22,453,356 - This number represents the amount of patient records that have been breached since 2005 at 595 healthcare entities, according to Privacy Rights Clearinghouse. Last week the Ponemon Institute released their Second Annual Benchmark Study on Patient Privacy and Data Security. Their results reveal a 32% increase in data breaches with 92% of the participants reporting they have had at least one breach in the last two years. Most of the breaches were due to employee mistakes and sloppiness –lost or stolen laptops or mobile devises, unintentional employee actions, and Third party (business associate) errors.
The black market is very lucrative for those who obtain and sell the information that healthcare entities are responsible to protect. In addition to patient data, patient insurance information can be used to make false or inflated insurance claims, obtain prescription drugs or receive treatment at the expense of the insurance account holder. A patient’s health record can be sold on the black market for $50 as compared to a social security number at $3, credit card information $1.50, date of birth $3, and mothers maiden name $6.
The examples of healthcare data breaches are many. At www.privacyrights.org you can access their data base of breach notifications. However, this list is not complete. In addition, many organizations choose to voluntarily notify patients of a breach when the nature of the breach falls outside of the scope of the mandatory notification requirements of state statutes.
I believe that healthcare entities need to understand that this not an IT issue. It is an area of risk that expands the entire organization. Leadership should undertake building a culture of security, look for ways to encrypt data, review the indemnification provisions with third party vendors, and have an Instant Data Breach Response Plan.
The insurance options are numerous and vary greatly. Don’t be fooled in thinking that all “Cyber” policies are alike or provide the same level of protection. We plan for other types of disasters, now is the time to address this increasing area of risk.
