Are Your Health Records at Risk?

Wednesday, December 14, 2011

Christopher Burgess


In October I read a disturbing headline, "Patients put off treatment due to NHS data breaches," and was rendered slack-jawed.

The UK's National Health Service has, according to the UK's Information Commissioner's Office, suffered regular data breaches resulting in the loss or mishandling of millions of patient records in 2011.

Before we sigh in relief that it isn't the U.S. being discussed, know that the UK isn't alone in losing Personal Health Information (PHI): throughout the U.S., hospitals and care-givers are losing patient PHI far too regularly.

As I discussed in my piece, "Patient Data: The Crown Jewels," in the first half of 2011 more than five million (5,000,000) PHI records were lost or mishandled in the U.S., 100 percent of which were preventable. Meanwhile, we recently read in SC Magazine's Data Breach Blog how a Delaware pediatric health facility lost data on 1.6 million patients.

Then we learned of the astounding loss of approximately five million PHI records of Tricare patients, and we soon arrive at the very worrisome realization that the total is well beyond 11 million PHI records compromised thus far in 2011.

So should we be concerned when more than 3.5 percent of the entire U.S. population has had their PHI compromised? Yes.

A SailPoint Market Plus Survey conducted by Harris Interactive released in September 2011 is instructive and should serve as a barometer of sentiment to the medical profession:

  • 29 percent of Americans, 26 percent of Britons and 26 percent of Australians expressed concern their PHI may be exposed on the internet.
  • 35 percent of Americans, 33 percent of Britons and 37 percent of Australians expressed concern their PHI may be used for identity theft.
  • 10 percent of Americans, 14 percent of Britons and 11 percent of Australians expressed concern their PHI would be accessed by staff members not directly related to their medical care.

As the NHS survey in the UK indicates, patients will put off seeking treatment because they are concerned about the unintended consequences they may suffer if their PHI is compromised. This should never be the case.

Notified individuals are now on medical identity theft alert, and will be for the remainder of their lives. They will need to watch for the exploitation of their PHI and be mindful of the very real potential that, if their PHI is exploited and used, their medical records may become corrupted. Healthcare providers will have to take additional steps to ensure that the person they are treating is the person whose records are being referenced.

On the financial side of the equation, there is the breach notification cost, which will be borne by the party who lost your PHI. According to the Ponemon Institute, the ultimate cost for each compromised record has reached 214, while the overall average organizational cost in the U.S. is 7.2 million per incident.

Oftentimes the individual whose record has been compromised will be afforded credit monitoring services for 90 days. In my opinion, it should be for life, not 90 days. Why? Your personal identifying information (PII) contained within your PHI has a shelf-life equal to your physical life, not 90 days.

Have we now arrived at the point where, in choosing a health care provider, we must not only look into the medical practitioner's experience and confirm that they are compliant with HIPAA, but also review their data handling policies, both electronic and physical?

Welcome your thoughts and comments.

Cross-posted from Huffington Post
