Health and Science

As health data breaches increase, what do you have to lose?

A recent ransomware attack that forced a Los Angeles hospital to fork over $17,000 to criminals to get its computer system unlocked might be the most brazen health data crime of 2016 so far.

But the money paid in that case is small compared to what medical providers risk in fines for having faulty data security measures, and to the economic harm that can be wrought by criminals who exploit holes online and get access to personal information about patients.

And while the ransomware attack on Hollywood Presbyterian Medical Center raised eyebrows, it's still a rare method compared to other data breaches.

Brian A Jackson | Getty Images

Since 2016 began there have already been more than 30 publicly reported breaches of health data involving 500 or more people at medical providers around the country.

The total number of people whose health records were compromised to date exceeds 900,000, according to the U.S. Department of Health and Human Services' Office for Civil Rights, which tracks those breaches.

The actual number of breaches and patients affected is likely higher. Hospitals, doctors, insurers and other health industry entities are only required to report cases involving 500 people or more to federal authorities.

New pact to make electronic health records 'work better'

The tally for 2016 came on the heels of a year that saw an explosion in the number of cases involving online hacking of health data information. And an estimated 1 in 3 Americans had their health data records compromised in 2015, according to a report issued last month by Bitglass, which based its findings on analysis of federal records.

There also has been a sharp increase in the value of such data when it is sold by criminals to other criminals.

"There's definitely an uptick," said Mick Coady, a partner in the health information and security practice at PricewaterhouseCoopers.

Coady said that on the "dark Web" — the shadowy section of the Internet that criminals use to communicate and do business without being tracked by authorities — a single medical record tied to an individual can now sell for "up to $1,100."

"About two years ago, it was probably worth no more than $50," Coady said.

He noted that when patients go to see a doctor or visit a hospital for treatment they willingly — and often unthinkingly — turn over vital personal information that can be valuable for would-be identity thieves.

"You hand over your driver's license, your credit card for the copay and your insurance card," Coady said.

In addition to traditional identity theft, which can include filings for income tax refunds in someone else's name, online health data snoopers are increasingly interested in genomic information about patients that can be stolen from medical providers.

"There are people who are willing to pay an awful lot for that genomic profile ... of individuals," Coady said.

Patients are often oblivious to the risk of such personal information being stolen from their provider, or lost through carelessness.

"I think that the automatic assumption when you walk into your provider that the security is there," Coady said. "But I think in a lot of cases it's over-assumed."

President Barack Obama delivering the State of the Union address on January 12, 2016 in Washington.
Obamacare is main roadblock to cancer 'moonshot'

Stuart Gerson, a lawyer whose practice includes representing companies that have heath data breaches, said that data security is "definitely much better in the wake of HIPAA," the Health Insurance Portability and Accountability Act that became law in 1996, and since then has mandated protection standards for patient information.

"But I don't think you would give the industry more than a C-plus or B-minus, across the board," as a grade for its success in securing patient data, Gerson said, adding that that kind of report card on data security is common for other industries as well.

The Epstein Becker & Green attorney said that health company corporate boards "acknowledge their lack of training in the area, and it's a vulnerability that they want their management to address."

"Boards are increasingly focused on it, and among the reasons is that boards are being held increasingly responsible" by government agencies for lax data security, Gerson said.

"We know that the FTC [Federal Trade Commission], the OCR of HHS and other agencies are levying substantial monetary fines," Gerson said. "In egregious [cases] I think we can expect to see some individual liability and individual sanctions ... and that creates pressures on companies that are both privately and publicly held to make sure that they are doing this correctly."

"Everybody in the health-care sector [is] ... increasingly paying attention to cybersecurity and data processing."

Drug-spending spike puts more strain on government and you

Gerson said that while health hacking cases involving online penetration of databases receive public attention, the majority of data breaches are due to other causes.

Those include the thefts or loss of laptop computers and other electronic devices containing patient records, or cases of "social engineering," where criminals dupe employees into giving them information about patients over the phone.

"The majority of breaches have to do with human failure," Gerson said.

