The year 2017 saw a huge rise in health data breaches. Patient data stored on a provider’s healthcare system often include names, addresses, dates of birth, Social Security numbers, clinical information such as diagnosis and treatment information, and insurance billing details. It is critical for hospitals and medical billing outsourcing companies handling patient data to maintain the proper precautions to prevent a cyber attack. According to an annual Breach Barometer report published by Protenus and DataBreaches.net, a total of 477 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights in 2017, which is up slightly from the 450 reported in 2016.
Healthcare IT News has reported that an unauthorized user hacked into the Oklahoma State University Center for Health Sciences network in November 2017, accessing folders that contained the Medicaid billing information of 279,865 patients. The folders contained patient names, Medicaid numbers, provider names, dates of service and treatment information, which cybercriminals could use for medical fraud. The affected Medicaid folders were removed from the network and third-party access was terminated the next day. Ransomware attacks reported in the first month of 2018 include those at Allscripts and Hancock Health. The Allscripts attack was first reported by HIStalk, which received a tip from an Allscripts user that the attack shut down applications hosted on two data centers in North Carolina, including the Allscripts Professional EHR platform and some e-prescribing systems. Hancock Health paid a $55,000 ransom to hackers to release more than 1,400 files and regain control of the clinical IT systems at Hancock Regional Hospital.
Partners HealthCare System, Inc., the Boston-based nonprofit health system, discovered that personal data and protected health information (PHI) had been accessed by computers infected with malware in May 2017. The health system reported that although the malware did not result in access to its EMR system, it may have exposed patients’ names, diagnoses, types of procedures and medications.
All this emphasizes the need for better data protection measures. Steps patients can take to protect their PHI include:
- Reviewing account statements from your insurance company to make sure that the account activity is valid
- Providing updated personal details to your healthcare provider by bringing photo ID to verify identity
- Consulting the Federal Trade Commission for guidance on general steps you can take to protect your information
- Placing a security freeze that prohibits a credit bureau from releasing your credit report information without your written consent
- Checking your credit report to ensure that the information is accurate
- Placing a fraud alert on your file, which tells creditors to contact you before opening a new account or increasing credit limits on existing accounts
According to survey findings from the University of Phoenix College of Health Professions, 20% of registered nurses (RNs) and 19% of health administrators said their facility has experienced a breach of patient data, and just as many responded that they didn’t know if their facility has experienced a data breach. Based on these findings, the organization provided certain recommendations for healthcare executives to prevent data breaches, such as:
- They must place higher importance on data protection. All levels of staff need to be trained in cyber security and data best practices, and these trainings need to be consistently updated.
- As education and training are key to ending this vicious cycle of cyber security issues, implementing professional development programs can better train the next generation of privacy- and security-literate health professionals.
- As they incorporate digital tasks like EHRs and patient portals, health execs must put protocols in place to minimize human error.
- All hospital staff must be made aware of such data breach incidents, so that they will also consider mitigating and eliminating such issues in the future.
It is critical for healthcare facilities as well as the medical billing and coding companies that serve them to adhere to HIPAA guidelines and take the privacy and security of patient information very seriously.