In Wake of Medical Record Hacking, What Can Patients Expect?
August 19, 2014
Mary K. Caffrey
Reports that information on 4.5 million patients from 26 states had been hacked from more than 200 hospitals stunned consumers and the health care community yesterday, even though experts in health information technology have warned of this possibility for some time.

News of the hacking incident within Community Health Systems comes as the top US official charged with overseeing the nation’s health information technology (HIT) is trying to educate patients about what to expect regarding the use of their healthcare information.

Karen DeSalvo, MD, National Coordinator for Health Information Technology, said that while patients expect their medical records to be confidential, most accept that information is shared as long as it leads to improvements in their health or the health of others. As Dr DeSalvo said in a recent interview with AJMCtv, many patients expect their medical records to be digitized.
“It means our responsibility, then, is that as health IT, whether we’re government, vendors, or providers, is to do everything we can to fulfill that vision for them … but only when and where they need it.”

On July 1, a report in POLITICO warned that a major hacking event involving health records was “only a matter of when,” if it had not happened already. Turns out it had, for according to a filing yesterday with the U.S. Securities and Exchange Commission, patient data was likely hacked in April and June from Tennessee-based Community Health Systems, which operates mostly rural hospitals across the United States.

According to published reports, hackers had previously attempted to steal information on hospital operations, then moved to patient data. While the criminals did not steal medical information, it doesn’t appear that’s what they wanted: instead, they stole personal data such as Social Security numbers, birth dates, and other information that would permit the creation of phony bank or credit card accounts. This data is protected under the Health Insurance Portability and Accountability Act (HIPAA).

In her interview with AJMCtv, Dr DeSalvo discussed a security risk assessment tool currently being offered by the ONC to providers, which is meant to raise awareness of patients’ expectations and knowledge of appropriate usage of electronic health records.

Patients might not grasp why another person would want their records. But a report in InfoWorld explains the value of a medical record to an uninsured person, especially one in need of an expensive medical procedure: an uninsured person who needs a $1 million heart transplant could pay $250 for a stolen record and a fake ID to get treatment.

This is why it is critical for patients to scrutinize bills, in case they appear to be billed for procedures they did not receive. It could be a mistake, but it could be fraud.

Around the Web

Dr Karen DeSalvo on Sharing and Protecting Medical Information

Big Cyber Attack of Health Records ‘Only a Matter of Time’

Community Health Systems Hack Attack 4.5 Million

Why Would Chinese Hackers Want Hospital Patient Data