011. Another example:

The insurer Health Net suffered one of the worst, when nine data servers went missing from a Northern California data center in January. The servers contained records of nearly two million current and former policy holders.

The Health Net announcement of the breach is here.

The UCLA Health Systems database was breached and a class action filed. A breach involving Sutter Physicians Services (SPS) and Sutter Medical Foundation is ranked as one of the top ten data breaches of 2011. 4.2 million patients had their data exposed, and two lawsuits are pending.

Two out of six of our top breaches are medical breaches. Data breaches in the healthcare industry are up 32 percent over last year, according to one report.

That report says breaches of health records are not just up, but "soaring."

The health information of more than 4 million members of the military health plan (TRICARE), which was maintained by Department of Defense contractor Science Applications International Corporation (SAIC), was breached in 2011. A $4.9 billion lawsuit is pending. How did it happen? Backup tapes were stolen from a data contractor's car.

I haven't seen any reported data breaches with Good Health Systems, which stores and manages the prescription monitoring data for Colorado and several other states. Its practices, outlined in this Jan. 2011 proposal to Vermont to procure Medicaid rebates, seem designed to maintain security. But it can't guarantee security against hackers and doctor or pharmacy negligence or incompetence.

Here's the (very long) list of health information breaches reported to HHS, involving 500 or more individuals. The New York Times reported in September:

The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.

Here's a round-up by state as to what law enforcement must provide -- e.g. probable cause, a court order, an active investigation, or merely a subpoena -- to get your information.

Instead of being cut back, these programs are being expanded. Several states are implementing real-time reporting of prescriptions.

So long as doctors, pharmacists and their agents can access the databases with only a user name and password, the databases are as vulnerable to being breached as any other database. That only 1 state has reported a breach so far doesn't mean more inci