The theft of about 780,000 online medical records by unknown hackers from state computers in Utah is sounding alarm bells about the protections of sensitive data.
Last month, hackers stole the data of hundreds of thousands of Medicaid recipients and participants from Utah’s Children’s Health Insurance Program, including the Social Security numbers of about 280,000 of them. Child records are specifically valuable to criminals because their lack of a credit report or bank account makes it difficult to monitor them for identity theft, leaving their data open for exploitation for years before it is uncovered.
Utah’s Department of Health said it was cooperating with the F.B.I. on its breach and working to notify victims, suggesting that Utah’s Medicaid and Children’s Health Insurance Plan recipients, as well as anyone whose health-care provider might have submitted information to the state for Medicaid coverage within the last four months, monitor their credit and bank accounts.
Utah Gov. Gary Herbert this week called the compromise a “completely unacceptable breach of trust,” offered an apology and announced a “comprehensive” response to the massive data breach, including the resignation of Stephen Fletcher, director of the state’s Department of Technology Services. The state also offered victims free credit monitoring.
These kinds of patient data breaches are surging, underscoring the need for greater privacy protection. According to the Ponemon Institute, data hacks in healthcare rose more than 30 percent this year, with 96 percent of healthcare organizations reporting at least one breach involving patient information over the past two years.
As part of a 2009 stimulus bill, the U.S. government pays incentives to doctors and hospitals that adopt electronic health records. As a result, more than half of office-based physicians now use digitized records and the number is steadily growing, according to the Centers for Disease Control and Prevention.
Electronic medical records are a treasure trove of personal information, as the Utah breach reflects, including names, Social Security numbers, birth dates, insurance information and personal health details, making them a prime target for hacking and theft.
Utah officials report hackers were able to break into a Medicaid eligibility server, used to validate claims of retirees and others, in part because the security tools on the computer server were not installed properly. Also, much of the vulnerable data should have been deleted from the server once each claim was validated, but it was instead retained as records.
Some of the exposed data was indecipherable, or disconnected from a name, making it hard to assess the full damage. Investigators have traced the hackers’ IP address to Eastern Europe, but haven’t identified any suspects.
Hospitals and physicians are likely to search for better ways to bridge the gap between security practices and digitized data. More than 80 percent of physicians now use a smartphone, according to Manhattan Research, to do more patient-focused activities, such as communicating with patients via text messages, checking EKG or other test results and sending patient alerts and reminders, adding to the complexity of the protection issue.
Hospitals, consulting firms, insurers and other big organizations that handle digitized, sensitive patient information expect to increase privacy protection, providing an emerging market for enterprise-class, healthcare-specific device and records security amid growing consumer awareness.
“The people of Utah rightly believe that their government will protect them, their families and their personal data,” Herbert said. “As a state government, we failed to honor that commitment. For that, as your governor and as a Utah [citizen], I am deeply sorry.”
Credit monitoring and commitment to improve are two consolations for those affected by the Utah breach, but will hardly be enough as medical records zoom towards digitization and hackers hone their skills.