CO Medical Group's Patient Data Hacked

Just yesterday I was writing about the risk of online medical databases (like the Prescription Drug Monitoring Program) being hacked, as happened in Virginia in 2009.

Today, a Denver non-profit medical group announced its database had been hacked and patient data compromised.

The group believes hackers may have accessed patient names, phone numbers, and medical conditions. It’s not believed that hackers were able to access billing information like credit cards.

Computer security experts are warning consumers to beware of hackers targeting medical data, which is proving to be a valuable gateway to other consumer data. “It's incredibly valuable especially when it's medical information because it's tied to virtually everything," said John Sileo of ThinkLikeaspy.com, an identity theft protection agency.

How often do breaches of medical data occur? More than you'd think.

Catch these statistics:

96% of health care organizations have experienced at least one data breach in the past two years.... Nearly half of health organizations do nothing to protect data on mobile devices.... Only 23% of health care organizations use mobile device encryption.

What causes health data breaches?

Cause                                      2010    2011
Lost or stolen computing device             41%     49%
Third-party problem                         34%     46%
Unintentional employee action               45%     41%
Technical glitch                            31%     33%
Criminal attack                             21%     30%
Malicious insider                           15%     14%
Intentional nonmalicious employee action    10%      9%

Source: "Second Annual Benchmark Study on Patient Privacy & Data Security," Ponemon Institute, December

More than 10 million Americans had their medical data breached in 2011. Another example:

The insurer Health Net suffered one of the worst breaches, when nine data servers went missing from a Northern California data center in January. The servers contained records of nearly two million current and former policy holders.

The Health Net announcement of the breach is here.

The UCLA Health Systems database was breached and a class action filed. A breach involving Sutter Physicians Services (SPS) and Sutter Medical Foundation is ranked as one of the top ten data breaches of 2011: 4.2 million patients had their data exposed, and two lawsuits are pending.

Two out of six of our top breaches are medical breaches. Data breaches in the healthcare industry are up 32 percent over last year, according to one report.

That report says breaches of health records are not just up, but "soaring."

The health information of more than 4 million members of the military health plan TRICARE, maintained by Department of Defense contractor Science Applications International Corporation (SAIC), was breached in 2011. A $4.9 billion lawsuit is pending. How did it happen? Backup tapes were stolen from a data contractor's car.

I haven't seen any reported data breaches with Good Health Systems, which stores and manages the prescription monitoring data for Colorado and several other states. Its practices, outlined in this Jan. 2011 proposal to Vermont to procure Medicaid rebates, seem designed to maintain security. But no set of practices can guarantee security against hackers, or against negligence or incompetence at the doctor's office or pharmacy.

Here's the (very long) list of health information breaches reported to HHS, involving 500 or more individuals. The New York Times reported in September:

The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.

Here's a round-up by state of what law enforcement must show to get your information: probable cause, a court order, an active investigation, or merely a subpoena.

Instead of cutting back on these programs, they are being expanded. Several states are implementing real-time reporting of prescriptions.

So long as doctors, pharmacists and their agents can access the databases with only a user name and password, they are as vulnerable to being breached as any other database. That only one state has reported a breach so far doesn't mean more incidents won't happen.

Massive electronic databases that contain our personal medical records carry big security risks. It's one thing for electronic medical records to be used as initially intended, to provide better patient care and cost effectiveness. Prescription monitoring was initially billed as a way for doctors to provide better care by identifying which of their patients may have problems so they could educate them; it has since morphed into a means for law enforcement to catch some pill abusers. For that purpose the risk is hardly justified. In fact, it's unacceptable.

    the problem is lack of security (none / 0) (#1)
    by diogenes on Thu Feb 02, 2012 at 07:10:28 AM EST
    You can hack anyone to get the data, but medical data is not as well guarded as credit card company data because by their nature medical practices do not believe that the world is filled with criminals who are out to get them.

    anything connected to the internet (none / 0) (#2)
    by cpinva on Thu Feb 02, 2012 at 07:41:42 AM EST
    can be hacked, by definition. it just depends on how badly someone wants to.

    Just so (none / 0) (#6)
    by Lora on Thu Feb 02, 2012 at 04:38:35 PM EST
    Anything.  Not only hacked, but changed.

    Not just data security (none / 0) (#3)
    by vicndabx on Thu Feb 02, 2012 at 08:01:54 AM EST
    IMO, it's also the glorification of hackers as a group of individuals doing what they do for altruistic reasons.  E.g. Anonymous and its support from Wikileaks.

    49% lost/stolen computing devices (none / 0) (#4)
    by jimakaPPJ on Thu Feb 02, 2012 at 08:47:35 AM EST
    I assume that these are laptops used by employees to access the database.

    Again assuming that a halfway decent security protocol is employed... 7 letter/number password with an automatic lock out after 3 failures with a system administrator re-admittance required... then I assume that the password has been saved on a file in the computer that the "hacker" can easily find.

    Rap some knuckles really hard if they have their password easily found and institute the above and you have 45-50% of the problem solved.
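
As an added illustration (an editor's example, not code from the post, from TalkLeft, or from any commenter), here is what the policy described in the comment above looks like in Python: a password of at least 7 characters stored as a salted PBKDF2 hash, lockout after three consecutive failures, and re-admittance only by an administrator reset. The usernames and passwords are constructed for the example. The last step of `demo()` shows the limitation the same comment raises: a password saved in a file on the stolen laptop is correct on the first try, so the lockout never fires.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3             # lock after three consecutive bad passwords
MIN_PASSWORD_LEN = 7         # "7 letter/number password"
PBKDF2_ITERATIONS = 100_000  # slow hash, so a stolen hash file is not a free win


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        self.username = username
        self.salt = os.urandom(16)
        self.digest = _hash_password(password, self.salt)
        self.failures = 0
        self.locked = False


class AuthService:
    """Username/password check with lockout and administrator unlock."""

    def __init__(self) -> None:
        self._accounts = {}
        self._dummy_salt = os.urandom(16)

    def add_user(self, username: str, password: str) -> None:
        self._accounts[username] = Account(username, password)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self._accounts.get(username)
        if acct is None:
            # Hash anyway, so an unknown username is not distinguishable by timing.
            _hash_password(password, self._dummy_salt)
            return "denied"
        if acct.locked:
            # Once locked, even the right password is refused until an admin resets.
            return "locked"
        candidate = _hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0  # a good login clears the failure count
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"

    def admin_unlock(self, username: str) -> None:
        """The 'system administrator re-admittance' step from the comment."""
        acct = self._accounts[username]
        acct.locked = False
        acct.failures = 0


def demo() -> list:
    """Walk the policy through a constructed account; returns the login outcomes."""
    svc = AuthService()
    svc.add_user("drsmith", "rx2012abc")   # constructed sample credential, not real
    outcomes = [
        svc.login("drsmith", "guess-one"),    # denied (1 of 3)
        svc.login("drsmith", "guess-two"),    # denied (2 of 3)
        svc.login("drsmith", "guess-three"),  # locked on the third failure
        svc.login("drsmith", "rx2012abc"),    # still locked: guessing is now useless
    ]
    svc.admin_unlock("drsmith")
    outcomes.append(svc.login("drsmith", "rx2012abc"))  # ok after the admin reset
    # The scenario the comment itself raises: if the password sits in a file on
    # the stolen laptop, the thief needs one attempt and the lockout never fires.
    password_from_stolen_laptop = "rx2012abc"
    outcomes.append(svc.login("drsmith", password_from_stolen_laptop))  # ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The lockout only buys anything against guessing; it does nothing against a credential that is already on the device, which is why the 49% "lost or stolen computing device" figure in the Ponemon table above is usually answered with device encryption rather than with password policy.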

    gee jim, i'm just amazed no one ever (none / 0) (#8)
    by cpinva on Thu Feb 02, 2012 at 11:44:33 PM EST
    thought of this before! got to get up pretty darn early in the morning, to get one over on you guy!

    Rap some knuckles really hard if they have their password easily found and institute the above and you have 45-50% of the problem solved.

    really? i mean, really, that's the absolute best solution you can come up with? you gave this what, two seconds of deep thinking?

    the basic problem with this approach (and it's standard policy in every functioning entity) is that you can only "rap knuckles" but so hard, unless you intend to turn over your entire workforce every few months. not really economically feasible. as well, most companies have so many different applications, each requiring their very own unique set of user ID/pw, that no normal person can possibly be expected to remember them all.

    there are possible solutions in the works, everything from using fingerprint ID, to DNA, just to access the machine. the problem is that none of these methods is ever going to be 100% hacker proof, ever. the harder you make it to access data, the slower your own employees become, reducing productivity.

    there is no easy solution.


    The Real Problem (none / 0) (#5)
    by ScottW714 on Thu Feb 02, 2012 at 01:02:53 PM EST
    ...is we have no control over this data, including who has access to it.  And this data to me is far more valuable than what I leave at the GAP to buy a shirt.

    With them I am willing to give them a very small and safe amount of data for my convenience.  And if there is a breach, I can cancel my CC and forgo their services in the future, if I choose.

    Not true of my medical records, they can't be cancelled/deleted once they are breached.  That data could, in theory, go viral and never be erased from the internet.

    I understand there is a benefit, but I should be the one making that risk/reward assessment.  My old doctor was a paper man, and I loved it, he was old school, and understood the importance of privacy.  My last doctor gave me a card so I could check my test results online.  I haven't been back*.  

    Granted, as I get older I may revisit the benefits of having my data available on a network, but I should be the one deciding if it benefits me, not Corporate Health Care and Big Insurance deciding if it benefits them.  I will pay a charge to keep my stuff in a paper file on a dusty shelf.

    Think of the leverage medical records could garner someone.  How much would some people pay for a politician's medical history, their boss's, or a judge's?  It's frightening.

    It's not right that we have absolutely no control in how our information is handled and apparently no recourse when it's compromised.

    *Side Note: The computer in the examination room hadn't been logged out, I just glanced at the name, and it was an older female co-worker I talk to occasionally. I know, in Houston, what are the odds.  And the worst thing is I wanted to tell her of their carelessness, but I didn't want her thinking I was out-of-line.  I was just curious as to what was on the computer; it never occurred to me it would be another patient's information.

    Of course... (none / 0) (#7)
    by diogenes on Thu Feb 02, 2012 at 09:17:29 PM EST
    If you have a stroke one thousand miles from home at midnight, it would sure help the doctors in the emergency room to know your history, especially if you are too incoherent to give it.