ICIT report outlines ways breaches can ruin patients' lives


Healthcare executives’ “lackadaisical approach” to cybersecurity endangers the lives and futures of breach victims, who have little help or recourse for dealing with identity theft, according to a new report from the Institute for Critical Infrastructure Technology.

It looks at how healthcare information is exploited on the Dark Web, with the data often being sold multiple times. Such information also can continue to be sold for the rest of the victim’s life, the authors say in their tersely worded report, adding that "for some, such as children, this can drastically hinder their future financial stability and limit the potential lives that they could lead.”

The report lays out testimony the organization will present at a Senate hearing on Sept. 22.

Free Daily Newsletter

Like this story? Subscribe to FierceHealthcare!

The healthcare sector remains in flux as policy, regulation, technology and trends shape the market. FierceHealthcare subscribers rely on our suite of newsletters as their must-read source for the latest news, analysis and data impacting their world. Sign up today to get healthcare news and updates delivered to your inbox and read on the go.

The authors also in the report write about cases where health security breaches negatively impacted individuals.

One example is a woman had a baby in Utah using the stolen medical identity of Anndorie Cromar to pay for the services. When the child was born with drugs in its system, Child Protective Services took custody of it and, assuming Cromar was a drug addict and negligent parent, went after custody of the real Anndorie Cromar’s other children. Cromar had to undergo a DNA test to remove her name from the infant’s birth certificate, and she spent years correcting her medical records.

“Once a hacker owns an EHR, they effectively own the victim,” the authors say. “Every patient record compromised from every healthcare organization has the potential to devastate and financially ruin a United States citizen.”

They say consumer protections have not kept up with the proliferation of data breaches. Meanwhile whole databases are sold through the Dark Web, usually in private, offline transactions, a practice that law enforcement struggles to stop.

The flow of data around a fragmented healthcare ecosystem also makes it vulnerable, with an HIMSS survey showing a lack of encryption of data in transit and at rest at many organizations.

It can be life-threatening if a person’s medical record is altered as criminals engage in medical identity theft--and the danger increases exponentially as the data is sold multiple times, the authors write.

Meanwhile, a new HITRUST paper urges organizations to move beyond prevention to cyber-resilience, accepting that breaches will occur and focusing on detection and response.

Suggested Articles

The Centers for Medicare & Medicaid Services released the MA plan star ratings for the 2020 plan year on Friday.

A New Orleans-based genetic testing company will pay $42.6 million to resolve False Claims Act and kickback allegations.

A three-judge appellate panel didn't appear convinced that Medicaid work requirements meet the law's objectives of providing coverage.