Earlier this month, two San Francisco hospitals reported that 900 patient records had been compromised. The two hospitals involved were San Francisco General and Laguna Honda. The San Francisco Public Health Department was notified and began their investigation at once. They found that a former employee of Nuance Communications was at fault. Nuance is a third-party vendor to both hospitals providing voice recognition software for medical transcription.
The Public Health Department is partnering with Nuance Communications to get to the bottom of the breach and mitigate the damage as quickly as possible. The former employee at Nuance illegally accessed the patient records of about 900 patients from the two San Francisco hospitals. The lost data included names, dates of birth, and details about patients’ conditions and diagnoses. It did not include any social security numbers, financial information, or driver’s license numbers.
The patient records were accessed between November 20th and December 9th of 2017. The health department confirmed that all patients affected had been notified.
In a statement, Roland Pickens, the director of the San Francisco Health Network, said, “We sincerely apologize for any inconvenience or concern that this situation may cause. All of our vendors are required to attest to the protection of patient privacy, as part of their contract, and we continue to audit and improve upon that process.”
After an investigation by the U.S. Department of Justice, authorities said they believed the stolen information had not been offered for sale online. They also stated that all personal data from patients had been safely recovered from the former Nuance employee.
A Health Department spokeswoman said that the investigation was still ongoing and that all parties were working together in harmony to resolve these issues as quickly as possible. They assured the affected patients that their personal medical information had been recovered and that the risk of damage from the breach was minimal.
Patient medical data has become a hot target for cyber thieves because it usually contains a great deal of information about the patient. Hospitals collect many types of personal information from patients including names, addresses, phone numbers, social security numbers, driver’s license numbers and detailed information about the patient’s medical condition. This type of information is considered high-value by cyber thieves because it has so many different uses. For instance, knowing the medical condition of a person would give criminals an arsenal of tools with which to defraud the patient. In many cases, patients who lose this type of information feel vulnerable. Patients often already feel as if they’ve lost control due to their compromised health condition. But then, a cyber-criminal steals their personal data and they feel as if they’ve been attacked again.
For these and other reasons, hospitals and healthcare organizations must be especially careful when dealing with patient records. HIPAA guidelines provide doctors and hospitals with a full set of standards regarding the processing of patient data. The law seeks to reduce fraud, waste, and abuse while delivering better health care to individuals.
In 2014, 56,000 medical records were stolen from patients at San Francisco General, along with a few city-run clinics. In this case, as in the last one, a third-party vendor was responsible for the breach. An employee of Sutherland Healthcare Solutions, a billing company doing business with the hospital, stole the records in order to sell them on the Dark Web, where they might have brought thousands of dollars.
In February of 2015, Anthem Health Insurance experienced a data breach in which 80 million company records were compromised. To date, this has been the largest attack on hospitals, insurance providers, and healthcare. Investigators said that cybercriminals were able to break into the insurance company’s servers and steal the records.
Officials say that they expect data breaches at healthcare organizations to rise over the next few years. The reason? The information that cyber thieves can collect is so thorough that it allows thieves to assume the identity of the person. Once they do this, they can set up new accounts, access the patient’s bank account, or use their credit cards.
In past breaches, hospitals and health care providers have lost patient records in numerous ways. The top four methods used were:
In some cases, personal patient info is exposed due to technological glitches in the software or hardware that a healthcare provider uses.
In response to the two latest breaches at San Francisco General and Laguna Honda, hospital officials said they were strengthening their security practices. Many security experts believe that every organization, whether private or public, should treat cyber security as a boardroom topic instead of an IT issue. The rise in healthcare breaches confirms that.