Many of the breaches have already been publicized, but the continued improper release of information from a broad spectrum of sources highlights a growing problem as the government and the medical industry move more records online and into the cloud.
It is not only patients who are victims.
Blue Shield of California confirmed on Thursday that the Social Security numbers of 18,000 doctors were released when the insurance company inadvertently included them in mandatory monthly filings with California’s Department of Managed Health Care (DMHC). The release, in the late winter and spring of 2013, included doctor names, business addresses, business phone numbers and medical group names.
The mistake came to light only because outside parties querying the public records noticed the inappropriate information, on 10 separate occasions. The department’s letter alerting victims said the breach was discovered two months ago.
“We have no reason to believe that your personal information has been misused,” the letter assures recipients, but the department equally has no reason to assume it hasn’t been. The lucky 18,000 win a one-year free membership in Experian’s ProtectMyID Alert.
It is an all-too-familiar story of lax security, inadequate processes and dumb moves. The Center for Health Reporting wrote that 32 million people had been victimized nationwide since 2009, though some of them were presumably counted more than once.
The top 13 breaches accounted for 64% of all the victims. Four of them were in California. Health Net Inc. racked up 1.9 million victims in January 2011. There were 943,434 victims at Sutter Medical Foundation in October 2011, 729,000 at AHMC Healthcare in October 2013 and 514,300 victims at Eisenhower Medical Center in March 2013.
The granddaddy of breaches during that period involved 4.9 million victims at Tricare Management Activity in Virginia in September 2011.
Sometimes the breach is the result of theft, as in the Sutter incident, when a desktop computer was stolen from the foundation’s Sacramento office. Other times hackers wreak havoc from afar. But incident reports regularly highlight dunderheaded blunders by personnel: private information posted publicly, hard drives lost.
Often the information is unencrypted, even though encryption is a security measure strongly recommended by just about anyone serious about the problem and is routinely promised in the mea culpa statements companies and institutions issue after they have been breached. Encryption would have blunted a theft like Sutter’s, but it does nothing for a breach like Blue Shield’s, where the data was handed over deliberately in a filing that should never have contained it; that failure is one of process, not of storage.
In the case of Blue Shield’s breach, both the insurer and state agency promised to revise the practices that led to the exposure and “prevent a recurrence of this type of incident.”