We know that data breaches occur regularly. Haven’t we all scrambled to secure an account after news of a breach at one of our online haunts appeared in news headlines?
Unfortunately, massive data breaches at well-known companies represent just a tiny portion of the problem. We never hear about the vast majority of smaller data breaches that occur daily at businesses with lower profiles.
It’s not always a hacker!
Privacy breaches occur in different ways for various reasons and sometimes happen due to a chain of unforeseen events that ultimately causes a disaster. While cybercriminals use targeted attacks to hack into information systems, the accidental loss or exposure of sensitive information via non-criminal means is also regarded as a data breach. Such incidents may, in fact, cause more harm than big, well-publicized hacks. A few pre-2009 examples of (possibly) accidental breaches:
- Employee lost a laptop on public transportation: AvMed Health Plans, 1.22 million patient records.
- Loss of unencrypted thumb drive: Blue Cross Blue Shield, 1.02 million records.
- Loss of data backup tapes: the Nemours Foundation, which runs children’s hospitals, 1.05 million records.
- Lost hard drives: Health Net, 1.9 million records.
- Lost backup tapes: the DOD health care program Tricare, 4.9 million records of military personnel, retirees, and their dependents.
A long, extremely messy history of major medical care data breaches
And then 2019 became the worst year ever for data security at health care providers:
- LifeLabs: 15 million
- Inmediata Health Group: 1.5 million
- UW Medicine: Around 1 million
- LabCorp: 7.7 million records, part of the AMCA breach (full extent unknown, but at least 11.9 million) that also hit Quest Diagnostics (11.9 million records) and Clinical Pathology Laboratories (CPL) (2.2 million records)
- LabCorp again: at least 10,000 documents including lab test results and diagnostic data of oncology patients.
An eye-popping non-exhaustive list of smaller 2019 healthcare data breaches:
The 2019 HIPAA Healthcare data breach report makes for alarming reading. To mention just a few that may be close to home:
- Rutland Regional Medical Center: 72,000
- Zoll Medical: 277,319
- Milestone Family Medicine: 32,178
- Verity Health Systems: 14,894
- Baystate Health: 12,000
- Prisma Health: 23,811
- Steps to Recovery: 145,000
- EmCare: 60,000
- Opko Health: 422,600
- Dominion National: 95,000
- Los Angeles County Department of Health Services: 14,600
- Presbyterian Healthcare Services: 183,000
- Providence Health Plan: 122,000
- Methodist Hospitals of Indiana: 68,000
- Kalispell Regional Healthcare: 130,000
- Critical Care, Pulmonary & Sleep Associates (CCPSA): 23,000
- Alaska Department of Health & Social Services (DHSS): 100,000
- Catawba Valley Medical Center: 20,000
- Advent Health: 42,000
- UConn Health: 326,000
- EyeSouth Partners: 24,000
- Rush University Medical Center: 45,000
- Health Alliance Plan: 120,000
- Pasquotank-Camden Emergency Medical Services: 20,420
- Spectrum Health Lakeland: 60,000
Why are there such astonishing numbers of data breaches in the health sector?
Medical records are not all that valuable per se. The reason why bad actors focus on health and medical records is that the medical sector has an awful track record of poor security.
Of course, patient names, credit card numbers, Social Security numbers, and information about patients’ financial standing provide an immediate payday for the perpetrator. Around 30% of data breach victims have reported that scammers were able to open new credit card accounts and even obtain valid driver’s licenses using the stolen information.
Other benefits to be had from stealing medical information
- Information on medical conditions enables scammers to impersonate representatives of medical insurance companies.
- Scammers can use your protected health information (PHI) to shape phishing and social engineering campaigns. The current COVID-19 crisis offers new opportunities for phishing attacks and scams.
- Scammers can obtain prescription drugs.
- Scammers can file fraudulent insurance claims.
- There has also been an increase in patient impersonation scams, where uninsured patients obtain medical care using fraudulent medical insurance particulars.
- Health Savings Accounts (HSAs) that are linked to specialized debit cards can be used for regular purchases.
We should be worried about an epidemic of small, non-publicized data breaches
The massive numbers of smaller data breaches in the health sector point to a much greater problem across all businesses and all sectors of the economy. We’ll never know how many other companies suffer data losses from accidents, or from thefts in which the data itself was never the target.
Thieves don’t usually cruise the streets looking for data to steal. They just want to nab the computer. Crime figures show that thieves get away with hard drives, tablets, mobile phones, and laptops, and will automatically snatch electronic equipment first.
Data theft, albeit on such a small scale and accidental to boot, can still lead to compromised credit card details, scams, and identity theft.
Do we have any defense?
Despite data breaches becoming regular occurrences, many businesses still fail to understand that their organizations might be a target for hacking or data theft. Management is often ignorant of the need for security technology, or has simply never had to deal with accountability issues concerning their clients’ right to privacy. Business owners and management should take note of these threats before an incident hits them where it hurts.
Ask your health care provider about their privacy and data security policies, and find out more about their general security practices. They have a solemn duty to protect your privacy and should be willing and able to address your concerns. Thanks to increased penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), larger medical concerns have started paying attention.
Regularly conduct a full Nuwber social and public profile audit to establish your general risk level, and to spot inconsistencies that may indicate activities by bad actors using your personal information. Nuwber’s complete personal profiles are based on information from all over the internet, and could potentially pick up unusual activities that you would not consider looking for. Hackers usually sell stolen credit card details and Social Security numbers fast, but other data may take years to make its way to market.
Above all, we should understand that information has become an immensely valuable commodity, and that we should fight for our right to own it.