I was recently in the car listening to Janis Joplin’s “Take Another Little Piece of My Heart,” and it triggered a conversation I had a while ago with a banking executive regarding the similarities and differences between financial and health data breaches. While we agreed that financial breaches – on the surface – appear to be the most taxing on the affected individual (stress due to working with financial institutions to recover missing funds, late fee charges, interest, creditworthiness issues, etc.), I informed him that health data breaches take a more personal and longer-lasting toll on the affected party, simply because you are now at the mercy of whoever is in possession of your data.
Let’s look at why this is the case.
Once you have been notified of a financial breach – either by your financial institution, by the breached entity itself, or by discrepancies in your account – you take the normal steps of working with these entities to shut down the account, identify and rectify any fraudulent purchases, sign up for credit monitoring (which the breached entity usually covers for a short period), get a new account established, and ultimately return to your life.
Sadly, however, you receive no such relief or graces when it comes to a health data breach. You can’t simply request that the covered entity (the company providing the healthcare service) or the business associate (a third-party service provider to the covered entity) provide you with a new account and “free monitoring” of the use of your stolen health records.
Reality settles in when you realize that the information that is supposed to be private between you, your family and your doctors is now assumed to be floating around somewhere – in some manner – on the Internet. Once your health data is breached, assume anyone and everyone will have access to your medical history. Your physical medical background (aches and pains), your mental health background (psychiatric evaluations), your prescriptions, etc., are now likely somewhere on the Internet. You’re left hoping this information never falls into the hands of a fraudster to be used in an inappropriate manner. Sadly, as we know all too well, hope is not really an option. Such data can be used (as reported in the 2013 Survey on Medical Identity Theft conducted by the Ponemon Institute and sponsored by the Medical Identity Fraud Alliance) to defraud the healthcare system via bogus medical service and product claims, costing taxpayers billions. Also, knowing that your data can pop up anywhere and at inconvenient moments (Facebook, blogs, etc.) in the form of cyberbullying, or worse, blackmail, should send chills down your spine as to the many possible misuses of your health data.
What has disturbed me in all of this is that I have yet to identify a single report of any hospital, nursing agency, or similar healthcare entity offering free or compensatory services as a way to help heal and sustain the customer relationship. They know they messed up, and the truth of the matter is that you can never get your medical history back into the confidential lockbox. The breached entities are now waiting for the class-action lawsuit to hit them (and for personal lawsuits down the line), and the only monitoring they may be doing is of their own finances as they prepare for hefty payouts to the injured parties, as well as fines imposed by Health and Human Services (HHS), which governs the use of protected health information (PHI) under HIPAA.
Hospitals, medical centers, and the like are continuously investing in new medical technologies (scanners, lasers, etc.), as they should; however, technologies to ensure patient data protection should not play second fiddle. We see advertisements on television and in magazines about how these entities are investing in new technologies, but let’s face it, it’s simply not sexy (for lack of a better word) to say on TV or in a glossy ad: “…we utilize the latest network and enterprise encryption and monitoring technologies across our enterprise. Furthermore, our superior data access controls and periodic policy reviews help to ensure your medical records are safe.”
Until covered entities and business associates work to maintain and sustain their patients’ trust by continuously ensuring there is adequate financial and human capital to support the technologies and programs that safeguard health data, health data breaches may move from being extraordinary to being ordinary.
And if that occurs, “Take Another Little Piece of My Heart” may take on an entirely different meaning.
Shared Assessments Senior Director Tom Garrubba is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is a nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn.