Theft of patient information is an expensive and growing problem for health care providers that range from big hospitals to small community clinics.
And while breaches affecting tens of millions of customers tend to gather all the headlines, the problem is no less serious for the more than 30,000 patients in San Diego County whose records have been compromised since 2010.
Information analyzed by inewsource shows at least five health care providers in San Diego County had patient data exposed in that time period. Most of the providers either failed to respond to repeated inewsource calls for comment or declined to be interviewed about the incidents. One directed inewsource to a written statement.
Patient records are valuable to thieves because they allow them to use and create new credit cards, file false tax returns and even commit medical fraud. The breaches can occur in a variety of ways, from relatively sophisticated online infiltration to low-tech theft of an unwatched laptop computer.
Last year alone, 261 breaches of medical data that each affected at least 500 people occurred in the U.S., compromising the records of 113.2 million patients in total, according to records published by the U.S. Office for Civil Rights.
Not all of those breaches were large: The average incident in California affected about 138,400 patients. Take out a single loss that affected more than 4.5 million patients at the University of California Los Angeles Health and the average drops to slightly more than 6,000 victims per breach.
But many more breaches may actually be occurring. At least one expert says organizations don’t detect all the times their data has been compromised.
Another factor that could affect the hospitals’ and clinics’ level of vigilance is the state of enforcement. The Office for Civil Rights can impose penalties of up to $1.5 million for a breach, and California can impose fines of up to $25,000 per stolen record.
However, the civil-rights agency’s records indicate only 30 percent of breaches since 2010 resulted in a federal investigation. And California, which can investigate all breaches no matter how small, only issued 33 violations last year, according to state Department of Public Health records.
It can be hard to track down where victims of a breach live. Federal incident records simply indicate the home state for the company involved. For example, the notorious breach of insurance company Anthem affected almost 80 million patients throughout the country, but it’s reported as an incident in Indiana.
Locally, Rady Children’s Hospital in San Diego reported two breaches in 2014 affecting more than 20,400 victims. Rady representatives directed inewsource to the hospital’s website for a statement about the incidents. In it, the hospital called both incidents “human error.”
An early 2014 breach at Escondido-based Palomar Health affected about 5,500 patients. The public health care district declined to comment, citing “pending legal matters surrounding this breach.”
Tri-City Medical Center in Oceanside reported a breach affecting 500 individuals in August 2014. Officials declined to comment because, they said in an email, the incident happened “so long ago.” A spokesman for the California Department of Public Health couldn’t confirm that the state had looked at that specific event, but it did investigate an August 2014 incident and was “in the process of determining whether it will result in an assessment of an administrative penalty.”
Two other health care providers — Graybill Medical Group in Escondido and American Sleep Medicine in Kearny Mesa — each had a breach affecting about 1,800 patients. Neither responded to repeated calls for comment.
For health care providers — and the businesses that provide auxiliary services to them such as law firms, print shops and IT companies — even small breaches come with a significant cost.
Abner Weintraub is an owner and principal researcher for the consulting company ExpertHIPAA.com. He said surveys have placed the cost of a medical data breach at $100 to $250 per record compromised. A separate study from the Ponemon Institute and IBM placed the cost as high as $363 globally per record — more than twice as much as the average data-breach cost for all other industries.
“The costs for smaller clinics and professional organizations in health care obviously are not as high,” Weintraub said. “But in some cases the damage to reputation is more severe than financial fines or penalties or financial costs.”
According to Weintraub, the costs come from multiple steps providers have to take to respond to a breach. The organization has to inform patients and “minimize the damage.”
For many organizations, he said, that means providing a year or two of free monitoring of individuals’ credit accounts for unusual activity.
Responding to the damage
Consumers can take steps to protect their data if they believe it’s been compromised.
- Closely monitor credit accounts and consider putting a freeze on credit files.
- Beware of identity thieves filing false tax returns.
- Beware of scammers pretending to be the breached organization.
- Contact the affected organization directly.
Despite the high costs, 91 percent of health care organizations surveyed by Ponemon had at least one breach in the previous two years. Forty percent had more than five breaches during that time.
Weintraub said a possible reason hospitals and medical centers continue to be breached is that they don’t realize the value of the information they hold. While they no doubt realize that records are valuable to patients and important for good medical care, they don’t realize that “health records are cash to criminals.”
Ponemon found that criminal attacks are now the number one cause of medical breaches — going from one in five organizations reporting a criminal attack in 2010 to almost half last year. That has moved it just ahead of lost or stolen computers and employee errors.
According to Weintraub, a credit card with a magnetic stripe might sell for $1 or $2 on the online black market for stolen personal data. “Health records can sell for anywhere from $10 to $15 on the low end to $100 or $150 on the high end for each stolen health record,” he said.
Not only do most health care providers not treat their records like cash, sometimes they don’t even know if they’ve been robbed.
“Unfortunately, we feel that breaches are underreported,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center, a San Diego nonprofit. “Not because the organizations don’t have integrity, but because they still don’t have the best practices in place to even know that they’ve been compromised.”
Even with a lost or stolen computer, organizations may not realize patient information has been accessed without permission.
Velasquez and Weintraub emphasized that password-protecting a laptop isn’t nearly enough to keep it from being accessed. That’s especially true when, as Velasquez pointed out, one of the most common passwords is still “password.”