According to data released by the Identity Theft Resource Center (ITRC) for 2015 (as of December 1, 2015), around 35 per cent of all reported data breaches came from the medical/healthcare industry. Although the total number of breaches stood at 717, of which 248 were in medical/healthcare, what is worrying is that almost 68 per cent of all compromised records were medical data: a whopping 120,077,576 medical records were compromised out of the 176,275,271 records exposed during the period.
Obamacare has encouraged the exchange of health data, relying heavily on patient information transmitted electronically. This has, in turn, opened a channel for cyber criminals to steal unprotected sensitive data from hospitals, insurers and other health/medical channels.
How is medical identity theft denting the industry?
The impact of medical identity theft on healthcare providers is considerable, both in lost revenue and in lost reputation. In most cases, medical data theft leads to personal financial loss for patients, and if providers are not able to safeguard such information, patients may switch providers, causing revenue losses and denting the reputation of the organization. Customer loyalty suffers as well.
Calculating the cost of a HIPAA data breach is also not a single-step process. A healthcare organization incurs substantial costs for notifying patients about the breach, and damage mitigation can drive the cost further upwards. Failure to implement adequate security and privacy measures for protecting medical records is also leading to financial penalties being imposed on healthcare organizations.
Unsecured medical data has even left healthcare giants susceptible to data theft. Over the last year, healthcare organizations such as Anthem, Inc., Premera Blue Cross, Excellus Blue Cross Blue Shield / Lifetime Healthcare, and UCLA Health have reported breaches putting personal records of nearly 113,100,000 members at risk.
Such breaches translate into government fines, class action lawsuits, and loss of patients. Healthcare organizations face a penalty from the Department of Health and Human Services (HHS) of up to USD 1.5 million for such violations, while the Federal Trade Commission may impose a fine of around USD 16,000 per violation. In addition, if lawsuits follow, healthcare providers may end up paying damages for fraud, invasion of privacy, negligence, violation of medical confidentiality, breach of contract, unjust enrichment and unlawful business practices.
Why should you worry about medical identity theft?
To ensure cyber security, the Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare providers to maintain physical, network and process security safeguards. Further, under the Health Information Technology for Economic and Clinical Health (HITECH) Act, all organizations in the healthcare domain are required to notify the affected individuals even when 500 or fewer records are compromised. Where more than 500 medical records have been compromised, the media and the Secretary of HHS also have to be notified under the Breach Notification Rule.
With electronic medical records, data breaches are an accompanying reality. While eliminating the risk may not be feasible, it can certainly be mitigated through secure systems.
This should serve as a strong caution for chief executives managing organizations that deal with medical records. It belongs among the focus areas for CEOs when setting the agenda and prioritizing IT security as a part of the core business activity. An IT security breach can result in large financial losses, and the accompanying loss of credibility and client trust can have a huge impact on business performance.
What should you do?
After the massive and highly publicized attacks on big healthcare providers, IT security has become a critical issue for CEOs and commands the same weight as the financial performance of the organization. Today the two, finance and security, have become closely aligned.
According to a survey conducted by the Medical Identity Fraud Alliance, healthcare organizations have been focusing their spending on software for detecting and mitigating fraud.
Healthcare providers are responsible for protecting confidential information, including the medical records of patients. They have to be careful to select an electronic medical records management team that is HIPAA compliant. Doing so substantially reduces the organization's exposure to data breaches and the risk to its patients.
With Avancer's Advisory Services and range of solutions, healthcare organizations can safeguard themselves by complying with regulatory requirements. This includes measures to prevent cyber-attacks, employee breaches and inadequate firewalls, along with safely sharing data with third parties and accessing data through wireless computing, among others.