When choosing a medical provider, patients often want to know about the location of the hospital or clinic, the quality of the doctors and maybe what specialists are available on site. But increasingly there’s another question they need to ask: How well will my personal data be protected?
In this episode of the inewsource podcast we look at the theft of private patient records at hospitals throughout the country, including some right here in San Diego County where at least 30,000 patients have had their records compromised.
This podcast is still evolving and we want to know what you think. Comment on this post or email us and tell us what you like about the show, how we can make it better and what kinds of stories you’d like for us to cover.
In this episode reporter Leo Castaneda discusses medical data breaches with investigative assistant Megan Wood.
Leonardo Castaneda: Hey Megan, have you ever had something stolen?
Megan Wood: Yeah, I had my car broken into not that long ago.
Castaneda: How did you know you had something stolen?
Wood: You mean other than the broken glass and missing purse?
Castaneda: OK, well what if I told you there’s an industry that handles extremely valuable goods, goods that are often lost or stolen, and sometimes the victims don’t even know it. Here’s Eva Velasquez from the Identity Theft Resource Center.
Eva Velasquez: “Unfortunately, we feel that breaches are underreported. Not because the organizations don’t have integrity, but because they still don’t have the best practices in place to even know that they’ve been compromised.”
Castaneda: This is the inewsource podcast and today we’re talking about the health care industry.
Welcome to the inewsource podcast. inewsource is an nonprofit news organization that uses data and old-fashioned investigative journalism to dig deep on the issues affecting our community. The podcast expands on one of those recent investigative stories.
I’m Leo Castaneda and I’m joined today by Megan Wood.
Megan Wood: Hey there.
Castaneda: And Meg can you tell us a bit about what you do for inewsource?
Wood: Sure Leo. I’m an investigative assistant, as well as a multimedia producer, so I get to work on the visual aspects of stories.
Castaneda: So today we’re talking about the theft of protected medical records. Whether we’re talking about a huge hospital or a small community clinic, your personal data — things like your medical history, your treatments and medications, as well as your payment history and even your Social Security number, could be at risk.
Wood: Anyone handling private health information is required to report to the federal government all incidents where the medical records of at least 500 patients are compromised. Last year alone there were 261 reported breaches. That affected the records of more than 113 million patients.
Castaneda: 261 might seem like a lot, but like you said, that doesn’t take into account incidents just a couple hundred patients at a time. In fact, only big-name thefts tend to get a lot of attention in the media. If you’ve heard about data thefts at all you’ve probably heard of the hacking at Anthem that affected about 80 million patients.
But Meg, you looked at the breaches and found some San Diego health care providers that had incident in the last few years, right?
Wood: That’s right. There were five different providers with breaches that all together affected about 30,000 patients. Keep in mind there could be more victims of medical data theft locally. For example, we don’t know how many of those victims of the massive Anthem hacking live in San Diego County.
I tried to talk to the San Diego providers and none of them wanted to comment. Rady Children’s Hospital directed me to a statement on their website. Palomar Health in Escondido cited pending legal matters and the Tri-City Medical Center in Oceanside said the incident — a breach in late 2014 — happened too long ago to comment.
Two others, Graybill Medical Group in Escondido and American Sleep Medicine in Kearny Mesa, didn’t respond to my calls for comment.
Castaneda: Now, these breaches can be expensive. Really expensive. A study by the Ponemon Institute and IBM put the cost at about $360 per record stolen. That’s more than double the cost of a stolen record in the retail industry.
I talked to Abner Weintraub, he’s a principal researcher and an owner of the consulting company ExpertHIPAA.com. He says those costs come from what organizations have to do once they’ve had an incident.
For example, they might pay for credit monitoring for the victims. They might also need to go through their database with a fine-tooth comb to see what exactly was stolen and whether they might still be vulnerable.
If you do some back of the envelope math, a relatively small breach, maybe one affecting just 100 patients at a small clinic, would cost about $36,000. If you’re thinking that’s bad, but not that bad, think again. Here’s Weintraub:
Abner Weintraub: “The costs for smaller clinics and professional organizations in health care obviously are not as high but in some cases the damage to reputation is more severe than financial fines or penalties or financial costs.”
