In the past year, reports of health records breaches have become more frequent, and the breaches themselves have grown progressively larger. These stolen records negatively impact the privacy, safety and security of millions of Americans, yet I do not hear people outside of the healthcare and cybersecurity industries expressing concern over this disturbing trend. Whenever a breach of credit card information is reported, everyone starts to worry that someone is going to use their credit card, yet health records breaches are met by many of the same people with a shrug.
A major part of the problem is that most people don’t understand how a health record breach could potentially impact them. I’m presenting the following information with the intent of making people aware of just what, exactly, is at stake.
Starting off with the Statistics: Healthcare Data Breaches Infographic
(We have compiled the following statistics on healthcare breaches to create the context for the situations we will present, afterwards, for you to consider.)
Pretty scary statistics, right? What if I told you that someone stealing your health records should concern you a whole lot more than someone stealing your credit card information? Why should individuals and companies be equally concerned?
For Individuals to Consider:
- When someone steals your credit card, as long as you report suspicious activity to your credit card provider as soon as you discover it, you have 0% liability. The credit card company will investigate the fraudulent charges and remove them from your balance. They will also immediately cancel the card and issue you a new one. Yes, it’s inconvenient, but you’re protected.
- When someone steals your health records, you can’t cancel your health history and get issued a new one. Your health problems are yours, forever. Not only is this type of violation deeply personal, but if they have access to steal your records, they could also change them and replace them, potentially putting your health and welfare at risk. They could also blackmail you. If you have certain details of your health history that are deeply personal and you don’t want made public, bad actors could hold you over the fire. Consider:
  - A terrorist wants to commit acts against the citizens of your country. They hack into a major health network and change the prescribed doses of patients’ medications, causing widespread health complications and possibly even killing people.
  - A bad actor finds out that you were treated for cocaine addiction when you were in college. They email you and tell you that unless you pay them $1000, they will tell your wife and your children.
  - A bad actor finds out that you have been diagnosed with a terminal illness. They email you and tell you that unless you pay them $5000, they will tell your employer (who you haven’t told yet).
- Not only do health records contain personal health information (PHI), they also contain personally identifiable information (PII). Hackers not only get your health history, they get your address, your full name, your social, your insurance information, and depending on the completeness of the record, data about your bill payment history. With access to one health record, they could open new credit accounts. They could destroy your credit. Between this and publicly disclosing your health history, they could keep you from qualifying for credit, mortgages, secured and unsecured personal loans, small business loans, and more.
For Companies to Consider:
- If you’re a healthcare provider and the fault of the data breach is determined to be yours, your company could be liable for millions and millions of dollars in damages. Not only does this potentially put the provider’s financial stability at risk, a portion of this cost will most likely be passed on to those needing care. You have to recoup those losses somehow, right?
- You’re the CEO of a publicly traded company. You’re also the visionary that adds substantial value to your company’s stock price and outlook. Your health records are hacked and a bad actor emails you. They threaten to publicly disclose that you have cancer and that it’s terminal unless your company wires 2 million dollars into a numbered account. What would you do?
- You’re the brilliant mind behind a new technology that is in development and you’re going before potential investors to ask for funding. A bad actor discovers that you are being treated for schizophrenia. They email you and tell you that unless you pay them fifty thousand dollars, they will publicly disclose your illness to your potential investors. Your symptoms are managed effectively with medication and medical observation. If you’re the only one who can develop the new technology, do you think that investors will see the risk being worth the investment?
The Sky Is Not Falling Yet, But…
I know these situations are scary. I’m using them as examples to demonstrate just how serious health records breaches can be. Individuals and companies should be asking what their providers are doing to safeguard their information. Large companies should be working with the healthcare industry to ensure they are taking steps to safeguard information that could destabilize their companies.
Right now, our country is behind the curve. We have a lot of catching up to do. We are acting reactively, post breach, to limit the damage done. We all need to be thinking about proactive steps we can take, as individuals and as companies, to better protect against these kinds of breaches. Be an agent for change, be a Netizen!