Medical records breaches on rise in Georgia as security efforts lag


In medical breaches involving 500 or more patients’ records, the health care entity that suffered the breach is required, within 60 days, to notify:

  • The U.S. Department of Health and Human Services
  • The affected patients
  • A local media outlet

In medical breaches of fewer than 500, the provider must notify:

  • HHS/OCR within one year
  • Affected patients within 60 days

Source: U.S. Department of Health and Human Services

The Federal Trade Commission offers these tips for detecting whether you’re a victim of medical identity theft:

  • Read your medical and insurance statements regularly. They can provide warning signs.
  • Make sure claims paid match the care delivered. If not, contact your health plan.
  • Signs of medical identity theft include: bills for services not received, medical collection notices on your credit report that you don't recognize, and a notice from your health plan saying you reached your benefit limit.

Source: Federal Trade Commission

Last January, officials at a Floyd County hospice learned that a laptop containing the names, addresses, Social Security numbers, birth dates and medical diagnoses of 1,819 patients had been stolen from an employee’s car.

In a letter to the patients, Heyman HospiceCare said it would take “a more disciplined approach” to encryption — a powerful way to safeguard data on its laptop computers — and would be “re-educating staff” on securing such mobile devices.

Personal health information breaches in Georgia have affected nearly a half-million people in the last four years, according to a review of federal records by The Atlanta Journal-Constitution. And that includes just the major incidents — those involving at least 500 people — that were reported. Nationwide, these major breaches have affected 22 million.

Medical records breaches are part of a much broader identity theft problem: One study determined that U.S. victims of identity theft lost $21 billion last year.

Critics say those who touch health data are sometimes lax and they know it.

An annual survey of health care organizations by Ponemon Institute, a privacy management firm, found that 94 percent admitted confidentially that they had suffered at least one data breach. Most “say they have insufficient resources to prevent and detect data breaches,” said Larry Ponemon, head of the institute.

Laptop computer thefts resulting from break-ins of homes, cars and medical offices accounted for most of the incidents.

Advocates for greater security say physician practices and hospital systems have to do more to protect patient records. That means making sure that all electronic data is protected by firewalls, encrypted and robustly password protected, for example.

In Georgia, providers who have reported major breaches said they don’t know of any cases in which their patients have been directly harmed as a result of lost or stolen information.

That’s typical across the U.S. Stolen data might not be used by thieves because they don’t know what data is on the devices, preferring instead to sell the equipment for a quick profit, experts said.

In other cases, however, criminal rings that have included health industry employees steal information with the intention of using it in schemes such as tax and medical billing fraud.

In April, a federal grand jury in Savannah charged 12 people with crimes, including medical identity theft and tax fraud, after they were arrested in Statesboro. Federal officials did not provide many details, but said those charged were “misusing medical records.”

The potential for medical breaches is growing, some experts say, with the rapid, government-led shift to electronic medical records from the traditional paper system. That allows the sharing of patient information among providers, which can help improve care. A Georgian with a sudden medical crisis who goes to an emergency room in Florida during a vacation, for example, may benefit from doctors there having fast access to all pertinent patient information.

There can be security consequences, though. “The move to electronic records has created a privacy firestorm,” Ponemon said. “We do see a lot of organizations struggling with managing the data.”

While financial loss is a main threat when health records are taken, just as in a credit card or banking data theft, there is also the prospect of discrimination and extortion based on exposure of a patient’s condition or treatment.

“Health information is the most valuable information of all,” said Deborah Peel, a Texas physician and national advocate for patient privacy rights. “It’s about your mind and your body.”

Advocates for stronger security recommend that health industry employees have limited access to records, that they be monitored while using them, and that they be constantly instructed in how to safeguard information.

Experts say it may not be possible to prevent all medical records breaches, because human error and some crimes can’t be prevented.

Jim Kegley is president and CEO of U.S. Micro, an IT data security firm founded in Atlanta that removes the data from electronic devices like smart phones and laptops that health care providers no longer use. He said 6 percent of the devices that the company processes have their passwords taped to them — an open invitation to a thief to take the data.

“It’s inevitable that things are going to happen,” said Georgia Tech professor and health information security expert Douglas Blough, the victim of two breaches himself. “There is no silver bullet here. This data is out there and accessible and the problems are wide ranging.”

James Morrow, a family physician in Cumming and a member of the Electronic Health Care Committee of the Medical Association of Georgia, said, “It’s easier to protect the electronic record than the paper record.” But, he said, providers still must make sure they have the proper security measures in place, educate their employees and monitor procedures constantly.

The cost to add protection is a factor, more so for smaller providers. Larger providers also fear that security barriers might interfere with patient care.

Heyman said its stolen laptop was “protected by additional security software that would make it difficult for the average person to access any information.” But it was not encrypted, which has been called “the gold standard” of data security, even if it does not guarantee safety.

Heyman said it had “no reason to believe” the data from the laptop, which still hasn’t been recovered, has been used improperly.

Two of Georgia’s medical records breaches show how human error, criminal intent, or both can play a role.

On Jan. 2, Family Health Enterprise, a non-profit primary care services provider in Atlanta, notified about 3,000 of its patients of a breach of unsecured personal medical information from a mammogram program after its office was broken into and two laptops were stolen.

After the break-in, executive director Edith Mata said the center planned additional security steps, including building a wall in the offices to protect files.

In the largest reported incident in Georgia, Emory Healthcare last year discovered that 10 backup computer data discs from an obsolete and discontinued software application could not be located. They contained the names, diagnoses, surgical information and, in most cases, the Social Security numbers of more than 300,000 patients over a 17-year period.

The data was not encrypted and was stored in a cabinet in an office. The office was locked at night and access to the hallway could only be gained with a security badge, but the cabinet was not locked.

The discs haven’t been found.

“We think they may actually have gotten disposed of with some trash,” said president and CEO John Fox, who had some personal health information lost in the breach.

Emory said it isn’t aware of any further patient harm from the loss. But it spent more than $1.7 million to mitigate the breach and pay for credit monitoring services for the affected patients.

Fox said a specific security protocol was not followed and that an employee “misinterpreted our policy.”