Patients in New England who have had an imaging scan have a good chance of receiving that dreaded breach notice in the mail from their healthcare provider: the notice that tells them their protected health information (PHI) may have been stolen and that they should watch for signs of identity theft.
Shields Health Care Group (Shields) in Quincy, Massachusetts recently reported a massive security breach affecting at least 2,000,000 patients. Shields is a medical provider group offering MRI, PET/CT, and outpatient surgical services throughout New England. Over 50 health care facilities that use Shields’ services have been affected.
According to the breach notice on Shields’ website, the company detected suspicious activity on its network on March 28, 2022. The company began an investigation to determine the nature and scope of the event as well as whether any patient data was exposed.
The investigation confirmed that an unauthorized party gained access to Shields’ IT systems between March 7, 2022 and March 21, 2022. The company also discovered that the unauthorized party acquired—or stole—data from the company’s servers. The type of protected health information (PHI) compromised included full names, Social Security numbers, dates of birth, home addresses, provider information, diagnoses, billing information, insurance numbers and information, medical record numbers, patient IDs, and other medical or treatment information.
Medical Identity Theft Is a Long Game
Shields points out that to date it has “no evidence to indicate that any information from this incident was used to commit identity theft or fraud.” No one should take comfort from this statement. Nearly every public breach notice makes this claim, but it is far too early to know whether medical fraud or financial identity theft will occur. The data will likely be sold on the dark web to another group or individual, who may use it now or years from now. Unlike a credit card number, this kind of identity information (name, Social Security number, date of birth, medical record number) cannot simply be reissued, so it stays useful to a criminal for years.
Incomplete Breach Notice
We note that the breach notice contains no warning to patients about monitoring their explanations of benefits (EOBs) to catch medical identity fraud. HIPAA requires that a breach notification include warnings about all potential harm, not just financial harm.
This is critically important, since a stolen medical identity can be used to commit insurance fraud and to obtain prescription drugs. When that happens, the victim’s medical records are altered in ways that can be harmful, for example by recording diagnoses, procedures, or medications that belong to the impostor. The way to catch this is to review and monitor one’s own medical records and to check and verify every health insurance EOB against care actually received.
A Health Data Breach is Expensive
With a data breach of this size, Shields is facing enormous costs. In addition to the forensic investigation, managing 2,000,000 individual breach notices, legal fees, an OCR investigation, and harm to its reputation, a class action lawsuit is brewing. A Google search of ‘Shields health data breach’ brings up two law firms advertising for patients to receive consultations and join a lawsuit for damages.
HIPAA Compliance is Key
Shields will be in a better position to respond to OCR and defend a lawsuit if it can show that it did its best to comply with HIPAA. It should have all the required policies in place, but just as important, it should be able to document that it has completed a HIPAA Risk Analysis and is following a Risk Management plan. HIPAA compliance is the best defense against cybercrime; it can also save money and time and preserve your reputation if a health data breach happens to you.