Over half a million patients’ protected health information (PHI) was compromised in a cyber attack at Utah Imaging Associates (UAI) in late August. This makes it the nineteenth largest health data breach reported to the Office for Civil Rights (OCR) so far in 2021.
According to the health breach notification posted on its website, UAI discovered the security incident on September 4, 2021 and began investigating immediately. However, the initial intrusion occurred on August 29, giving the attackers roughly a week inside UAI's network to explore it and potentially steal data before they were detected.
The protected health information potentially exposed includes UAI patients’ first and last names, mailing address, date of birth, Social Security number, health insurance policy number, and medical information – including but not limited to, medical treatment, diagnosis and prescription information.
Patient Safety is Potentially Compromised
Health care providers should be following HIPAA to ensure they do everything they can to protect patient privacy. A health data breach is expensive and time consuming for the provider. But for patients, who have no control over their provider’s privacy practices, the damage can be deep and long-lasting, creating financial problems and risks to their safety.
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals of the steps they should take to protect themselves from potential harm resulting from the breach. In practice, covered entities focus on financial harm and give no warning or guidance about checking the accuracy of medical records, and UAI's notification was no different. Most health breach notifications only advise individuals to monitor their bills and credit reports and provide contact information for the three credit reporting agencies. But the Breach Notification Rule does not define or limit the advice that covered entities should give individuals to protect themselves from potential harm. When medical records are altered, the potential harm is to health, not just to finances.
Stolen medical identity is used to commit health insurance fraud and obtain prescription drugs. Patient safety is compromised when someone uses another’s health insurance to get medical care and the thief’s medical information, like a different blood type, becomes part of a patient record. Transfusion of the wrong blood type can be life-threatening.
Arguably, the Breach Notification Rule requires covered entities to inform individuals of how to protect themselves from reasonably foreseeable potential medical harm resulting from medical identity theft when appropriate. This would include recommending that patients review and validate information in their medical records, in case an impostor used their medical identity for insurance or Medicare fraud.
UAI provided a statement to the Information Security Media Group indicating that it is revamping its IT department in the wake of the incident "to better meet the needs of today's evolving cybersecurity landscape." It did not provide details on what changes are in store. A HIPAA Risk Analysis, including a security risk assessment and ongoing risk management, should follow.
The fallout from this major breach will affect UAI's patients for years to come. Watching their bills and credit reports is only part of what they need to do. For their own safety, they should monitor the accuracy of their medical records too.