Broken Legs & Heart Transplants: Mismatch of Identity Protection Services in Healthcare Data Breach
By Jeremy Henley - Article on March 31, 2016
- Data Breach Notification
- Identity Theft and Fraud
Healthcare organizations often miss the mark when offering identity protection services to their patients, employees, and other affected individuals. Credit monitoring, for example, has long been a panacea for healthcare breach victims. There is a time and place for credit monitoring. But offering credit monitoring when medical information has been exposed is like treating a broken leg with a heart transplant.
Given the frequency of healthcare breaches and the high value of medical data, it’s more critical than ever to better protect patients. Last year quickly became the “year of the healthcare breach.” Most recently, Hollywood Presbyterian Medical Center was the victim of a ransomware attack that cost the hospital a reported $17,000 in ransom money—and disrupted patient care.
The frequency with which attackers gain access to patient data is troubling: 77 percent of healthcare organizations in a recent Ponemon report consider cyber attackers a serious threat. That’s because, in large part, healthcare organizations are a treasure trove of data—PII, PHI, PCI, and proprietary information. Mick Coady, a partner in the health information and security practice at PricewaterhouseCoopers, recently told CNBC that a single medical record can sell for “up to $1,100” on the dark Web. “About two years ago, it was probably worth no more than $50,” he said.
In its 2016 Identity Fraud: Fraud Hits an Inflection Point report, Javelin notes that “data breach incidence” dropped to 32.1 million records last year, but a higher percentage of breach victims suffered at the hands of fraudsters. More specifically for healthcare, the volume of medical and insurance records compromised quadrupled to impact 14 percent of data breach victims. The growing vulnerability of patient data to attackers and the skyrocketing amount of exposed medical information make it critical to provide the right type of identity protection services for affected patients.
3 Healthcare Data Breach Scenarios: An Analysis of Identity Protection Services
But just what is the right kind of identity protection for people affected by a healthcare data breach? The answer depends on several factors, such as the type of data that was exposed. Consider the following three breach scenarios:
Breach 1: According to the breached organization’s website, the information accessed may have included personal information such as Social Security numbers and home addresses; employment information, including income data; and health care ID numbers. The organization offered credit monitoring, identity theft insurance, and “identity repair assistance.”
Breach 2: Nearly identical information may have been accessed in this breach, with one notable addition: medical claims information, which contains data such as diagnostic and treatment codes. This organization offered credit monitoring and identity protection services to the affected population.
Breach 3: Here, similar information was made vulnerable, including basic personal information as well as medical record numbers, Medicare or health plan ID numbers, and some medical information. The affected population was offered identity theft recovery and restoration services, credit monitoring, guidance on protecting healthcare and other information, and identity theft insurance.
In each instance, medical information was exposed, ranging from healthcare ID numbers to claims information. However, it appears only one of the three organizations offered some form of healthcare-specific service.
Not Good Enough
Analysts have been critical of the type of identity protection services offered to breach victims. Regarding one particular identity protection offering, Forrester analysts noted: “Unfortunately, customers saw free credit monitoring services as an empty gesture — the onus was still on the victims to protect themselves and younger family members from financial or medical identity theft that may occur years down the road.”
Speaking more generally, Al Pascual, research director and head of fraud & security at Javelin, said, “The biggest problem with the mass issuance of identity protection services is the mismatch of risk and coverage. For example, we have seen countless breach victims being offered solutions that rely heavily on credit monitoring, even though it may not have been appropriate or effective based on the type of data compromised.”
Identity Protection Services for Patients: A Matter of Common Sense
Hospitals, insurers, and others who safeguard patient data must take a more targeted approach to protecting their breach victims. Just as a doctor takes the time to diagnose a patient’s condition before prescribing an appropriate course of treatment, healthcare privacy and security professionals must also “diagnose” a data breach. In other words, they must examine critical factors such as the type of information breached, the unique needs of the affected population, and the cause of the breach. Then, and only then, can they determine which form of identity protection services is most effective for breach victims—and better protect their patients against the ever-increasing threats from cyber-attackers, fraudsters, and other criminals.