Health care cyber security lags behind other industries, experts said, leaving patients vulnerable to data breaches and without much recourse when their private information is exposed.
One security expert estimates that one in three Americans had their personal health information exposed in 2015, a year that saw four of the five largest health network breaches in history.
The largest health care privacy breach in Ohio occurred in Springfield late last year when a contractor working for Community Mercy Health Partners inadvertently disposed of more than 113,000 medical records in a public recycling bin.
A 2009 law was supposed to strengthen government oversight of health care providers, but at least one of its key provisions hasn’t been implemented and the U.S. Department of Health and Human Services’ Office of Civil Rights was called out by its Inspector General last year for not being proactive enough.
Since then, health care providers have reported more than 1,400 large breaches that involved more than 500 individuals, affecting more than 155 million people. The office has also investigated more than 125,000 smaller breaches and complaints.
Fines — the federal government’s most severe enforcement tool — have been assessed just 31 times. In the vast majority of cases, the government provided assistance to the entity to voluntarily correct or improve privacy procedures.
“What’s the state of enforcement? It’s pretty weak,” said Gary Pritts, founder and president of the health technology firm Eagle Consulting Partners in Cleveland.
Largest breach in Ohio
The November incident in Springfield was the largest in the state since tracking began in 2009, according to federal data.
It was also the third-largest improper disposal case in the nation and the fifth-largest involving paper records.
The number of individuals affected by the breach is much lower, Community Mercy said, because in many cases multiple records belonged to the same person. Spokesman Dave Lamb couldn’t provide an estimate of how many patients were affected.
It was the second breach CMHP reported in 2015.
In April the Springfield hospital alerted patients to a data breach involving invoices for about 2,000 people inadvertently sent to six individuals.
There’s no indication the information exposed during either breach was exploited, CMHP has said.
Letters were sent to all affected individuals with one year of free credit monitoring offered to those whose records contained Social Security Numbers or other sensitive information.
“We certainly did not intend for either incident to occur … But we have done everything that we can to mitigate the harm and ensure that we’ve got stronger processes in place to prevent this type of violation,” said Deborah Reif, Community Mercy corporate responsibility and privacy officer.
CMHP has increased education for employees and improved signage regarding proper disposal of documents. The hospital also no longer contracts with the individual responsible for the latest breach.
A lot of the paperwork involved was already scanned into its computer system, Reif said, a process intended to cut down on the amount of paper the hospital stores.
“Unfortunately the leaders that were responsible for retaining those documents did not understand that once they were electronically available, they no longer had to be retained in paper form,” she said.
The hospital system has re-educated its employees on scanning documents then properly destroying the physical copies after 90 days.
Large breaches on the rise
Both of the Community Mercy breaches last year involved human errors, but increasingly the war on health care data is waged in cyberspace.
Four of the five largest breaches occurred in 2015 and were the result of someone hacking a network server. That included the largest — a massive attack on Anthem that affected about 78.8 million people nationwide and about 5 million consumers in Ohio.
Hacking was behind a record 57 large breaches last year.
CMHP, which is part of the massive Mercy chain that’s the eighth largest employer in Ohio, invests heavily in state-of-the-art cyber security systems, Reif said.
“There are constant attempts on every health care organization. Every one in the industry gets hit multiple times a day and those attempts are all thwarted because of our technology and because of our vigilance,” she said.
But smaller companies can’t always afford the latest and best network security, according to Pritts. His consulting firm has helped more than 1,000 organizations improve network security and comply with the Health Insurance Portability and Accountability Act.
It can be a tough sell because no matter how much money is spent, no one can 100 percent guarantee they won’t be hacked, he said.
“There are enormous computer insecurities across the health system,” Pritts said. “In general the organizations … they do not spend the money to tighten up the systems.”
Smaller breaches hard to track
Nearly 99 percent of HIPAA complaints filed involve not large breaches but much smaller incidents, usually human error. Those complaints are increasing each year as well.
The government doesn’t make a database of smaller breaches available to the public, but Propublica.org has compiled a database of complaints through records requests. The Springfield News-Sun has requested but not yet received complaints in Ohio for the past five years.
At least two additional complaints have been made against Springfield Regional Medical Center, one in 2012 and one in 2014, according to Propublica’s data.
The 2012 incident involved a fax error, Reif said, and the hospital took corrective action before the federal government contacted it. The 2014 complaint was found to be unsubstantiated, she said.
Springfield Manor Nursing Home had three HIPAA compliance complaints in 2012. No details of the complaints are available in Propublica’s database and the nursing home didn’t return calls for comment.
VA medical centers have their own complaint system in addition to reporting through the Office of Civil Rights. Propublica’s database shows 30 complaints at the Dayton VA Medical Center, many involving records mailed to the wrong person.
In most of those cases the VA notified the affected individual with a letter, and in 11 cases offered credit monitoring. Three were found to be unsubstantiated.
