Healthcare Data Breaches: What Are the Risks?
Healthcare is private and highly sensitive. When an individual’s health history or current treatments are exposed through a healthcare data breach, it’s one of the most violating types of data breaches one can encounter. Healthcare breaches give hackers access to information that can help them steal identities and carry out further data theft.
Unfortunately, healthcare data breaches are all too common. One in four Americans has been a victim of a healthcare breach at some point. Despite federal protection from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), there are still healthcare breaches all the time.
In 2014, one of the largest health data system breaches ever recorded occurred at Community Health Systems, when 4.5 million patient records were exposed, resulting in a class action lawsuit with Pittman, Dutton & Hellums Law Firm. In 2017, nearly 700,000 records were exposed in a breach against the Commonwealth Health Corporation. While cybersecurity measures are becoming more sophisticated, so are hacker methods. Here’s what to be aware of.
How Healthcare Breaches Happen
As with any cyberattack, there are many common factors that contribute to the risk of healthcare breaches. These include:
- Outdated systems: Healthcare organizations hold some of the most complex data of any industry, and often this data is stored in extremely outdated systems. Because the systems can be expensive to update or migrate to systems with better protection, some are never changed, or not changed until a breach has occurred. Relying on old and ineffective security measures leaves them vulnerable to attacks.
- Poor testing: A security program without regular penetration and vulnerability testing is reactive rather than proactive, and far less effective than one that tests regularly.
- Assuming there is no risk: Thinking that HIPAA standards offer enough protection does not safeguard healthcare entities or their patients. For example, encryption is not mandatory under HIPAA, but it can be a valuable factor in protecting patient data.
A lack of automation also negatively affects healthcare security. In this vulnerable industry, older systems and manual processes unfortunately contribute to the high risk of healthcare breaches.
How Healthcare Systems Are Protecting Patients
Healthcare data breaches are expensive, not just for patients who have to work to recover their data, but for the organizations that are victims of them. HealthITSecurity reports that the average cost of a stolen healthcare record is twice the global average: $380 per stolen healthcare record in 2017, compared to the global average of $141. Measures healthcare providers are implementing to protect patients include:
- Incident response plans, so organizations can quickly identify, shut down and mitigate the damage of breaches
- Use of cloud-based systems, which are relatively new in healthcare but provide critical backup of healthcare records in the case of a breach, as well as backup generators to keep healthcare systems running through a compromise or power failure
- Data encryption, following National Institute of Standards and Technology standards for encrypting data at rest and data in motion
- Employee training on the proper use, access and protection of patient data
- Data loss protection, including permission-based file sharing and testing of the security architecture
Additionally, healthcare employee equipment that holds patient data or is used to access it, such as laptops, must be protected. Employees who work remotely must follow security protocols when accessing information.
Can You Sue If You’re a Victim of a Healthcare Breach?
Healthcare providers bear much of the responsibility when a breach happens. Prevention through proper security measures is paramount, because victims of healthcare breaches are in fact able to sue the healthcare provider after a breach. In August 2017, the U.S. Court of Appeals in Washington, D.C., ruled that health insurance company customers can sue a provider after a data breach. The ruling is expected to lead to more class action lawsuits over data breaches in healthcare.
If you are the victim of a data breach, you should receive a letter detailing the breach and what information of yours was exposed. It’s vital to change passwords and alert credit-reporting bureaus that your information has been compromised. You also might consider signing up for identity theft protection. Sometimes, the healthcare company will offer those whose information was breached free protection, which you can take advantage of.
If you are concerned that your stolen information has now led to your identity being stolen, you should file an identity theft report with the Federal Trade Commission. You can also report privacy concerns to the Federal Trade Commission.
You may also want to contact a lawyer, who may be able to file a lawsuit on your behalf or help you become part of a class action lawsuit concerning the breach. As a patient in a healthcare system, your information and privacy should never be compromised. When it is, becoming a party in a lawsuit can help to ensure it doesn’t happen again in the future and help you secure the compensation you deserve.