CHICAGO – Your private medical information is under threat. Almost 30 million health records nationwide were involved in criminal theft, malicious hacking or other data breaches over four years, a study says, and the incidents seem to be increasing.
Compromised information included patients’ names, home addresses, ages, illnesses, test results and Social Security numbers. Most involved electronic data and theft, including stolen laptops and computer thumb drives.
The study did not examine motives behind criminal breaches or how stolen data might have been used, but cybersecurity experts say thieves may try to use patients’ personal information to fraudulently obtain medical services.
Cases that did not involve malicious intent included private health information being inadvertently mailed to the wrong patient.
Hackings doubled during the study, from almost 5 percent of incidents in 2010 to almost 9 percent in 2013. Hackings are particularly dangerous because they can involve a high number of records, said Dr. Vincent Liu, lead author of the study and a scientist at Kaiser Permanente’s research division in Oakland, California.
"Our study demonstrates that data breaches have been and will continue to be a persistent threat to patients, clinicians and health care systems," Liu said.
The study appeared last week in the Journal of the American Medical Association.
A JAMA editorial says there’s evidence that the incidents are leading some patients to avoid giving doctors sensitive information about their health, including substance abuse, mental health problems and HIV status.
"Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States," the editorial said.
Patients should be alert to cyber threats, including "phishing" emails from hackers posing as doctors, hospitals or health insurance companies, said Lisa Gallagher, a cybersecurity expert at the Healthcare Information and Management Systems Society.
Those messages require clicking on a link to get information, and patients should instead call the purported sender to verify whether the email is legitimate, she said.
Patients should also double-check doctor bills and other insurance company information.
"Don’t throw away your explanation of benefits. Take a look at them," Gallagher said. "If you see care that wasn’t provided to you, or dates and names of providers that don’t make sense, go to the provider and report that."
For the study, Liu and colleagues analyzed an online database, regulated by the U.S. Department of Health and Human Services, that contains mandated reports of breaches in health information protected by federal privacy law.
Over the four years, 949 data breaches were reported across the country. The numbers climbed annually, from 214 in 2010 to 265 in 2013. Nearly 60 percent involved theft.
Prominent cyberattacks affecting two health insurance giants happened after the study. Last May, a data breach hit Premera Blue Cross, affecting about 11 million customers and others. And from December to late January, hackers accessed an Anthem Inc. database with information on nearly 80 million people.
Authorities believe hackers in China may be behind both attacks, Gallagher said.