Americans' Health Records Under Constant Hacker Attack

Threat Has 'Grown Exponentially,' GAO Reports

Image caption: Angelina Jolie and Jonny Lee Miller in a scene from the movie ‘Hackers’. Who’s looking at your medical records now? (Getty Images Archive)

Ensuring the confidentiality and security of electronically stored personal health information is one of the major goals of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, 20 years after the enactment of HIPAA, Americans’ private health records face a greater risk of cyber attack and theft than ever.

According to a recent report from the Government Accountability Office (GAO), fewer than 135,000 electronic health records were illegally accessed – hacked – in 2009. By 2014, that number had grown to 12.5 million records. And just one year later, in 2015, a whopping 113 million health records were hacked.

In addition, the number of individual hacks affecting the health records of at least 500 people increased from zero in 2009 to 56 in 2015.

In its typically conservative manner, the GAO stated, “The magnitude of the threat against health care information has grown exponentially.”

As its name implies, the primary goal of HIPAA is to ensure the “portability” of health insurance by making it easy for Americans to transfer their coverage from one insurer to another as factors like costs and the medical services covered change. Electronic storage of medical records makes it easier for individuals, medical professionals, and insurance companies to access and share medical information. For example, it allows insurance companies to approve applications for coverage without the need for additional medical examinations.

Clearly, the intent of this easy “portability” and sharing of medical records is – or was – to lower the cost of health care. “Lack of care coordination can lead to inappropriate or duplicative tests and procedures that can increase health risks to patients and poorer patient outcomes,” wrote the GAO, noting that duplication of often unnecessary tests and examinations increases health care costs by $148 billion to $226 billion per year.

Of course, HIPAA also spawned a raft of federal regulations intended to protect the privacy of individuals’ health records. Those regulations require all health care providers, insurance companies, and any other organizations with access to health records to develop and apply procedures to ensure the confidentiality of all “protected health information” (PHI) at all times, especially whenever it is transferred or shared.

So What’s Going Wrong Here?

Unfortunately, the convenience of having our health records online comes at a price. With hackers and cyberthieves constantly upping their “skills,” everything about us, from Social Security numbers to health conditions and treatments, is at greater risk.

Health care is considered so important that the GAO has placed it on its list of the nation’s critical infrastructure: items considered “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the national public health or safety, nation’s security, or national economic security.”

Why are hackers stealing health records? Because they can be sold for lots of money.

“Criminals are aware that obtaining complete health records are often more useful than isolated financial information, such as credit information,” GAO wrote. “Electronic health records often contain extensive amounts of information about an individual.”

While the GAO acknowledges that systems allowing health care providers and others to share health care information electronically may lead to improved health care quality and reduced costs, it also notes that this easily shared information is increasingly coming under cyber attack. Hack attacks highlighted in the GAO report include:

  • In July 2014, Community Health Services, operator of acute care hospitals in non-urban markets located throughout the United States, reported that the Social Security numbers, patient names, birth dates, addresses, and telephone numbers of at least 4.5 million people had been stolen by hackers.
  • In January 2015, health insurer Anthem, Inc., part of Blue Cross and Blue Shield, reported that hackers had stolen “names, dates of birth, Social Security numbers, healthcare ID numbers, home addresses, e-mail addresses, and employment information such as income data” from about 79 million people.
  • Also in January 2015, Premera Blue Cross in Alaska and Washington State reported that since May 2014, hackers had stolen the records of 11 million patients, including “names, addresses, e-mail addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, medical claims information, and bank account information.”
  • In May 2015, the University of California at Los Angeles (UCLA) reported that hackers had stolen data including “personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information” from an as yet undetermined number of UCLA health system patients.

“Data breaches experienced by covered entities and their business associates have resulted in tens of millions of individuals having sensitive information compromised,” reported the GAO.

What Are the Weaknesses in the System?

First, if you think you can absolutely trust your health care provider or insurance company with your personal information, think again: the GAO reports that “insiders are consistently identified as the biggest threat.”

On the federal government’s side of the fault divide, the GAO laid blame on the Department of Health and Human Services (HHS).

In 2014, the National Institute of Standards and Technology (NIST) first published the Cybersecurity Framework, a set of recommendations for how private sector organizations can assess and improve their ability to prevent, detect, and respond to hacker attacks.

Under the Cybersecurity Framework, HHS is required to develop and publish “guidance” intended to assist all private and public-sector entities storing health care records in implementing the framework’s information security measures.

The GAO found that HHS had failed to address all of the elements in the NIST Cybersecurity Framework. HHS responded that it had omitted some elements on purpose in order to allow “flexible implementation by a wide variety of covered entities.” However, stated the GAO, “until these entities address all the elements of the NIST Cybersecurity Framework, their [electronic health records] systems and data are likely to remain unnecessarily exposed to security threats.”

What the GAO Recommended

The GAO recommended five measures intended “to improve the effectiveness of HHS guidance and oversight of privacy and security for health information.” Of the five recommendations, HHS agreed to implement three and would “consider” taking actions to implement the other two.

2009 HITECH Act Gives HIPAA Sharper Teeth

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act, or HITECH Act, expanding HIPAA's rules, substantially increasing the potential legal liability for failure to comply, and adding new enforcement actions.

Under HIPAA as amended by the HITECH Act, civil monetary damages assessed for violations can reach up to $50,000 per violation, with an annual maximum of $1.5 million. The U.S. Justice Department may impose fines up to $250,000 and imprisonment up to 10 years for HIPAA violations, depending on the circumstances of the breach.

In some cases, health information breaches result from negligence on the part of health care facilities themselves, rather than attacks by outside hackers. For example, two of the largest fines for non-hacking-related HIPAA/HITECH violations paid recently include:

• $5.5 million paid by Memorial Healthcare System in Hollywood, Florida in 2017 to settle allegations that its employees improperly disclosed 115,143 individuals’ health data to the office staffs of affiliated physicians.
• $5.5 million paid in 2016 by the Advocate Health Care Network after it was revealed that the organization’s failure to properly protect patient data led to the loss of the information of 4 million patients.