In addition to health companies, "consumers need to do a great deal in protecting their own data," particularly when interacting with health companies online, he said. That includes creating strong online passwords, and revising them frequently.

But, "there's only so much a consumer can do in protecting data that's in the hands of a third party," Gerson said. "Certainly, when someone else holds your data, you are in a sense at their mercy."

A man walks along the U.S.-Mexico border wall on February 22, 2015 in Tijuana, Mexico. Senior Republican senators said they expected Congress will avoid a shutdown over the Department of Homeland Security, which faces a partial shutdown on February 27 over a GOP push to roll back President Barack Obama's executive actions on immigration.
A big new Mexican health hotel for U.S. patients

That can be true for health-care providers as well.

In January, Henry Schein Practice Solutions, which is the leading provider of office management software for dental practices, agreed to pay $250,000 to settle charges from the Federal Trade Commission that it "falsely advertised the level of encryption it provided to protect patient data," according to the FTC.

The agency had alleged that Henry Schein had marketed a software product, Dentrix G5, "with deceptive claims that software provided industry-standard encryption of patient information," the FTC said.

"Strong encryption is critical for companies dealing with sensitive health information," said Jessica Rich, director of the FTC's Bureau of Consumer Protection, when the settlement was announced. "If a company promises strong encryption, it should deliver it."

In a statement to CNBC, Henry Schein spokesman Gerard Meuchner said the company admitted no wrongdoing in the case, and that it agreed to the settlement "to avoid long and costly litigation." He also said that "we had a disagreement with the FTC about how we used the word encrypted" in marketing from 2012 until early 2014, "but we want to assure our customers that our product works, and works well."

Mark Hollis, CEO of MacPractice, a medical management software company, said the Henry Schein case underscores a risk that health providers run in trusting the word of vendors that their software will adequately encrypt patient data, as is required under the law.

"A patient and a provider cannot assume, should not assume without evidence of some kind that patient data is being protected" by a piece of software, Hollis said.

In December, Alliance Health Networks in Utah notified more than 40,000 customers that a database containing information about them had been accessed from an outside party.

Brian Watkins, a spokesman for Alliance Health Networks, told CNBC that a "white-hat hacker" contacted the company, which specializes in health-focused social networks and a prescription drug program, and alerted it to the fact that he had accessed "a test database containing customer information [that] had inadvertently been left accessible via the Internet." No Social Security numbers, credit card numbers, or banking information was contained in the database.

The breach, the first in Alliance Health Networks' history, led the company to enhance its security measures, extensively audit all of its databases to prevent further such breaches and to hire an external forensic security company, according to Watkins. The breach prompted some customers "to have their names permanently removed from our database," he said.

Hollis of MacPractice noted that under the law currently, patient health data must be encrypted if it's being held in electronic form, whether that data is "at rest," such as on a computer hard drive or server, or "in motion," when it is being transmitted via email or by other means to another party.

Asked what the industry compliance rate is for that standard, he said, "No one knows."

Hollis said "my suggestion would be to patients is that they begin to ask that question, if their data is secure ... 'Before I give you my data, what are you doing to protect it?' It's not an unreasonable request."

"Patients don't understand they have to have that information, and they have a right to know that their doctor is protecting their data," he said.

Pharmacy manager prepares a prescription at a Walgreens store.
Clinics may not lower health insurance costs

Hollis also said that patients should not assume that they need to give their doctors or hospitals answers to all the questions on forms they are asked to fill out during visits.

"They're the ones that should decide whether they're going to give it," he said. And, "if a doctor gives you a form that says they're asking you to provide information to send an email that is not a secure email to another provider ... they don't have a right under HIPAA to do that, and that's a red flag that they don't have secure messaging in their office with other providers."

Hollis also said that despite industry awareness of the need for data security, that does not necessarily mean it will be sufficient to stem the number of data breaches, or the number of patient records that are compromised.

Referring to the estimate that 1 in 3 Americans have already had their health records compromised, Hollis said, "I would not say 1 out of 3 and shrinking, I would say 1 out of 3 and growing."