Since the shoddy launch of healthcare.gov in 2010, cyberattacks on Americans’ health records have risen “exponentially,” a Government Accountability Office report shows.
According to the GAO, the use of digital records allows healthcare providers to share information more easily and gives patients better access to their health data, among other advantages. However, the networks storing and sending health information in a digital format are “vulnerable to cyber-based threats. The resulting breaches—involving over 113 million records in 2015.”
In 2009, the number was far lower, with only 135,000 records breached. The number of reported hacks and breaches impacting data of at least 500 people spiked from zero in 2009 to 56 in 2015, which is nearly double the number from two years ago.
“The magnitude of the threat against health care information has grown exponentially,” GAO said, citing a 2015 study by the KPMG accounting firm.
The GAO describes potential adverse impacts including loss of personal privacy, embarrassment, insurance fraud, disruption of healthcare services, or blackmail by criminal organizations, insiders and threat actors.
“Criminal organizations and/or insiders could access data on medical conditions for purposes of blackmail, public embarrassment, or (in celebrity cases) sale to media outlets. For example, in 2008, staff at UCLA Medical Center leaked/sold actress Farrah Fawcett’s medical records to tabloid magazines, exposing her medical treatment information,” GAO noted, warning that attempts by insiders with access to medical information to extort money or cause harm to people’s reputations are a potential issue.
Additionally, threat actors could tamper with digital health IT systems “to cause disruptions in the medical community. For example, a threat actor could access and manipulate health records in an attempt to harm patients or disrupt health care operations at a medical facility (for example, by changing patient prescriptions),” GAO reported.
A provision in the Affordable Care Act requires medical providers to change from paper patient records to digital records as a means to reduce costs and improve care, but some warned that patients’ privacy would be at risk.
“The thing I worry about is not that we are doing it, but that we’re doing it without the right safeguards,” Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, told Fox News in 2013. “We have been giving (medical providers) incentives to move into the electronic-health-records era. But we haven’t been giving them enough guidance on how they’re supposed to do it.”
Back in 2015, Anthem, the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, had a large data breach. The Centers for Medicare and Medicaid Services (CMS), which provides oversight of the websites HealthCare.gov and Medicare.gov, claimed federal government networks were not impacted by the breach, The Hill reported. The unprecedented large-scale attack exposed the personal data of up to 80 million customers.
“We’re not talking with healthcare organizations as standalone entities anymore,” Christopher Budd, a security expert with TrendMicro, told The Hill. “They’re interconnected.” He added, “Those are basically roadways that attackers could be using.”