Wood: But the high costs aren’t really stopping the data breaches. In a survey last year, the Ponemon Institute found that nine out of 10 health care providers had at least one incident where patient records were compromised in the previous two years. And a lot of providers had more than just one incident, some more than five incidents, during that time.
Castaneda: A lot of these breaches are because of employee errors and lost or stolen computers. But last year Ponemon found that the number one cause for breaches were criminal acts. The number of health care providers affected by criminal attacks has more than doubled since 2010.
Weintraub thinks at least part of the problem is a missing metaphor. He says sure, hospitals and doctors know that the patient records are valuable. But they’re missing just how valuable. Hospitals, he says, think of themselves too much like libraries guarding books from shoplifters.
Wood: But for a data thief, these records are as good as cash. According to Weintraub a credit card with the magnetic strip can sell for one or two dollars on the black market.
Weintraub: “Health records can sell for anywhere from $10 to $15 on the low end, to $100 or $150 on the high end for each stolen health record.”
That makes medical records, which already might not be strongly protected, a tempting target for data thieves.
Weintraub: The important point is that organizations responsible for protecting health data think of themselves more like libraries and they have to keep the books there and they have to make sure no one walks off with a book in their pocket, or the hackers don’t come in and steal books, and they know they must be protected. But they need to start thinking of their collections of patient records as though they were banks, not libraries. And no one thinks a bank is out of line for putting armed guards at the door, or a heavy vault in place in a building, because they’re protecting cash.
Castaneda: Not only do most health care providers not treat their records like cash, sometimes they don’t even know if they’ve been robbed.
Velasquez: “Unfortunately, we feel that breaches are underreported. Not because the organizations don’t have integrity, but because they still don’t have the best practices in place to even know that they’ve been compromised.”
That’s Eva Velasquez, president and CEO of the San Diego-based nonprofit Identity Theft Resource Center. She told us that a lot of providers might think they don’t have to report a stolen computer with patient records because it was password protected.
Velasquez: Sometimes there’s this misconception that, well I’ve got the actual laptop password protected so they can’t break into that. That’s inaccurate.
Wood: We asked both of these experts what patients could do to protect themselves when their information has been compromised. They recommended steps like credit monitoring and even putting a freeze on your credit files.
Victims should also be wary of scammers that might hear about a breach and will contact victims pretending to be the breached organization. It’s always best to reach out to the affected company directly.
But Velasquez told us that one of the most important steps to take to protect yourself is to be wary of giving out information to health care providers who might ask for personal data they don’t actually need for the sake of convenience.
Velasquez: “All of this convenience, really it’s great, we’re all busy. It’s totally understandable that you want have these things go seamlessly, but once you’re a victim of identity theft, those extra protections seem like small potatoes compared to what you have to go through to clean up your good name.”
Castaneda: So, do actual patients think about their data security?
We wanted to find out, so we went to a couple of the hospitals in San Diego whose records were compromised to ask patients if they ever think about thefts of medical data:
Lauren Jurez: I know it happens I just hope it doesn’t happen here.
Jorge Solis: I don’t think there’s any people who would want to do that. I don’t find that as a problem.
Matthew Norris: I would hope that they would have it down pat, but I mean, it’s not really on my mind like that.
That was Lauren Juarez, she was at Palomar Health, Jorge Solis and Matthew Norris at Rady Children’s Hospital.
Wood: They told us that they don’t really think about someone hacking into their hospital and stealing their personal information.
Castaneda: Still, they realize these are important records in the hands of their doctors. Here’s Lauren again.
Juarez: That’s like my personal records, my daughter’s personal record.
We also asked them if they would change doctors if their personal records were compromised. We got some no’s, but at least one person, Jorge Soliz, said he would.
Solis: I probably would move hospitals or something like that.
That’s it for us today, I’m inewsource reporter Leo Castaneda
Wood: And I’m investigative assistant Megan Wood.
Castaneda: We also want to give a special thanks to David Wagner for our new theme song and credit music.
inewsource is a nonprofit investigative, data-driven news organization reporting on San Diego County. For more on this story and to support us go to inewsource.org. While you’re there sign up for our newsletter.
Wood: Tell us what you think about the show, email us at email@example.com or tweet at us, @inewsource.