Hospitals, pharmacies and health insurance companies are among the hardest hit when it comes to hacker attacks, stolen laptops, spying employees and other information security mishaps.
Healthcare organizations are losing more than just names, addresses and Social Security numbers. When their data gets stolen, patients lose the privacy of their medical conditions, treatments and medications while at the same time falling prey to identity theft, medical billing fraud and other criminal schemes.
Theft of electronic medical records is on the rise, and the implications are getting more serious. In a 2008 survey of identity theft victims, the Identity Theft Resource Center found that 67% had been charged for medical services they never received and 11% were denied health or life insurance due to unexplained reasons.
This is why hospitals like Maimonides Medical Center in Brooklyn are beefing up information security through the use of outside audits and other measures. Walter Fahey, vice president and CIO of Maimonides, says he's never had a security breach and doesn't want one.
"You have to have these outside audits...to validate what your internal people are doing," Fahey says. "It's no different than having Ernst & Young come in and validate your financials. You need validation that you're doing everything you can to improve security and that your people aren't missing anything."
1. Hacked: Virginia Department of Health Professions
When: April 30, 2009
Patient records at risk: 8,257,378
What happened: More than 8 million personal pharmaceutical records were stolen from the state of Virginia's prescription drug database and held hostage by hackers, who demanded a $10 million ransom. The agency says as many as 531,400 patients had Social Security numbers listed in its Prescription Monitoring Program database, which includes prescriptions for painkillers that are often abused.
2. Robbed: Peninsula Orthopaedic Associates
When: March 25, 2009
Patient records at risk: 100,000
What happened: Three back-up tapes containing information about 100,000 patients were stolen from this Salisbury, Md., medical practice while en route to an off-site storage facility. The stolen data includes Social Security numbers, employer names and health insurance numbers, leaving the victims at risk for medical identity theft. Patients were warned of the incident via letter on April 6, 2009.
3. Hacked: Moores Cancer Center
When: July 16, 2009
Patient records at risk: 30,000
What happened: Moores Cancer Center at the University of California, San Diego, warned patients that a hacker had breached its computers and gained access to patients' personal information. The stolen data includes patient names, birth dates, diagnosis and treatment dates, but not Social Security numbers. The hospital said the incident occurred in late June.
4. Robbed: Moses Cone Memorial Hospital
When: March 9, 2009
Patient records at risk: 14,380
What happened: A stolen laptop is the reason this Greensboro, N.C., hospital lost data -- including Social Security numbers -- for 14,380 patients. The hospital is offering one year of identity theft insurance for the patients, who were treated by the cardiology and orthopedic departments. The laptop was stolen from the Canton, Ga., facility of VHA, one of the hospital's vendors. The hospital waited a month before announcing the incident.
5. Robbed: Johns Hopkins Hospital
When: April 3, 2009
Patient records at risk: 10,200
What happened: This Baltimore medical establishment warned 10,200 patients in April that their data was put at risk by a former employee, who worked in patient registration and has been linked to a scheme to create phony Virginia drivers' licenses. The employee had access to patient names, addresses, dates of birth, telephone numbers, Social Security numbers, parents' names and medical insurance information. Law enforcement officials have identified 30-plus victims.
6. Lax security: Walgreens
When: March 18, 2009
Patient records at risk: 28,000
What happened: Walgreens failed to encrypt an e-mail attachment containing the names, dates of birth, Social Security numbers and health insurance claim numbers for 28,000 Kentucky retirees that use the state's pharmacy benefits. The e-mail covered Medicare-eligible users of the state's retiree pharmacy benefit in 2007. Walgreens officials said the risk for identity theft was minimal.
7. Robbed: Marian Medical Center
When: April 22, 2009
Patient records at risk: 3,200
What happened: A BlackBerry containing information about 3,200 emergency room and urgent care patients at this Santa Maria, Calif., medical center was stolen. The BlackBerry contained an e-mail message attachment that included patients' Social Security numbers, dates of birth and medical histories. The hospital is paying for a credit monitoring service for the patients whose data was put at risk.
8. Lax security: Northeast Orthopaedics
When: Feb. 19, 2009
Patient records at risk: 1,000
What happened: An Indian outsourcing firm posted on its Web site the records of more than 1,000 patient visits to Northeast Orthopaedics, an Albany, N.Y., surgical practice. The records included patient names, birth dates, Social Security numbers and a description of medical conditions. The records were posted online by the Indian firm, which was hired by a North Carolina medical transcription service, MRecord, used by the practice.
9. Robbed: Kanawha-Charleston Health Department
When: Jan. 20, 2009
Patient records at risk: 1,000
What happened: All patients who received flu shots last fall from this Charleston, W.V., agency were warned in January that they were at risk for identity theft. A clinic employee was charged with stealing personal information about patients including their names, birth dates, Social Security numbers and addresses. The employee, a temporary billing clerk, allegedly used the information to obtain credit cards in the patients' names and make fraudulent purchases.
10. Lax security: Kaiser Permanente Bellflower Medical Center
When: January 2009
Patient records at risk: 5
What happened: Curiosity is the cause of the data breach at this California hospital, where Nadya Suleman delivered octuplets. The hospital found that 23 unauthorized employees had examined Octo-Mom's medical records. The hospital was fined $250,000 for this incident, and another $187,500 for a second incident involving four other patients.
This story, "Is Your Health Privacy at Risk?" was originally published by Network World.