Last May, in the first of a series of SCOUT-sponsored healthcare surveys conducted with The Harris Poll (SCOUT Rare Insights), we asked more than 2,000 Americans about the security of their personal medical information, which includes information like disease diagnoses, test results, and overall health history. A key finding was that, while 69% of U.S. adults said they are extremely or very concerned about the possible unauthorized sharing of their personal financial information, less than half (49%) share that level of concern about their personal health data.
We should all worry a lot more. In a perfect storm of increasing cyber crime, a fragmented healthcare system that rushed to digitize patient information without being adequately prepared to protect it, and the constant accessing and expansion of patient data over an untold number of digital systems and devices, personal medical information is supremely vulnerable to exposure.
Data Breaches Increasing
According to the Health and Human Services Office of Civil Rights, 253 healthcare breaches occurred in 2015, the top 10 accounting for a staggering 111 million records lost, stolen, or inappropriately disclosed. It was a watershed year, prompting the government to begin issuing stiff fines for infractions and the industry to start working harder to protect patient data.
But according to a report in last January’s HIPAA Journal, 2017 breaches continued a pattern of year-over-year increase, with fewer massive breaches but a greater volume of incidents overall. There were 342 security breaches initially reported, the top 20 exposing nearly 3.3 million patient records. Hackers, IT issues, and carelessness—theft of unencrypted laptops, improper disposal of records, response to phishing emails—were the main causes of the incidents.
Data breaches don’t necessarily result in the theft and exploitation of personal information. Many take the form of institutional-level extortion—criminals make patient data inaccessible, demanding a ransom to return access. But the risk of patient information being compromised is always present. In one of 2017’s most publicized breaches, at least 7,000 patients of Bronx-Lebanon Hospital Center in New York City had their names, addresses, medical, and mental health diagnoses, addiction histories, HIV status, and other highly sensitive personal information exposed online.
Medical Identity Theft a Lucrative Field
Why do thieves target medical data? A black market in personal health information is thriving, with criminals paying far more for a medical file than for your ferociously guarded Social Security and credit card numbers. A stolen medical identity can be used to illegally obtain medical services, including expensive diagnostic tests, surgeries, and prescription medications. It can also be used to commit insurance fraud, acquire Medicare or Medicaid benefits, and even file and collect refunds on phony tax returns.
Breached databases aren’t the only route to medical identity theft, of course. Personal robberies account for many cases, making it important for individuals to exercise the same caution with their health insurance cards as with their credit cards. This was well illustrated in an August 2016 article in Consumer Reports that detailed the harrowing accounts of people who had been victims of medical identity theft. In one, a woman was threatened with having her children removed from her home after another woman used the victim’s stolen medical identity for maternity services and gave birth to a baby with drugs in its system. The victim spent years getting her name off the infant’s birth certificate and correcting her records—often, a thief’s data becomes entwined with the real patient’s data.
Victims Largely Unprotected
It’s ironic that Americans are more concerned about the security of their financial information than their health data, given that we have ways of mitigating the severity of financial breaches. Most banks will call immediately if unusual account activity is detected, but it can take several months for irregularities in an individual medical record to surface. Also, the Fair Credit Billing Act sets limits on customer liability if money is illegally withdrawn with a stolen ATM or debit card, but there is no such protection for patients whose medical records are used illegally. There’s even the option of doing a total lockdown of your personal financial data, but not of your health information.
The greatest risks to the security of our medical information are the vulnerability of the electronic systems housing the data and the skill of those seeking to exploit that vulnerability. Just last April, Symantec reported that a group called Orangeworm was conducting an orchestrated attack on the computer systems of healthcare companies in the U.S., Europe, and Asia. Symantec speculated that corporate espionage was the likely motive for the attacks, but patient data could be compromised—it’s hard to know the scope of potential damage, whether intentional or collateral, until it’s done.
This point is also illustrated by the growing market for anonymized medical data, which allows companies to legally buy and sell millions of medical records provided certain details like names, birth dates, and Social Security numbers are omitted. But, as a January 2017 article in Scientific American noted, Big Data and advances in computing make it possible to “re-identify” anonymized patients. There are no public records of hacks into anonymized medical dossiers, nor, except in academic research, of anonymized records being re-identified. But the potential for weaponizing such records—whether to undermine the career of a public figure or extort millions of dollars in a protection scheme—is the kind of macro issue to consider when determining how health data should be used and how it can be kept secure.
What We Can Do
We can’t control how institutional health records are protected, but we can choose how much medical information we reveal via healthcare portals and other channels. First, we must do the risk-return calculation of voluntarily sharing personal health information in exchange for direct benefits. Telemedicine, for example, is a rapidly developing area where voluntary disclosures of health information via a website can help people save both time and money. But who has that data? And how well will it be protected?
The SCOUT-Harris Poll revealed that only 36% of Americans currently use an online portal to access their personal health information. Among those who don’t, 39% expressed concerns about security. Interestingly, while millennials are famed for leading the technology revolution, our survey found that Americans aged 18 to 34 are less likely than those aged 35-plus to use an online health portal (28% vs. 39%, respectively). Is it because they’re healthier and have fewer healthcare interactions to keep track of? Or do they know something we older patients don’t?
Technology will continue transforming healthcare. But to realize the full power and efficiencies of technology-supported healthcare, including the growth of exciting new areas such as predictive medicine, we need better assurances that our personal medical information will be safe, confidential, and used only for our benefit.
That means urging healthcare organizations to comply with current protection guidelines and routinely perform comprehensive risk analyses to identify and respond to security vulnerabilities. It also means being prudent about what health information we share publicly and vigilant about monitoring and protecting it. In an era shadowed by cyber intrusion into all areas of our lives, the safety of our health data must be a priority.
Raffi Siyahian is a principal at SCOUT, a leading healthcare agency focused on orphan drugs and specialty pharma. He is the guiding force behind SCOUT Rare Insights, a new series of surveys examining topical issues from a healthcare perspective. The surveys will be conducted with The Harris Poll. Both companies are members of The Stagwell Group.
About the Survey
The inaugural SCOUT Rare Insights survey was conducted online within the United States by The Harris Poll from May 10-14, 2018 among 2,033 U.S. adults ages 18 and older. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables and subgroup sample sizes, contact Raffi Siyahian, Rsiyahian@findscout.com.