Patient information privacy has been an important issue in healthcare management since the Health Insurance Portability and Accountability Act was passed in 1996. But recent events show how important the topic has become for anyone seeking an MBA in health administration.
Chinese hackers allegedly stole 4.5 million patient records from Community Health Systems, a publicly held healthcare provider that did just under $13 billion in revenue last year.
According to an SEC filing, CHS confirmed that its computer network had been under attack in April and June.
The Company and its forensic expert … believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company. … [I]n this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company.
CHS did have “cyber/privacy liability insurance” for losses. The data included “patient names, addresses, birthdates, telephone numbers and social security numbers.” The company will provide identity theft protection services to the affected consumers. But if the Health and Human Services Department decides to take action, expect the insurance rates to rise, because the potential penalties could be significant, to say nothing of what lawsuits might come its way.
Sadly, this isn’t an isolated incident. More than 30 million people have been directly affected through healthcare providers. Almost 59 percent of the problems were data theft. The industry has apparently become an increasingly frequent target of cyberattacks. Last year, according to the Identity Theft Resource Center, healthcare companies accounted for 43.8 percent of all breaches. It was the first time the industry hit the top of the cyber insecurity charts.
Hospital records, like the ones taken from CHS, often have valuable personal information that enables identity theft. The potential damage to consumers is considerable and frequently ongoing. A case of identity theft can cause problems that can literally last years for a person.
The risk management issues for the provider can be equally damaging. Patients might sue over the loss of their data. Bad publicity can drive away consumers and damage the company’s brand. There is the potential for stiff penalties as regulators crack down on poor security. And fraudsters can use stolen medical records to get free healthcare, which becomes a financial burden on the industry.
Cybersecurity is no longer something that healthcare providers, or their administrators and executives, can ignore.