How Safe are your Medical Records?

We would like to believe that our confidential medical records are kept under digital lock and key; however, this is not always the case.

The safety of patient data depends on the diligence of health care organizations and the cyber-security measures they have implemented. Simple oversights and errors can result in private and confidential patient medical data being made available in the public domain, as recently happened for 7,000 patients of a diagnostic clinical laboratory in Huntsville, AL.

The company, Diatherix Laboratories, was forced to notify its 7,016 patients that a HIPAA breach led to their data being made available in the public domain for a period of three years, and that during that time outsiders had accessed that information. The problem occurred because the patient data was stored on a third-party server which had not been made secure. The breach occurred in September of 2011, yet the issue was not noticed until July 2014.

This is far from an isolated incident. A Temple University doctor’s office recently reported the theft of a laptop from its premises, with the data of 3,780 patients stored on its hard drive. This summer a medical center in Utah was targeted by thieves who managed to steal the medical records of 31,677 patients. Memory sticks containing confidential data are also lost or stolen, as was recently reported by Duke University Health System, although the volume of lost data was unknown.

In 2010, Columbia University Medical Center and New York-Presbyterian Hospital were victims of cyber security attacks involving the theft of close to 6,800 patient records.

The problem is growing as an increasing number of cybercriminals target health care organizations to reap the financial rewards from selling patient data. According to the Department of Health and Human Services, large-scale data breaches affecting more than 500 individuals have now affected some 39 million individuals.

Breaches in security and theft of data are not a problem solely affecting the health care industry; any personally identifiable information can be used to obtain false identities. Target and Home Depot have recently suffered cyber attacks and customer data theft.

Electronic records are kept when prescriptions are made, goods are purchased and services are provided. Insurance claims, medical visits, optician appointments and dental visits are all documented, and records are stored online. Federal HIPAA law ensures the government can place strict controls on how data is stored, and by complying with these standards, medical institutions and companies can ensure that data is kept secure. Unfortunately, even these measures can be insufficient with the volume of targeted attacks now taking place.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.