What are the Consequences of a Medical Record Breach


Medical records provide the health information providers need to deliver accurate and effective patient care. As technology progressed, so did the management of sensitive health information. In years past, medical records were completed and stored on paper; the digital age changed that entirely.

Over time, electronic health records, and with them electronic Protected Health Information (ePHI), emerged as the standard way to manage patient records. Academic medical centers were the first to establish successful electronic health record systems, and it took nearly 30 years for a near-complete shift in practice. The pivot toward electronic medical records was a necessary change; however, it brought with it a slew of security issues.

Medical record breaches have been a constant issue for covered entities and business associates alike. As the technology opened new doors, new security issues emerged with it.

What Is a Medical Record Breach?

Breaches in medical records can refer to a wide range of security issues that endanger a patient’s confidentiality and trust in an organization. At its core, a data breach occurs any time information is accessed without authorization, which can happen in myriad ways.

The biggest threat to medical records is hacking: 2019 saw the number of breaches more than double from the previous year, with hacking as the prime suspect. You may be wondering why cybercrimes such as hacking are such a widespread problem, and it really comes down to money. Hackers can profit from sensitive information by stealing identities and even selling patient data on the dark web.

Data is power in the modern world — and access to sensitive data can be an extremely profitable enterprise.


How Does a Breach Happen?

Research suggests that more than half of the 2019 medical record breaches were due to hacks. There are a number of ways in which a deliberate breach can occur.

  • Phishing refers to a type of cyber attack where an email, phone call, or text message is weaponized as a way to lure an individual by posing as a legitimate institution. Phishing attempts to gain trust and trick an individual into offering up sensitive data such as bank information, passwords, and even Social Security Numbers.
  • Malware or ransomware is another popular type of cyber attack. It works like a trap: spam or targeted emails use social engineering to trick individuals into clicking links or opening attachments that infect their device. These attacks prevent people from accessing their files or data, and victims are extorted into paying to regain access.
  • Data theft can refer to a wide range of ways in which an individual may steal sensitive data. Whether it results from a lack of encryption, password cracking, careless privacy practices, or even theft of the device itself, data theft can leave organizations vulnerable to lawsuits and serious breach issues.

Now, these aren’t the only ways that hackers may try to gain access to sensitive patient information, but they are some of the most common ways that data breaches have occurred over the last few years. Because a medical record can often include far more than just medical information, the sensitive nature of the data cannot be overstated. Proper security measures, encryption practices, and overall diligence toward HIPAA compliance standards can help keep everyone safe.

Why Are Data Breaches so Costly?

While covered entities and business associates have an obligation to their patients to maintain security measures that prevent data breaches, they also need to contain their costs. The consequences of a data breach can be extremely expensive.

According to recent reports, data breaches in the healthcare industry carry an average $6.5M price tag, which is over two million dollars more than in other industries. Data breaches often affect a large population of patients; to put that into perspective, that’s over $400 per patient record.

According to Wendi Whitmore, a Global Leader for IBM’s X-Force Incident Response and Intelligence services, over 11.7 billion records have been stolen or lost in the past three years. That astounding number is only a small indicator of the problem, as medical record breaches continue to cost the medical field enormous sums.

Three of the Largest Medical Record Breaches Last Year

2019 saw one of the largest upswings in data breaches. The year was plagued with some absolutely enormous breaches that left healthcare providers scrambling.

Let’s take a look at three of the largest breaches that occurred in the healthcare field last year.

American Medical Collection Agency (AMCA)

The American Medical Collection Agency (AMCA), a massive billing services vendor, was hacked for roughly eight months. After the breach came to light, a number of covered entities reported that their patient data had been compromised, including medical information, personal and financial data, and Social Security Numbers.

The breach caused AMCA’s parent company to file for bankruptcy, and the billing services vendor now faces multiple lawsuits and investigations.

More than 26 million patients were affected by the hack.

Dominion National

Some breaches can take years to uncover. This was the case with Dominion National, which, after an internal alert, discovered that a nine-year breach had affected nearly 2.96 million patients. The hack slipped through the cracks and was not detected until April of last year.

Enrollment, plan producer and health provider data, demographic information, along with dental and vision benefits, were all compromised.

Inmediata Health Group

While data breaches are an unfortunate and extremely costly problem, the way they are handled can say a lot about a healthcare company. Inmediata is a prime example of what not to do. The breach was uncovered in January, but patients weren’t notified until April. The provider even mailed patients the wrong letters during the notification process by mistake.

The breach largely came as a result of negligence and left patients’ demographic information, personal information, and medical claims data exposed. Over 1.5 million consumers were affected by the breach.

What Are the Penalties of a Medical Record Breach?

As you’ve seen, a medical record breach is an expensive problem to have. HIPAA doles out four tiers of penalties depending on the severity of the covered entity’s failure to protect health information and how it responded.

First Tier

Penalties can range from $100-$50,000 per incident (up to $1.5M). First tier penalties are given when a covered entity did not know, and could not reasonably have known, about a breach.

Second Tier

These penalties can range from $1,000-$50,000 (up to $1.5M) per incident. In this tier, the covered entity knew, or with proper diligence should have known, about the breach, yet the failure is still not considered willful neglect.

Third Tier

Ranging from $10,000-$50,000 (up to $1.5M) per incident, these penalties are given when a covered entity acted with willful neglect but corrected the breach within 30 days.

Fourth Tier

These penalties are at least $50,000 per incident (up to $1.5M) and apply to willful neglect where no proper correction was made in a timely fashion.

A Final Word

Medical record retrieval is an important process for many business associates working closely with providers and covered entities. These can include law offices or insurance companies that need access to clients’ medical information for cases and claims, and they too must adhere to strict HIPAA guidelines.

Breaches can affect more than just providers, and it’s important that businesses working closely with sensitive data understand the cost of negligence.