Medical Data Theft: Is There an End in Sight?

   (RPC) – 4/7/2015 - Details continue to emerge about the data breach reported last month by Premera Blue Cross, a breach which involved the personal medical records of roughly 11 million people. Some of those records go back more than 14 years. Premera's plight, unfortunately, is emblematic of a much broader crisis in health care data theft that has been building ever since the push toward digital health care record began – a situation which more than just a few of us in the media had raised questions about at the time.
   In February, 2015, insurance giant Anthem, Inc., reported the theft of data in December of 2014 involving an estimated 80 million current and former members, putting at lifetime risk anyone who has ever been a customer of Empire Blue Cross and Blue Shield, Caremore, Amerigroup, Unicare, Healthline, DeCare, Anthem Blue Cross and Blue Shield, and Blue Shield of Georgia.
   The Anthem theft is widely seen as one of the largest data thefts in U.S. history.
   While there is speculation on precisely what data was taken in the Premera Blue Cross case, the company cites Social Security numbers, clinical information, bank account information, birthdays, the names of applicants and their family members, and other contact and identification numbers as among the type of information that was stolen. Anthem said it does not have a reason to believe bank or credit card information was stolen, but does site income information, birth dates, Social Security numbers, email and address information.
   Premera is currently facing at last five separate class action suits. Anthem is facing numerous lawsuits as well, including one filed by St. Louis County in Missouri against Blue Cross Blue Shield. Three suits were filed against Anthem within a day after the breach was made public.
How sophisticated were the attacks? Not a sophisticated as they would have you believe, experts say.  In the Anthem incident, the company altogether avoided the encryption of sensitive customer data, with data thieves apparently making us of simple email “phishing” attacks, aimed at several employees which network access.
   In both cases, thieves were able to steal some of the most valuable data there is – people's Social Security numbers, birth dates, and addresses – data that rarely if ever changes and which can be used to commit fraud for many years to come.
   According to the Fifth Annual Study on Medical Identity Theft, the medical identify theft problem grew by approximately 22 percent this past year. The massive Anthem and Premera breaches will likely bump the percentage higher yet again this year. 
   The Secretary of the U.S. Health and Human Services Office for Civil Right is required by section 13402(w)(4) of the HITECH Act to post a lit of security breaching involving “unsecured protected health information affecting 500 or more individuals.
   A summary of the largest breaches since 2010, by name of covered entity and individuals affected, is as follows:
  • Anthem Inc. Affiliated Covered Entity (78,800,000).
  • Premera Blue Cross (11,000,000)
  • Science Applications International Corporation (4,900,000)
  • Community Health Systems Professional Services Corp. (4,500,000)
  • Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group (4,029,530)
  • Xerox State Healthcare, LLC (2,000,000)
  • IBM (1,900,000)
  • GRM Information Management Services (1,700,000)
  • AvMed, Inc. (1,220,000)
  • Montana Department of Public Health and Human Services (1,062,509)
  • Blue Cross Blue Shield of Tennesseek Inc. (1,023, 209)
  • Sulter Medical Foundation (943,434)
  • Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey and its affiliates (839,711)
  • Iron Mountain Data Products, Inc. (800,000)
  • Utah Department of Technology Services (780,000)
  • AHMC Healthcare Inc. and affiliated hospitals (729,000)
  • Eisenhower Medical Center (514,330)
  • Triple-S Management, Corp; Triple-S Salud, Inc. (475,000)
  • Affinity Health Plan, Inc. (344,579)
  • Southerland Healthcare Solutions (342,197)
  • Emory Healthcare (315,000)
  • Touchtone Medical Imaging (307,528)
  • Shred-It International Incorporation (277,014)
  • Seacoast Radiology, PA (231,400)
  • Southern California Department of Health and Human Services (228,435)
  • Indian Health Service (214,000)
  • Digital Archive Management (189,489)
  • RCR Technology Corporation (187,533)
  • Millennium Medical Management Resources, Inc. (180,111)
  • Walgreen Co. (160,000)
   Of the top 100 largest data theft incidents to date, a quick count suggests that approximately 29 involved a compromised network server, eight involved computer desktops, 19 involved laptop computers, 23 involved some other type of portable device, 12 involved paper/films, three involved email, and seven involved some other type of electronic medical records.
   What do thieves want with your medical records? The answer is apparent in at least one other troubling trend this year, that being tax refund fraud, which has been reported at escalating levels nationwide. In addition to filing fraudulent tax returns,the U.S. Federal Trade Commission warns: “A thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care. If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.”
   Is there an end in sight to the health care and medical data theft trend, or has Pandora's Box been forever opened? Only time will tell.
   For further reference, see:  U.S. Department of Health and Human Services Office of Civil Rights Breach Portal; or the Federal Trade Commission - Medical Identity Theft.