Why Medical Records Are Tempting Targets for Cyber Crooks

The information that is collected and stored by healthcare providers and by health insurance companies includes incrdibly detailed information about our lives. In the U.S., insured patients are identified by social security numbers and birthdates, as well as full names. Our records include our current phone numbers, mailing addresses, physical addresses, email addresses, and all the same contact information for our next of kin and our closest friends and family members. This information also includes specifics about our current employer and how long we have been employed and on that employer’s insurance plan. These records also include our insurance member IDs. All of this information is sufficient for a crook to steal someone’s identity, to gain access to their accounts, to apply for and gain credit using our names, to begin piling up bills, to damage credit ratings, and to make our lives hell. Identity theft is much more difficult, costly, and time-consuming to combat than credit card fraud or than having a single bank account compromised.

This wealth of personal information also makes it incredibly easy for crooks impersonating healthcare services providers to bill insurers, including large federal payers, for medical and ancillary services (transportation, therapy, medical appliances) that were probably never provided, collecting millions of dollars in reimbursement before they’re ever found out. Medicare and Medicaid fraud is already a multi-billion criminal enterprise. The Economist called it “the $272 billion swindle” in May, 2014:

“Health care is a tempting target for thieves. Medicaid doles out $415 billion a year; Medicare (a federal scheme for the elderly), nearly $600 billion. Total health spending in America is a massive $2.7 trillion, or 17% of GDP. No one knows for sure how much of that is embezzled, but in 2012 Donald Berwick, a former head of the Centres for Medicare and Medicaid Services (CMS), and Andrew Hackbarth of the RAND Corporation, estimated that fraud (and the extra rules and inspections required to fight it) added as much as $98 billion, or roughly 10%, to annual Medicare and Medicaid spending—and up to $272 billion across the entire health system.”

The $272 billion swindle: Why thieves love America’s health-care system, The Economist, May 31, 2014

The Anthem Hack: The Largest Health Information Data Theft in U.S. History

This month, Anthem Blue Cross customers fell victim to the largest reported health information data breach. The records for 80 million customers were stolen, including customers from Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare and HealthLink. The data breach also affects BlueCard members. The Blue Cross and Blue Shield Association's BlueCard is a national program that enables members of one Blue Cross and Blue Shield Plan to obtain healthcare services while traveling or living in another Blue Cross and Blue Shield Plan's service area.

Among those affected are also Federal employees, possibly including members of Congress.  The Federal Employee Health Benefits (FEHB) program is the largest employer-sponsored health insurance program in the U.S. Federal employees can choose from 300 different private healthcare plans, including Blue Cross and Blue Shield coverage from Anthem. Perhaps some of our senators and congressmen and their families will gain first-hand experience in dealing with the very real threat of identity theft. But the sad fact is that most of them are so wealthy they have probably opted for one of the higher-end HMO insurance plans offered under FEHB. So they may continue to ignore this very real threat to U.S. citizens’ personal security.

What information was stolen? Customers’ names, dates of birth, member IDs, social security numbers, addresses, phone numbers, email addresses, and employment information. Precisely the information required to create a cloned identity.

Customers are also worried about the breach of their highly personal medical records. According to Anthem, “our investigation to date indicates there was no diagnosis or treatment data exposed.” That may or may not be reassuring for anyone whose medical records contain highly sensitive information.

The Anthem Hack Should Spur Big Changes in Insurance & Health Care IT Practices. But it probably won’t. We, the people, have become so accustomed to constant reports of massive cyber thefts, we’ve stopped being outraged. We’re boiling frogs.

In an article in Modern Healthcare, entitled: “Experts doubt Anthem breach will boost security spending,” Joseph Conn reported:

“Although a massive security breach like Anthem's seems as though it would spark a consumer uprising that would force healthcare leaders and elected officials to act, it probably won't, cybersecurity experts say. ‘I'll be surprised if this will be a Chernobyl,’ said Fred Cate, a law professor at Indiana University and a cybersecurity expert…..

A study released last summer by the Ponemon Institute found that in 2012 and 2013, 90% of healthcare organizations saw their patients' data exposed or stolen. And yet, only 23 instances of privacy and security rule violations under the Health Insurance Portability and Accountability Act have led to financial penalties or agreements with monetary settlements, according to federal statistics….

Dr. James Madara, CEO of the American Medical Association, expressed hope that the recent breaches will lead to greater security spending. Data security hasn't made many top-five problem lists among healthcare organizations, Madara said. The Anthem breach “will bring some light to that. If cybersecurity isn't something that's at the top of your list as an insurer or an integrated system, it has to get there very quickly.”

Joseph Conn, Modern Health Care, February 10, 2015

Rx: Separation of Concerns & End-to-End Encryption

I’m no security expert, but common sense and recent learnings have made me realize that the largest causes of data breaches occur when the bad guys manage to gain the access to information that only trusted employees are supposed to have. There are three ways to thwart that:

1. No employee has access to ALL of customers’ information. Customers’ information is segregated based on need-to-know to do your job.
2. Encrypt all customer data, end-to-end. Use single-use tokens. 
3. Remove information that can lead to identity theft. Perhaps health insurers and hospital and doctors’ offices don’t need our social security numbers. Why can’t our insurance member IDs suffice to grant us treatment and provide proof of insurance?

Don’t Limit Customers’ Access to Their Own Medical Records!

The backlash I fear is that if regulators and legislators, and healthcare systems and insurers start paying more attention to cybersecurity, they will limit patients’ access to their own records.

This would be a huge step backwards.

We are just now in the infancy of the empowered patient movement. Many of us now have online patient portals we can use to access some of our current medical records, see lab test results, request prescription renewals, see the analysis of x-rays and MRIs, and, most important, check the accuracy of our medical records.

HIPAA Is Not Patient-Centric. In the U.S., patient information privacy regulations have been driven by our health insurance industry; not by patients, nor by our physicians. Physicians are very conscious of the need to maintain patient privacy. Insurers want to know everything so they can limit their risks.

Yet, patients do have rights. Under the Health Insurance Portability and Accountability Act (HIPAA), patients have the legal right to obtain copies of all of our medical records, to ensure their accuracy, and to make corrections to them if we find errors. We should also have the right NOT to have our social security numbers and employer information stored with our medical records.

Let’s hope that the Anthem data breach does provide a wake-up call: one that puts more power in the hands of the patients, and requires health insurance companies to segregate, isolate, and encrypt our information end-to-end. What patients care about is access to and accuracy of their medical and health information. How the treatments are paid for and reimbursed should be kept separate. At the very least, my employer and my social security number do not belong in my medical records.