Slides: 69,000 Oregonians Hit by Health Data Breaches
Friday, March 06, 2015
Fifteen businesses, including Oregon Health and Science University, Portland Veteran Affairs Medical Center, and Lower Umpqua Hospital, each compromised private information for over 500 of their clients. However, some breaches affected as many as 17,000 people.
Health data breaches can lead to medical identity theft, a growing problem with serious consequences for victims, according to Bob Gregg, CEO of ID Experts, a company specializing in data breach prevention and response.
“It’s not an overstatement to say medical identity theft could kill you,” said Gregg. “It’s the fastest growing identity crime in the country.”
When records gathered by health organizations are breached, information on medical history and insurance is compromised. Gregg said this information is used to purchase medical supplies and services, or harvested by health providers who use it to bill Medicare or Medicare for services never rendered.
However, Gregg said the consequences for medical identity theft victims are more serious than having to cancel a credit card.
“If you go to the ER and you’re unconscious, you can’t talk to the doctors when they pull up your record and your drug allergies or even blood type has been changed,” Gregg said.
In 2014, 2.3 million Americans were victims of some form of medical identity theft, a 23 percent increase from the previous year, according to a study by the Ponemon Institute.
The growth is because medical information has 10 to 50 times more monetary value than Social Security numbers, according to Gregg.
If personal information is compromised in a data breach, it is important to act quickly. Paul Stephens is the Director of Policy and Advocacy at Privacy Rights Clearinghouse, a nonprofit consumer rights and privacy advocate.
“If it involves your Social Security number, you need to look into a credit report freeze and Social Security freeze. If it’s medical information, you want to monitor the explanation of benefits from your insurance carrier,” Stephens said.
Of the sixteen health data breaches in Oregon since 2010, 11 resulted from thefts of papers or laptops. Stephens said these cases generally result from carelessness on the company or employer’s part.
“They’ll lose a laptop and it won’t be encrypted,” Stephens said.
The Government’s Role
Under the federal HITECH Act, health security breaches that affect 500 people or more must be reported to the Secretary of Health and Human Services.
In Oregon, businesses are required to notify anyone whose information may have been compromised in a breach. However, they do not have to report it to any state regulators, such as the Oregon Attorney General.
Last December, Oregon Attorney General Ellen Rosenblum urged the Oregon Senate and House Judiciary Committee to expand the state's data breach law and require that breaches be reported to her office, giving her enforcement power.
“As technology changes, so must the legal infrastructure which protects that technology. Oregonians want—and should—know who is collecting their personal information and data, how it is being used and protected, as well as to whom it is being sold,” Rosenblum said in her testimony.
Only fifteen states have laws that require data breaches be reported to state police.
Gregg said he has been lobbying this year in Salem, urging legislators to require medical identity monitoring in the case of a breach, along with financial monitoring.
“90 percent of the public has no clue what medical identity theft is,” Gregg said. “They have to start understanding the biggest risk for citizens of Oregon in breaches of this kind.”
Related Slideshow: Oregon Health Data Breaches
The following are health data breach reports from Oregon as listed on the Department of Health and Human Services Office of Civil Rights website.
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary.