Protecting Personal Health Information from Theft and Fraud

By Jenna Sherman


Credit card numbers aren’t the only type of personal data that hackers are after. Medical records and personal health information are increasingly a target of data breaches, with millions of medical records exposed in 2019 alone. These records are fetching high prices on the black market, where they’re mined for information that can be used to open fraudulent financial accounts and even rack up medical bills.


As with other forms of fraud and identity theft, protecting personal health information requires a proactive approach from consumers and providers alike. This guide presented by Fraud Stoppers introduces the basics of medical data theft and the steps patients and providers can take to prevent it.

Medical Data Breaches Are On the Rise

  • Healthcare Finance reports that “more than 93% of healthcare organizations have experienced a data breach since Q3 2016, and 57% have had more than five data breaches during the same timeframe. Not only has the number of attacks increased, but more than 300 million records have been stolen since 2015, affecting about one in every 10 healthcare consumers.” Read more.


  • “But once hackers get their hands on a medical file, what do they actually do with it? It depends, according to Cantrell. ‘Sometimes they’re compromising this data and we don’t know how it’s being used, when or if it will be used to compromise those individuals’ identities,’ he said. But increasingly, hackers are selling the information for profit on the black market. According to Reuters, buyers might use the information to create fake IDs to purchase medical equipment or drugs, or to file a false insurance claim.” Read more.


  • “After an extensive forensic investigation and manual document review, Aloha Nursing Rehab Centre learned that ‘one or more of the files accessed by the unauthorized party on or about July 8, 2022, contained personal information pertaining to a limited number of individuals, such as full names, dates of birth, Social Security numbers, financial account information, driver’s license or state identification numbers, medical record and/or patient account numbers, health information, and health insurance information.’” Read more.

Who Has Access to Personal Health Information?

  • com notes that there are some exceptions to HIPAA privacy rights. For example, “life insurers, employers and some school districts are exempted from these laws. Government agencies such as Medicare or the Social Security Administration may examine your medical records for purposes of establishing eligibility for certain programs.”


“Your healthcare providers in their discretion may also release medical records without your written authorization in the following circumstances, among others: to insurance companies for purposes of processing health insurance coverage, billing or claims management; to professional societies and research organizations who are reviewing health care providers or doing medical research; to employers if they are evaluating workers compensation claims.” Read more.


  • “The legal right of businesses to harvest and sell the information of individual patients without their permission has been upheld by the US supreme court, thanks to a case in which conservative justices ruled in favor of IMS Health and against the attorney general of Vermont. In 2011, the high court struck down a Vermont law restricting the sale, disclosure, and use of records that revealed the prescribing practices of individual doctors, ruling that corporations’ right to free speech trumped individuals’ right to privacy.” Read more.

What Consumers Can Do to Protect Themselves

  • Reuters: “While the risk of theft is real, Chris Carmody, senior VP of infrastructure and services and president of ClinicalConnect Health Information Exchange at the University of Pittsburgh Medical Center, doesn’t suggest doing away with electronic records. ‘They empower patients,’ he explained. ‘So the message shouldn’t be to ask your doctors to stop using electronic records, but rather to ask what they are doing to protect your data.’” Read more.


  • If you or a loved one will be going into assisted living or a nursing facility, ask each facility directly about what cybersecurity measures they are taking to protect their residents. Threat Blockr explains that they should be doing the following: training staff in cybersecurity measures, implementing multi-factor authentication, setting up a cybersecurity-focused technology stack, ensuring backups are protected and stored off site, and creating a robust disaster recovery plan. Read more.


  • The FTC recommends that consumers “ask each of your health plans and medical providers for a copy of the ