The raid on your medical records
Millions of breaches, and hardly any consequences
After I got laid off from my job last November, I started shopping for health insurance and a funny thing happened: BlueCross BlueShield emailed me someone else’s application.
The only similarity between me and this other applicant was that we’re both named Karen. I live in New York; she lives in Virginia. We have different last names, different Social Security numbers, different health histories. I know this because all of it was contained in the application BlueCross emailed to me — and under federal law, all of it is supposed to be confidential.
By emailing me the other Karen’s health-insurance application, BlueCross violated the Health Insurance Portability and Accountability Act. An angry consumer could find plenty of grounds — breach of confidentiality, negligence — to sue.
I called the other Karen to tell her what had happened. She didn’t sound like the suing type. She thanked me for calling and said she’d contacted BlueCross to buy health insurance after she’d been laid off from her job.
Though shocking, BlueCross’ sin is just one small example of a massive problem. Every year, millions of people are exposed to identity theft. And as health records increasingly get digitized, the opportunity for data breaches will only grow.
For the millions of unemployed Americans, this possibility is particularly scary — and, it seems to me, particularly unfair. The unemployed not only have to pay usurious rates for health insurance, but they are also at risk for another kind of exploitation.
“It’s exposing people in a precarious financial situation to identity theft and fraud,” I. Glenn Cohen, an assistant professor at Harvard Law School and co-director of Harvard’s Petrie-Flom Center for Health Law Policy, Biotechnology and Bioethics, told me. “When you’ve lost your job and are desperate about who’s going to cover your health insurance, it’s the last thing you want to worry about.”
Tell me about it. Yet such breaches keep happening because there are practically no consequences for those who are supposed to be safeguarding the information.
From September 2009 to October 2011 (the latest period for which figures were available), 388 of these breaches, affecting 19 million people, occurred through such means as hacked networks, stolen laptops, lack of encryption and improper disposal, according to the Health and Human Services’ Office for Civil Rights.
Among the most egregious cases, the California health insurer Health Net lost 1.9 million of its members’ records last year. Staggering. In 2010, the digital records of 1.7 million New York City Health and Hospitals Corp. patients were stolen from an unlocked van.
None of the entities responsible for these big breaches were fined; instead, some signed “resolution agreements” with the Office for Civil Rights requiring them to fix their systems.
Since the passage of HIPAA in 1996, the Office for Civil Rights has levied just $9.5 million in total related fines — money that went into its own coffers, not to the affected citizens.
State attorneys general can bring civil action against health care concerns to obtain damages for residents — but that has happened in only a few instances and typically only when tens of thousands were affected.
Victims are left to their own devices to seek remedies. In states with beefed-up privacy laws, including New York, consumers often try to sue. But unless they can show damages, their chances of winning are slim.
That will change only when there are strong disincentives for the invasion of privacy, whether or not quantifiable harm results. Losing peace of mind is harm enough.