Hospitals often fail to notify patients of data breaches

If your medical records were exposed in a security breach, would you expect the hospital to tell you? You shouldn’t. Because of regulatory loopholes, only 56% of healthcare organizations that have exposed medical records notified the patients involved, survey results issued this month found.

“There are loopholes in almost every law regulating patient data management, including  the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), and Payment Card Industry Data Security Standards (PCI DSS) that have enabled breach cases to go unreported, preventing an accurate report on frequency,” says the 2008 HIMSS Analytics Report: Security of Patient Data, commissioned by Kroll Fraud Solutions.

The loopholes allow hospitals to cite “reasonable efforts,” “acceptable measures,” and similarly vague language to avoid notifying patients, the report states.

More than 1.5 million names were exposed in data breaches occurring in hospitals in 2006 and 2007, according to data cited by HIMSS Analytics.(Compare Data-Leak Protection products.)

Breaches can involve not just names but also Social Security numbers, birth dates, mailing addresses, insurance policy information, medical history, and credit card and financial information.

“Patient data breaches are the most difficult to clean up and cause problems beyond financial damage,” HIMSS Analytics states. “Patients whose data is used for medical fraud (i.e. the perpetrators use stolen information to receive treatment), suffer from insurance eligibility/application issues as well as misdiagnosis due to data on their records that does not apply to them.”
HIMSS findings were based on a survey of 263 healthcare industry professionals, about half of whom work in IT.

Survey respondents were generally familiar with HIPAA requirements, but typically focus on inappropriate access to data and privacy concerns, rather than the thorny issues of fraud and malicious intent. About 23% of breaches that required notification since 2000 were caused by an employee, including a temporary clerk convicted of stealing the identities of elderly patients for personal gain in Philadelphia, and a Louisiana emergency room clerk who deliberately leaked patients’ names, birth dates and Social Security numbers.

Both incidents occurred in 2007, HIMSS states. Hospitals are hard-pressed to detect such insider wrongdoing, which means the breaches are allowed to occur over extended periods of time.

Here are some other findings from the HIMSS report:
*Identity theft is three times more likely at large facilities than small ones (defined as those with fewer than 100 beds).

*12% of respondents say improper IT security policies are a concern, citing sharing of or improper protection of IDs and passwords. 

*Only 18% of respondents who experienced fraud-related breaches believed such incidents had a negative financial impact. In reality, studies place the average cost of a breach as high as $197 per record or $6.3 million per incident.

*62% of those who experienced breaches classified them as unauthorized use of information, while 32% blamed wrongful access of paper records.