The protected health information (PHI) of over 1.2 million individuals is in the hands of criminals because of two recent cyber attacks. On December 6, 2021 the Oregon Anesthesiology Group (OAG) reported a theft of healthcare data belonging to 750,000 individuals, and on December 10, Texas ENT Specialists (Texas ENT) reported a theft of data belonging to 535,489 individuals.
These are only two examples of recent healthcare data breaches – they are among the largest reported recently, but the list on the Office for Civil Rights (OCR) breach reporting portal includes thousands more individuals, just from November and December 2021.
Oregon Anesthesiology Group
OAG says it experienced a cyberattack on July 11, after which they were briefly locked out of their servers. OAG was able to restore its systems from off-site backups and gradually rebuilt its IT infrastructure from the ground up.
However, OAG also reported that on October 21, the FBI notified them that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files.
The data stolen included names, addresses, date(s) of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names, and insurance ID numbers.
Texas ENT Specialists
Texas ENT’s notice on its own website says that on October 19, 2021 they learned that files containing patient information had been accessed by unauthorized parties during a data security incident.
An investigation revealed that cyber thieves gained access to the computer systems and took copies of Texas ENT files between August 9, 2021 and August 15, 2021. The data stolen included patient names, dates of birth, medical record numbers, and procedure codes used for billing purposes. A limited number of social security numbers were also taken.
Lasting Damage of Medical Identity Theft
The OAG and Texas ENT attacks are examples of aggressive cyber attacks that cripple organizations by encrypting their data (making it inaccessible to the providers) and stealing the personal data for use in other criminal schemes.
Medical identity theft is especially dangerous because it takes longer to be detected than other forms of identity theft. The patients whose data was stolen face years of uncertainty over how their PHI might be used. The stolen data is used to used to commit health insurance fraud and obtain prescription drugs. Safety is also compromised when a thief uses another’s health insurance to get medical care and the thief’s medical information, like a different blood type, becomes part of a patient record. The recent Ponemon Institute study outlines potential patient safety risks caused by ransomware in healthcare.
Victimized organization statements commonly downplay the impact of the data theft by saying no actual or attempted misuse of the stolen information is known. But does anyone think criminals will fail to exploit this treasure trove to the fullest extent possible?
A person’s health information in the hands of criminals raises the serious threat of risks to patient safety and financial well-being. Patients do not grasp the potential harm – in fact, there have been so many massive breaches of personal data in the news that many individuals are numb to the reports and notifications when it happens to them. They need guidance.
Notice Should Include All Potential Harm
The HIPAA Breach Notification Rule requires that individuals be notified of steps they should take to protect themselves from potential harm resulting from the breach. The OAG and Texas ENT breach notifications, consistent with industry practice, focus on protection from financial harm. However, it would seem appropriate to suggest steps for protection from medical identity theft like requesting access to monitor the accuracy of patient medical records. So far, most breach notifications we have seen do not include these further steps. If medical records are compromised through fraudulent use the patients may not learn about it in time to prevent harm.