Stolen Healthcare Data on the Rise

Protecting Healthcare Data before There’s a Breach

In December 2015, the Louisiana Attorney General’s Medicaid Fraud Control Unit notified Louisiana Healthcare Connections (a Medicaid network) that it was investigating stolen PHI. It was revealed that back in March of that same year, someone who worked at a doctor’s office used someone else’s information to get onto the Louisiana Healthcare Connections (LHCC) website and download a member list. This stolen list was then given to a provider who should not have had access to it.

The individual who stole the list was arrested on Wednesday, January 27, 2016. The charges laid involved scheming to defraud the state’s Medicaid program. Over 13,000 Medicaid patients had their information stolen in this situation.

This kind of theft is all too common. Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry – parts of which have not updated their data security practices or rely on older equipment and technology. Between 2009 and 2015 there were over 1280 recorded data breaches – with data theft as a common culprit. Unsurprisingly, medical data is increasingly valuable. According to the World Privacy Forum, the street cost for stolen medical information is about $50, versus $1 for a stolen Social Security number. The average payout for a medical identity theft is $20,000, compared to $2,000 for a regular identity theft.

Healthcare organizations and their business partners need to do a better job of protecting PHI, and they should take action now. Encryption is a common way to secure data – but encryption only goes so far. In the LHCC case, encryption didn’t prevent the thief from using someone else’s password and gaining access to the 13,000 records. A responsible way to protect PHI is to use risk-based de-identification methods. While used primarily when sharing health data for uses beyond immediately serving the patient, risk-based de-identification reduces the risk of re-identification to the lowest possible threshold. If your data were to be leaked or stolen, risk-based de-identification ensures your chance of being identified based on that data is as low as possible.
