Last April, the California Department of Developmental Services alerted thousands of state employees, contractors and parents that their protected health information (PHI) was compromised after vandals broke into the department's offices. Twelve computers were stolen, and CDs and paper documents holding PHI went missing.
The breach was just one of more than 500 health care data breaches last year, revealing how increasingly vulnerable sensitive health-related information is, even under the protection of HIPAA rules. In fact, more than 15 million patient records were affected by health care data breaches in 2018, according to the Protenus 2019 Breach Barometer. That's nearly triple the number of health care records affected in 2017.
What Is PHI?
PHI goes beyond your health records, such as medical history and lab reports. It also includes personally identifiable information (PII) such as birthdates, addresses, Social Security numbers, and insurance or other financial accounts. It is the information that health care offices use to identify you in order to design your unique medical treatment and determine what insurance benefits you qualify for.
HIPAA regulations are meant to ensure the privacy of your PHI, specifically who has access to it. Ideally, you should have more control over your PHI than you do over any other type of PII, in terms of who can and cannot access those records. But as statistics show, thieves are gaining access to your PHI more than ever before.
Why Criminals Steal PHI
Medical records are unique to individuals, so why would cyber-criminals want to steal this information? There are two main reasons:
- First, because of the PII included in these patient files, a health care data breach provides lots of information that's highly sought by identity thieves.
- Second, scammers use PHI to commit medical fraud. Thieves use your PHI to set up Medicare or Medicaid accounts or to commit other types of insurance fraud. Prescription fraud is a growing concern as well, especially in light of the opioid crisis. PHI criminals will sell your medical records for their financial gain or to support their own addictions.
The Risk to You
When your PHI is compromised and used in identity theft, the biggest risk is loss of access to your legitimate health care services. If you are the victim of prescription fraud, for example, someone else uses your refill allotment, leaving you unable to get the medications you need. The frequency of the prescription requests is filed into your medical records, which could affect your treatment. If your PHI is used for insurance fraud, you could be left with huge bills or even kicked off your insurance plan.
HIPAA, which is designed to protect your privacy, could end up making it more difficult to get help after PHI theft. Health care professionals are required to protect the confidentiality of the patient, and if they don't have proof of identity theft, they are at risk of violating compliance laws.
Your health care providers, insurance agencies and employers are on the front line of protecting your PHI from data breaches and theft, but there are steps you can take to protect your information:
- Limit what you post about your medical conditions on social media. What you reveal yourself isn't protected by HIPAA.
- Encrypt any PHI you store on your personal devices.
- If you access your records online, always use multi-factor authentication if offered.
- Be vigilant about how your medical professionals handle your records.
- If you are contacted about a potential compromise of your records, take advantage of credit monitoring and any advice or services offered by the breached organization.
Taking these steps can't guarantee you'll avoid a health care data breach—but it could limit the damage in the event one occurs.