Americans' Health Records Under Constant Hacker Attack

Threat Has 'Grown Exponentially,' GAO Reports

[Image: Angelina Jolie and Jonny Lee Miller in a scene from the movie ‘Hackers’. Caption: Who’s Looking at Your Medical Records Now? Getty Images Archive]

Ensuring the confidentiality and security of electronically stored personal health information is one of the major goals of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, 20 years after the enactment of HIPAA, Americans’ private health records face a greater risk of cyber attack and theft than ever.

According to a recent report from the Government Accountability Office (GAO), fewer than 135,000 electronic health records were illegally accessed – hacked – in 2009.

By 2014, that number had grown to 12.5 million records. And just one year later, in 2015, a whopping 113 million health records were hacked.

In addition, the number of individual hacks affecting the health records of at least 500 people increased from zero (0) in 2009 to 56 in 2015.

In its typically conservative manner, the GAO stated, “The magnitude of the threat against health care information has grown exponentially.”

As its name implies, the primary goal of HIPAA is to ensure the “portability” of health insurance by making it easy for Americans to transfer their coverage from one insurer to another depending on changing factors like costs and medical services covered. Electronic storage of medical records makes it easier for individuals, medical professionals, and insurance companies to access and share medical information. For example, it allows insurance companies to approve applications for coverage without the need for additional medical examinations.

Clearly, the intent of this easy “portability” and sharing of medical records is – or was – to lower the cost of health care. “Lack of care coordination can lead to inappropriate or duplicative tests and procedures that can increase health risks to patients and poorer patient outcomes,” wrote the GAO, noting that duplication of often unnecessary tests and examinations increases health care costs by $148 billion to $226 billion per year.

Of course, HIPAA also spawned a raft of federal regulations intended to protect the privacy of individuals’ health records. Those regulations require all health care providers, insurance companies, and any other organizations with access to health records to develop and apply procedures to ensure the confidentiality of all “protected health information” (PHI) at all times, especially whenever it is transferred or shared.

So What’s Going Wrong Here?

Unfortunately, the convenience of having our health records online comes at a price. With hackers and cyberthieves constantly upping their “skills,” everything about us, from Social Security numbers to health conditions and treatments, is at greater risk.

Health care is considered so important that the GAO has placed it on its list of the nation’s critical infrastructure: items considered “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the national public health or safety, nation’s security, or national economic security.”

Why are hackers stealing health records? Because they can be sold for lots of money.

“Criminals are aware that obtaining complete health records are often more useful than isolated financial information, such as credit information,” GAO wrote.

“Electronic health records often contain extensive amounts of information about an individual.”

While the GAO acknowledges that systems allowing health care providers and others to share health care information electronically may lead to improved health care quality and reduced costs, it notes that the same easily shared information is increasingly coming under cyber attack. Hack attacks highlighted in the GAO report include:

  • In July 2014, Community Health Services, operator of acute care hospitals in non-urban markets located throughout the United States, reported that the Social Security numbers, patient names, birth dates, addresses, and telephone numbers of at least 4.5 million people had been stolen by hackers.
  • In January 2015, health insurer Anthem, Inc., part of Blue Cross and Blue Shield, reported that hackers had stolen “names, dates of birth, Social Security numbers, health care ID numbers, home addresses, e-mail addresses, and employment information such as income data” from about 79 million people.
  • Also in January 2015, Premera Blue Cross in Alaska and Washington State reported that since May 2014, hackers had stolen the records of 11 million patients, including “names, addresses, e-mail addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, medical claims information, and bank account information.”
  • In May 2015, the University of California at Los Angeles (UCLA) reported that hackers had stolen data including “personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information” from an as yet undetermined number of UCLA health system patients.

“Data breaches experienced by covered entities and their business associates have resulted in tens of millions of individuals having sensitive information compromised,” reported the GAO.

What Are the Weaknesses in the System?

First, if you think you can absolutely trust your health care provider or insurance company with your personal information, the GAO reports “insiders are consistently identified as the biggest threat.”

On the federal government’s side of the fault divide, the GAO laid blame on the Department of Health and Human Services (HHS).

In 2014, the National Institute of Standards and Technology (NIST) first published the Cybersecurity Framework, a set of recommendations for how private sector organizations can assess and improve their ability to prevent, detect, and respond to hacker attacks.

Under the Cybersecurity Framework, HHS is required to develop and publish “guidance” intended to assist all private and public-sector entities storing health care records to implement the framework’s information security measures.

The GAO found that HHS had failed to address all of the elements in the NIST Cybersecurity Framework. HHS responded that it had omitted some elements on purpose in order to allow “flexible implementation by a wide variety of covered entities.” However, stated the GAO, “until these entities address all the elements of the NIST Cybersecurity Framework, their [electronic health records] systems and data are likely to remain unnecessarily exposed to security threats.”

What the GAO Recommended

The GAO recommended five measures intended “to improve the effectiveness of HHS guidance and oversight of privacy and security for health information.” Of the five recommendations, HHS agreed to implement three and would “consider” taking actions to implement the other two.