An Urgent Plea From a Patient

Oct 24, 2024 at 09:51 am by steve


By Kristin Shoe

Like most families of four, mine has had its share of occasional appointments and procedures involving a medical clinic or hospital over the years. I am no stranger to HIPAA consent forms, health insurance benefits, and medical billing. Every single time, those visits require us to fill out forms that include birth dates, driver’s license and social security numbers, medical history, and other sensitive information. With my thoughts consumed by questions I have for my doctor or anxiety about having blood drawn, the last thing I want to worry about is whether my Personal Health Information is protected adequately.

Unfortunately, the statistics should worry every healthcare consumer. In 2023, health data breaches hit an all-time high, affecting as many as 133 million individuals. Last year, on every single day, there were an average of two attacks that affected more than 500 health records. The reality is that many more attacks occur among smaller clinics that often are not reported, despite a HIPAA requirement to do so. Often, these breaches prove to be much larger than initially thought, meaning that these statistics likely represent conservative estimates. 

We have all received data breach notifications in which our personal information has in some way been stolen, but medical records are by far the most valuable treasure for cyber criminals. These stolen records can be monetized in a variety of ways, including:

  • Fraudulent medical claims: Information is used to submit false insurance claims for medical services or equipment that were never provided.
  • Obtaining care: A stolen identity may be used to receive treatment, surgery, or drugs under the victim’s insurance.
  • Prescription drug fraud: Records are used to obtain prescription medications, either for personal use or to sell on the black market.
  • Information sold on the Dark Web: Valuable personal medical data is regularly sold to criminals for fraudulent purposes.
  • Medicare fraud: Stolen Medicare information may be used to bill for fake services or equipment.
  • Opening credit accounts: Medical records contain more than enough information to open credit cards or loans in the victim’s name.
  • Tax fraud: Medical records include Social Security numbers, which enable criminals to file fraudulent tax returns.
  • Blackmail or extortion: Thieves may use sensitive medical information to blackmail individuals.
  • Insurance fraud: Stolen information enables thieves to obtain health insurance or file false claims.

Clearly, a victim of any of these crimes could find himself in a tangled web of insurance problems, credit reporting errors, medical collections activity, and identity assassination. I once spent several months and many phone calls struggling to clear up a billing discrepancy between my provider and my insurance company over a legitimate claim. Imagine the problems posed by fraudulent claims filed under your insurance after a breach.

Unweaving and repairing the damage from cybercrime is stressful and time-consuming, often involving legal action to clear one’s name and recover damages. Sometimes the damage is permanent. In a 2023 breach at Lehigh Valley Health Network in Pennsylvania, for example, nude pictures of approximately 600 men and women, along with Social Security numbers and other personal information, were stolen and published across the Dark Web. The hospital recently settled with plaintiffs for $65 million for failure to protect highly sensitive health details. Many of the most deeply affected victims reported anxiety, sleep disruption, and anger. 

As a patient, I urge medical clinics, hospitals, and other healthcare companies to follow and to take seriously all security and HIPAA recommendations. Our IT/Security company meets regularly with healthcare clients and prospects, and unfortunately, I cannot say that this is always the case.  Comprehensive security and compliance offerings from our company are not inexpensive, but what does the revenue loss total if your clinic cannot function for two weeks because of a ransomware attack? How much do the resulting fines and lawsuit settlements cost? Can you even put a price on the resulting loss of reputation to your business?

If you’re ready to audit your security and compliance strategy, we can help.  Give us a call at (205) 623-1200 or visit www.sipoasis.com to learn more.

Kristin Shoe is the Director of Marketing for SIP Oasis.

Sections: Blog



September 2024

Sep 19, 2024 at 12:18 pm by kbarrettalley

Your September 2024 Issue of Birmingham Medical News is Here!