28th May 2013

Patient Data Breaches are Costly for Offending Institutions and Their Clients

Today I read an article about a data breach experienced by the Sonoma Valley Hospital in California. This one wasn’t caused, as many of them seem to be, by hackers getting out in front of the organization’s IT framework and finding a way into its firewall. In this case, an employee inadvertently uploaded the health records of 1,350 patients connected with the hospital to the public part of its website. The patient records included information such as names, insurance information, and medical procedures. It was apparently a simple mistake, but one that could be costly for lots of people.

Medical Data Breaches are Expensive

Data breaches can be very expensive for healthcare institutions that aren’t careful enough.

It’s not hard to understand why publicizing confidential medical records is such an egregious mistake. The potential fallout includes everything from public embarrassment of patients and strains on the provider-patient relationship to severe financial damage to the healthcare institution and patients from identity theft and subsequent healthcare-related fraud. Biometrics companies are now investing in sophisticated iris scanners to mitigate both access to patient records and the effects of healthcare-related identity fraud.

Data Breaches Costly to Offending Institutions

When major security breach incidents occur, the offending institution has typically been forced to pay financially for its mistake. A disabled firewall at one of the clinics operated by Idaho State, a breach which exposed 17,500 records, ended up costing the school more than $400,000. Stanford Hospitals was sued in 2010 for $20 million after a breach exposed the records of almost 20,000 of its patients.

What About The Patients?

When an organization discovers that it has allowed unauthorized access to medical records, it is required by law to notify those who might be affected. HIPAA (the Health Insurance Portability and Accountability Act) requires organizations that find themselves involved in a data breach to notify those whose records and trust have been violated. In the best case, those whose medical records have been accessed by unauthorized people will be contacted by the institution and told which particular data was accessed and how best to prevent significant loss from the situation. In the worst case, a patient whose data has been compromised finds out only after receiving a bill for a mysterious medical procedure or doctor visit. Either way, a data breach is inconvenient at the least, and most likely stressful, time consuming, and potentially damaging to credit, financial stability and peace of mind.

The only way to fully prevent personal data from being stolen is to never visit a doctor, hospital, or other caregiver who might be interested in your name, date of birth, and the reason you need help. This approach is pretty much impossible unless you have found a way to isolate yourself from society.

The next best thing is to monitor the activity reported for your personal records, including when patient records are pulled. Patients can sign up for a monitoring service that alerts them each time a piece of their information is accessed and automatically flags anything suspicious happening with their personal data.

As long as modern society continues to use electronic methods for keeping track of records, which appears to be the unwavering trend, there will always be susceptibility to data breaches. Besides investing in a credit monitoring service, the only practical thing you can do is hope that your own records don’t get exposed.