Medical information sits near the top of any list of highly sensitive personal data, and it is sensitive precisely because it is so personal. Our medical information used to live in paper charts at the doctor’s office, the hospital, the pharmacy and the health insurer. Now it is digital and accessible to all of our medical providers (which is good for our treatment), to pharmacies, and to the makers of wearable and ingestible devices. And it is not only the information HIPAA protects that is at stake: a growing share of our health data is not covered by HIPAA at all, including the genetic information we voluntarily hand to companies like 23andMe and the data collected by Fitbit trackers and sleep monitors.
Our medical providers send our information to their business associates for analytics, including utilization review, predictive analysis of our health conditions, and aggregation across patients to find better ways to treat us, and they share it with medical device companies that monitor our health. All of this sharing is meant to make treatment more efficient, less costly and more comprehensive, but it also means that our medical information is transmitted digitally more than ever before. Add the fact that our non-HIPAA-covered health data can be aggregated with it, and you get the picture: aggregate that information and then compromise it, and you can learn almost everything about a person, including their most private details.
Unfortunately, April 2019 was the worst month for reportable breaches since the Office for Civil Rights (OCR) began requiring covered entities and business associates to report them (2010). Last month, 44 data breaches were reported to OCR by covered entities and business associates. (OCR’s public breach portal lists incidents affecting 500 or more individuals; smaller breaches are reported to HHS annually and are not included in that count.)
Those breaches compromised the medical records of 686,953 people. None of them was among the largest breaches in history, but 44 is the most reported in a single month since 2010. About two-thirds of the incidents were classified as hacking or IT incidents. That simply did not happen back when all of our information was on paper, and many medical providers have not implemented security measures robust enough to keep up with the sophisticated attacks now aimed at the industry.
That is disappointing, but not surprising. We have been reporting for years on how the healthcare industry is a target, particularly for ransomware. The two largest breaches reported last month involved a medical billing company and a radiology provider.
So how do we protect our medical information? We probably cannot directly change the security practices our medical providers, health insurers and pharmacies implement. We can, however, put pressure on them by asking about data security every time we see a provider, to show that it is a priority and a concern. (Although I will admit that when I ask my provider and my dentist about data security, they look at me like I am crazy.) But think about it: if all of us ask our providers about data security every time we go to the doctor, the hospital or the pharmacy, maybe they will start talking about it, too, and look into their own data security practices. It is a long shot, but if it becomes the “buzz” for the rest of 2019, maybe we can make April 2019 go down as the worst month in history rather than merely the worst month so far. Of course, OCR is the agency that enforces HIPAA and investigates these incidents, including data breaches, but we can help put pressure on providers, too, so that data security becomes a top priority.
Other things to consider:
- Shred all paper medical records
- If any of your medical records are on a CD or thumb drive, make sure the media is encrypted, and destroy it when it is no longer needed
- Avoid emailing medical records insecurely: encrypt the attachment before sending it, and share the password through a separate channel (for example by phone), not in the same email
- Research the privacy and security posture of medical device companies and whether they have had any recalls or reported any data breaches
- Ask your provider about their data security processes and tell them it is a priority for you
- If you store your medical information in apps or in your personal email account, make sure it is encrypted at rest, and protect the account itself with a strong, unique password and multi-factor authentication
- If you are given an option when sharing your information to refrain from disclosing it to others, take that option and limit the sharing
- Consider requesting restrictions on the access and disclosure of your medical information when you present it to the provider
- Consider requesting an accounting of disclosures from your medical provider so you can see who the provider has shared your information with (understand that under HIPAA the provider does not have to provide an accounting of disclosures if the disclosure was for treatment, payment or operations)
- Be careful about sharing your medical information on social media sites
The healthcare industry is being attacked because medical records are widely reported to be worth more on the dark web than any other type of record: unlike a credit card number, a medical history cannot be cancelled and reissued once it is stolen. As patients, we can do our part to protect our medical information by using good data security practices and by pressuring our providers to do more. Let’s ask questions about data security every time we go to the doctor, the hospital or the pharmacy, to let our medical providers know that our medical information is important to us and that we expect them to protect it. If all patients do this, perhaps the message will get across to the healthcare industry to ramp up its data security measures, and April 2019 will be behind us and remain the worst month in history for medical information data breaches.