Devastating breaches are preventable. So why does healthcare identity theft keep happening?
Healthcare identity theft is a national crisis. It’s a profitable business for the crooks, and an easy one when defenses are weak.
But healthcare identity theft is preventable.
The latest shocker was announced last week. Twenty million patients’ data was exposed by Quest and LabCorp and their medical billing vendor, American Medical Collection Agency (AMCA). This breach joins Anthem* (2016) and Premera Blue Cross (2014) as among the largest in HIPAA history.
Dollar costs are huge when lawyers bring class action lawsuits.
- Anthem: $115 million class action settlement and $17 million to OCR. Patients affected: 79 million in 2016
- Premera: $74 million (proposed) class action settlement. Patients affected: 11 million in 2014
- Quest/LabCorp/AMCA: $millions – final amount to be determined. Patients affected: 20 million in 2019
Premera Blue Cross Asleep at the Privacy Wheel
Patients across Alaska, Washington and Oregon trusted their information was secure with Premera Blue Cross. That trust was broken when a preventable, sustained cyberattack continued for almost a year.
The class action lawsuit claimed that Premera broke its patient contracts and was negligent when it allowed cyberattackers to steal the protected health information of 10.6 million people, including names, dates of birth, social security numbers and clinical data.
Look at what the settlement requires – not just money, but changes in their business practices. All of these are just elements of good HIPAA compliance.
The HIPAA E-Tool® shows you how to do all of them – you can prevent the next devastating breach – and the cost is a drop in the bucket.
- Stronger Passwords
- Enhanced Email Protections
- Strict Access Controls
- Reduced Employee Access to Sensitive Data
- Moving Certain Data into Archived Databases
- Annual Security Audits
Billing Company Hacked (at labs used by pretty much everybody)
The most recent headline is Quest and LabCorp, both healthcare providers, using American Medical Collection Agency (AMCA), a business associate, for billing. Quest and LabCorp are giants in diagnostic testing and dominate the market. AMCA dropped the ball and allowed hackers free access to its system, where they gathered information for eight months.
This Quest/LabCorp news may only be the tip of the iceberg, since AMCA collects bills for many health care providers nationwide. We’ll learn more as the investigations develop.
Following the Quest and LabCorp announcements in early June, the Michigan Attorney General launched an inquiry. Then the Senate noticed and began asking questions. The Office for Civil Rights (OCR) may be next. See the letter to LabCorp from Senators Cory Booker and Bob Menendez. They call out LabCorp’s prior HIPAA security problems in a series of eleven tough questions – due date for answers is June 14, 2019.
These are challenging and very public investigations, but what may be worse are class action lawsuits for negligence. As of today, more than a dozen class actions have been filed in several federal courts.** That’s big money.
Let’s Imagine a Different Scenario
The HIPAA E-Tool® would have required Quest and LabCorp to make sure:
- AMCA followed HIPAA rules and a signed business associate agreement had been secured.
- Risk Analysis-Risk Management would have been ongoing.
- Access controls for employees and vendors would have been in place.
- The Senators’ eleven questions would have better answers.
There is a real solution. It’s easy, if you know the rules.
The ultimate outcome for Quest/LabCorp/AMCA is unknown. What we know is that millions of patients’ privacy has been compromised again. They may experience identity theft and harm to their credit reports.
- Healthcare identity theft doesn’t need to happen
- Strong HIPAA compliance is a blueprint for cybersecurity protection
- Prevent the next devastating breach with The HIPAA E-Tool®
*Read more about the Anthem breach.
**The latest on the AMCA class actions.