Not merely lost: What happens to stolen health records
Thanks to their precious mobility, laptops, tablets, smartphones and portable drives are all too easily forgotten, misplaced, stolen or otherwise left behind.
That presents something of a quandary, not surprisingly, in terms of HIPAA Privacy and Security requirements.
“If you look at the reported breaches that have been submitted to HHS a fair number of them involve portable media devices,” Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues and frequently helps clients craft breach notification told Government Health IT during this interview.
“Part of the problem is that the encryption standard under HIPAA has been addressable, meaning it’s not a hard and fast requirement, rather it's supposed to be something that providers assess their ability to comply with and comply with if feasible. But it’s not an absolute requirement — and that has created some opportunity in organizations for people to take the obligation to encrypt mobile devices maybe less seriously.”
[Listen to Micky Tripathi, CEO of the Massachusetts eHealth Collaborative explain the compelling reasons all hospitals should encrypt their data. Play in a new window]
Whether that addressable nature will change in the highly-anticipated omnibus final rule for HIPAA Privacy and Security data breach notification — still in ‘extended review’ within the Office of Management and Budget — remains to be seen.
What’s more, the general lack of clear delineation within the regulations between records that are lost and those stolen by thieves specifically targeting the health data yield two very different categories errantly lumped together.
“Records that are lost are not that uncommon,” said Pam Dixon, founder and executive director of the World Privacy Forum. “We have heard of records being found in attics, and even folks from health care providers have told us their tales of finding stacks of ancient records when they went to move to a new warehouse or digitize their files. Records on genuinely lost laptops are also not as at high of risk as records that are intentionally stolen.”
Those records that are maliciously thieved, however, can ultimately find their way into what Dixon called "thriving" grey or black markets in myriad ways.
“Records are typically cured for anywhere from a few months to a year or more, then usually they are used to commit billing fraud or some other form of identity theft,” WPF’s Dixon explained. “Synthetic forms of medical and ID theft are on the rise, this is where bits of identities are pasted together. It makes the crime much more difficult to detect.”
Clint Furhman (pictured at right), national director of healthcare for risk assessment specialist LexisNexis, added that other uses include opening credit card accounts, getting prescription drugs, Medicaid billing, even obtaining fraudulent care.
“Most commonly, the data stolen in these types of cases is used to commit Medicare-related fraud, which most estimate to be in the neighborhood of $65 billion per year,” said Edi Goodman, chief privacy officer at IDentity Theft 911. “In fact, this type of fraud has become such a rampant problem within the Medicare system that there has been a significant increase nationwide in fraud squads.”
And then there are the truly unique, if not altogether surprising, ways criminals put stolen data to work.
“We are now beginning to learn of crimes where the data is used for marketing. Odd but true. I have been told several anecdotal stories by law enforcement that what gets marketed is the overseas Internet pharmacies. ‘Buy cheap medication here!’ That sort of thing,” WPF’s Dixon added. “I began hearing about this two years ago, and then got it confirmed again in April when I started to interview law enforcement about updates to the issue.”