USA TODAY US Edition

Your doctor may be putting your personal data at risk

Hospitals, practices had more breaches than ever last year

- Steven Petrow

Are we sharing too much of our personal health data?

It’s a question worth asking after massive breaches of our personal health data in recent years and reports that, even in low-tech settings like a hospital waiting room, privacy protocols are faulty.

According to the health trade publication HIPAA Journal, more hospitals and doctors’ practices reported breaches in 2016 than in any other year since the Department of Health and Human Services’ Office of Civil Rights, which collects data on leaks, started publishing breach summaries in 2009.

Among the latest leaks: Bronx-Lebanon Hospital Center in New York City left patients’ names, home addresses, medical and mental health diagnoses, addiction histories, HIV statuses and even sexual assault and domestic violence reports exposed online. The culprit: A misconfigured backup server that stored the medical data.

Two years ago, Anthem notified 80 million customers that their personal health information may have been stolen after the insurer was hit by a sophisticated cyberattack.

Make no mistake, those vast databases give health care providers a comprehensive view of their patients’ health, an advantage that easily could be lifesaving in an emergency. The downside is those databases put our most private information at risk for exposure.

Hospitals, insurers, doctors and government agencies didn’t pay “much attention to privacy and security” in their rapid efforts to digitize a lot of health data and aggregate it electronically, says Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, a digital liberties non-profit.

Even the choice of paper envelopes can make your private health data public to unwanted views. Insurer Aetna recently told its customers that it was aware of a late July “privacy breach” after it mailed prescription information in envelopes with large, clear plastic windows. Two legal groups representing individuals with HIV had notified Aetna after the patients received envelopes exposing their participation in HIV prevention or treatment programs.

SHOCKED? DO THIS

As scary as these examples are, the solution isn’t to stop seeking medical treatment. Patients can take some steps to protect their data and their privacy.

One thing to do is a reference check on your insurer, hospital or health care provider by visiting the Office of Civil Rights’ list of providers that have experienced breaches, sometimes referred to as the “Wall of Shame.” Since July 1 alone, 35 breaches have been reported and are under investigation, affecting more than 850,000 individuals.

You can also report basic human negligence to a hospital or physician practice’s privacy officer if you experience the low-tech ways privacy breaches happen — from a computer printout left in a trash can or a computer screen left visible to anyone with a decent pair of eyes.

Patients can also demand their hospital or doctor follow these best practices:

In the waiting room, limit the information asked for on a sign-in sheet (for instance, don’t ask the reason for their appointment).

Instead of calling someone out loud by their full name, only use their first name and the initial of their last name.

If there’s a board listing names, use the same protocol.

Here’s one story that didn’t have to happen: A couple of years ago, my husband checked into UNC Health Care in Hillsborough, N.C., for an outpatient procedure. In the waiting room, I couldn’t help but notice a computer that listed all the scheduled patients that morning: Name, age, doctor and procedure. No screen saver came on during the hour I sat there.

Appalled by the dearth of privacy, I took a photo of what I had seen and then reported the problem to a staff member. She didn’t seem fazed by the disclosure but said she’d relay the breach on up the food chain and that someone would be in touch. When I did get a response back, it was from the hospital’s legal department — rebuking me for taking a photo of the computer screen listing the patient names.

Then earlier this month, now two years later, a friend of mine whose wife gave birth at a different UNC Health Care facility told me that he’d seen the same thing — a computer screen left open for all to see.

When I spoke with the UNC chief privacy officer, David Behinfar, he said he couldn’t discuss specifics of those incidents, but said “we need to take much more care of our electronic health records” speaking both about UNC Health Care and other medical institutions. This includes “simple privacy practices,” such as the purchase of screen protectors and the requirement that staff must re-enter password and login information after a short timeout. Be on the lookout for these precautions.

Simple stuff? Yes. But look only to the “Wall of Shame” to note how many breaches are the result of “improper disposal” of records, theft and loss.

WHAT MORE YOU CAN DO

Ask your health care provider or medical institution about their security measures. If they don’t know, find out who does. Data should be encrypted, “not left in plain text and vulnerable to criminals,” says Bob Diachenko, the chief security communications officer at Kromtech Security Center who discovered the Bronx-Lebanon breach. Regular security audits are a must.

Don’t provide your Social Security number on forms, says UNC’s Behinfar, who fears the “devastating effects” of identity theft if the data is hacked.

Speak up if you witness a breach.

Photo (GETTY IMAGES/ISTOCKPHOTO): In the waiting room, limit the information you put on a sign-in sheet. Don’t provide your Social Security number on forms.