“Our veterans place in us a sacred trust to protect them and their privacy. As many of us are veterans ourselves, we do not take violations of that trust lightly,” Dayton VA Public Affairs Officer Ted Froats said. “In the rare cases where such an incident occurs, we notify the veteran immediately and put safeguards in place to minimize the possibility of it happening again.”
In September, the HHS Inspector General issued a report that criticized OCR for not being proactive enough in preventing privacy breaches.
“OCR oversees covered entities’ compliance with the privacy standards primarily by responding to complaints, tips or media reports of possible noncompliance,” the report says.
It noted that the agency hadn’t fully implemented a required audit program that could identify problems before breaches.
“Banking, the computer security requirements are such that there’s a mandatory audit that needs to be done and submitted. There is no such requirement in the health care space,” Pritts said.
The report also recommended the federal agency improve its documentation of corrective action, continue to improve education efforts and develop a system for employees to track an organization’s history of complaints.
The Health Information Technology for Economic and Clinical Health Act went into effect in 2010 and mandated that OCR create an audit program within one year.
The agency conducted its first pilot in 2012, auditing about 115 companies.
In its response to the September report, OCR said a permanent audit program was in the works for 2016 and noted a lack of resources to implement all the new requirements under the law.
“It’s been a long-stalled effort,” Pritts said.
OCR representatives didn’t respond to questions, including about the status of the audits.
Pritts finds issues all the time when he evaluates clients for HIPAA compliance and believes the government would, too, if it looked.
“If there was some more enforcement, certainly things would improve,” he said. “It does not seem that this is one of the government’s priorities.”
The audit program could pay for itself, Pritts said, if health organizations were fined for noncompliance.
Many in the industry point out that big data and health care have only been synonymous for about the past five years, meaning the systems and enforcement are still growing and maturing.
“Having a wealth of cyber data is recent for health care,” said Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance.
Hospitals haven’t been out front in terms of innovating to protect against fraud like banks were several decades ago, experts said, but it’s a much more complex industry.
In most cases, especially those involving hacking, organizations don’t have a willful disregard of the law, Reif said.
OCR looks to see that all efforts have been made to follow procedures and correct errors, she said.
“That those risks have all been mitigated to the extent possible, they are generally satisfied with that,” Reif said.
Little recourse for patients
Some patients affected by local breaches said they were left with more questions than answers.
“A letter’s not going to save my kids from identity theft,” Lisa Cornelison said.
She received notification from CMHP that information was exposed on the medical records of her and her three children. She’s most worried about her young adult daughter, who’s working hard to build good credit.
“I don’t know how easy it would be for someone to access our (insurance information),” Cornelison said.
Kelly Miller, of Springfield, said a notification letter wasn’t good enough. She wants to see the exposed records.
“This is 100 percent unacceptable,” she said. “Have the courtesy of getting us our records back.”
Community Mercy has provided a copy of the documents to every patient who has requested it, the hospital said. Affected patients can request a copy by calling 877-810-8083. The toll-free number will remain in effect until April 24.
Miller is one of several local people who told the News-Sun they have contacted lawyers about recourse options. But those options are limited, Springfield attorney Dan Harkins said.
The largest settlement agreement reached by the federal government in a HIPAA violation case came in 2014 when New York Presbyterian Hospital and Columbia University agreed to pay a combined $4.8 million after failing to secure a network server, exposing medical records for 6,800 individuals on the Internet.
The patients themselves didn’t get that money. When the Office of Civil Rights imposes a civil monetary penalty, the government collects it.
Individuals who believe they have been wronged under HIPAA don’t have the ability to sue under that federal law or the HITECH Act, Harkins said.
Some states have allowed cases under separate state statutes, such as negligence, but even then the burden of proof is high.
“In order to collect you’d have to prove a causal link to actual damages,” Harkins said.
Protecting your information
Medical identity fraud can be particularly harmful, Patterson said.
Patients can find that someone who accessed their insurance information has maxed out their coverage limits for the year. A victim’s medical information can become co-mingled with the thief’s as well, such as wrong blood types or allergies listed.
“Over 20 percent of medical identity theft victims experience some form of negative health outcome,” Patterson said.
While individuals can’t do much to control someone hacking into their insurance company’s network, experts say there are ways to help protect yourself.
- Don’t put your Social Security Number on medical forms. Security experts advise hospitals and doctor’s offices not to ask for this information anymore. And just because there is a space for a Social Security Number on a form doesn’t mean you have to fill it in.
- Carefully review all Explanation of Benefits and bills from health care providers. Immediately report any incorrect items or charges.
- Periodically check with physicians to ensure the accuracy of medical records. Look for incorrect details like inaccurate blood type or allergies, which may belong to an identity thief.
- Protect your medical information like your bank account. Avoid over-sharing on social media, don’t give out medical information over the phone or email and shred old documents at home.
- If you wear a personal health device or use mobile apps to track your health and fitness, know how that company stores and protects your personal data. Most of those companies aren’t regulated like a health plan or doctor.