How to Protect Yourself From a Medical Data Breach and Avoid a Disaster
“Think of your identity like a puzzle,” she says. The more pieces you offer up to a thief—about an impending surgery, for example—the easier it will be to impersonate you.” -- Eva Velasquez
(Washington, DC) – Theft of your personal medical information is on the rise, despite stringent privacy laws intended to safeguard it, according to a new study in the Journal of the American Medical Association (JAMA).
The breaches of electronic health records can include a vast array of personal information, including your Social Security number and medical history. The theft is just the latest example of how all private data is increasingly subject to breaches, where credit card numbers, account logins, and more end up in the wrong hands.
“Patients have an expectation of confidentiality, and breaches are a failure to meet that expectation,” says study author Thomas McCoy, M.D., director of research at the Center for Quantitative Health at Massachusetts General Hospital.
McCoy and his co-author analyzed breaches of health data that were reported to the Department of Health and Human Services between 2010 and 2017. (A law passed in 2009 requires companies to inform HHS and affected individuals of any such breaches affecting at least 500 people.)
They found that breaches rose steadily almost every year. Healthcare providers, such as hospitals, had fewer than 150 data breaches in 2010; in 2017, that number had risen to 250. And though breaches of health insurers have risen more slowly, the sheer amount of data compromised in those cases means that more than 110 million such records have been breached since 2010.
What's the Risk?
When hackers steal health data, they can commit all kinds of identity theft—not just medical fraud, explains Eva Velasquez, CEO of the nonprofit Identity Theft Resource Center.
“Think of all the things you yourself can do with your identity credentials. You can apply for loans, you can get medical care, you can apply for government benefits,” says Velasquez. “Our medical data is rich with the [information] a thief needs to do all of that.”
Of course, you can’t just opt out of medical care, and “it really shouldn’t fall on a patient in distress to protect herself from this,” says Justin Brookman, director of privacy and technology policy for Consumers Union, the advocacy division of Consumer Reports. “We can’t expect that burden to fall on consumers. Security laws are weak in this country, and need to be stronger.”
In the meantime, however, there are some things you can do to help protect your health data. “Don’t be the low-hanging fruit,” Velasquez says.
What You Can Do
Don’t overshare. “The instinct within medicine—as well as in other industries—is to collect everything and keep everything, without taking the time to assess risks and benefits,” cautions Brookman. If you’re not sure why your doctor needs a particular piece of information, just ask whether it’s really necessary. For example, many standard forms ask for a Social Security number, but it’s often fine to leave that field blank, Velasquez says; that's a piece of personal information you should guard with extreme care. And don’t overshare on social media either, she advises: “Think of your identity like a puzzle,” she says. The more pieces you offer up to a thief—about an impending surgery, for example—the easier it will be to impersonate you.”
Know who you’re talking to. If you get a call or an email that claims to be coming from your insurer or your provider, don’t provide any personal information in response, Velasquez says. Instead, call your doctor directly or log in to your insurer’s patient portal, for example, to verify that the query is really coming from them.
Read the “explanation of benefits.” Your insurer routinely mails out these summaries of medical services rendered, with “This is not a bill” printed on top. But “take 30 seconds and scan the explanations and make sure it’s really for goods or services you received,” Velasquez advises. You should also take the time to briefly review everything mailed to you from doctors and your insurance company. If you spot anything suspicious, contact the provider or your insurance company; problems are easier to fix when they are spotted early.
Freeze your credit. “Unless you’re actively shopping for a mortgage, it’s better to have your credit frozen by default,” Brookman says. That prevents thieves (or anyone else) from opening a new line of credit, such as applying for a loan, in your name. Freezes are now free; here’s our step-by-step guide on how to use them.
Have a plan. If your medical information is stolen, first, it’s important to know what exactly was stolen. Having your Social Security number compromised is very different than having an account login compromised, Velasquez says, and the steps you need to take to address a breach will vary. That’s why you should consider seeking professional help if you’ve been informed of a breach or suspect one. Your home insurance, renters’ insurance, or employee benefits package may include identity protection services, Velasquez says, which can help you navigate what to do next in the event of a breach—see what’s available to you before you need it. The Federal Trade Commission can also generate a remediation plan for you and provide free assistance, as can the Identity Theft Resource Center.