You might think that the theft of children’s personal information is not a big deal. After all, they typically have little or no assets in their names, no credit cards and no bank accounts.
In fact, the theft of minors’ protected health information (PHI) is a disaster with long-term, potentially devastating consequences for the whole family. It damages the children because their identity can be supplanted before they’re old enough to apply for a loan. It damages the family because with every child’s medical record comes information about their parents or personal representative, e.g., health insurance information, name, address, email and phone.
Pediatric PHI is High Value for Cyber Criminals
Criminal cyber thieves value minors’ PHI much more highly than adults’. It’s a fresh opportunity, with no history. It can provide an entire identity to supplant the person who hasn’t used it yet. When the child reaches adulthood and applies for a credit card or mortgage, they’re blocked because their identity was stolen years earlier.
Business Associate Holding Pediatric PHI is Hacked
As we’ve noted before, a healthcare data breach at a business associate will reach many more patients than one at a single covered entity because the business associate usually serves multiple customers.
In the case of Connexin Software, a company that offers pediatric health IT solutions and operates under the name Office Practicum, more than 2.2 million individuals from 120 pediatric physician practices were affected.
Connexin provides electronic medical records and practice management software, as well as billing services and business analytic tools. In late August, Connexin said it detected a “data anomaly” on its internal network. The investigation revealed that an unauthorized party was able to access an offline set of patient data used for troubleshooting and data conversion and later remove some of that data.
The data exposed potentially included demographic information, Social Security numbers, treatment information, billing and claims information, and health insurance information. Connexin also noted “Information of a parent, guardian, or guarantor may also have been impacted by the incident.”
How Much is Enough to Mitigate the Damage?
Connexin’s notice contains the usual offer seen in healthcare data breach cases – one year of identity monitoring services. We question whether this is enough, since the damage is ongoing, long-term, and will affect the patients years in the future. In addition to identity monitoring, all PHI breach notices should also advise patients to monitor their explanations of benefits (EOBs) to see whether their medical identity is being used.
Connexin also said it has now hardened its systems to prevent future cyber incidents.
Investigations and (Potentially) Lawsuits are Likely
The Office for Civil Rights (OCR) investigates all breaches affecting 500 or more individuals. This breach was reported to OCR on November 11, 2022 and is already under investigation (the number of patients reported to OCR was 2,216,365).
Lawsuits are increasingly common today with breaches of this size. Patients don’t have the right to sue under HIPAA, but claims can be made alleging negligence, breach of contract and violations of state privacy and consumer protection laws. Already several plaintiffs’ law firms are advertising to find patients affected by the Connexin breach who may want to join a class action lawsuit.
HIPAA Compliance Saves Money and Time
Follow HIPAA to ensure you’re doing everything possible to maintain the security and privacy of patient information in your care. If you are a covered entity, do your due diligence with all third-party vendor business associates.
All covered entities and business associates should be doing an annual Risk Analysis, training their workforce and maintaining good cybersecurity practices. Don’t wait to harden your systems. Step up your game now to protect patients, and save yourself headaches and costs later.