Stolen Healthcare Data on the Rise
Protecting Healthcare Data before There’s a Breach
In December 2015, the Louisiana Attorney General’s Medicaid Fraud Control Unit notified Louisiana Healthcare Connections (a Medicaid network) that it was investigating stolen PHI. It was revealed that back in March of that same year, someone who worked at a doctor’s office had used someone else’s information to get onto the Louisiana Healthcare Connections (LHCC) website and download a member list. This stolen list was then given to a provider who should not have had access.
The individual who stole the list was arrested on Wednesday, January 27, 2016. The charges laid involved scheming to defraud the state’s Medicaid program. Over 13,000 Medicaid patients had their information stolen in this situation.
This kind of theft is all too common. Security experts say cyber criminals are increasingly targeting the $3 trillion U.S. healthcare industry – parts of which have not updated their data security practices or rely on older equipment and technology. Between 2009 and 2015 there were over 1280 recorded data breaches – with data theft as a common culprit. Unsurprisingly, medical data is increasingly valuable. According to the World Privacy Forum, the street cost for stolen medical information is about $50, versus $1 for a stolen Social Security number. The average payout for a medical identity theft is $20,000, compared to $2,000 for a regular identity theft.
Healthcare organizations and their business partners need to do a better job of protecting PHI, and they should take action now. Encryption is a common way to secure data – but encryption only goes so far. In the LHCC case, encryption didn’t prevent the thief from using someone else’s password and gaining access to the 13,000 records. A responsible way to protect PHI is to use risk-based de-identification methods. Although these methods are used primarily when sharing health data for purposes other than directly serving the patient, they reduce the risk of re-identification to the lowest possible threshold. If your data were to be leaked or stolen, risk-based de-identification ensures your chance of being identified based on that data is as low as possible.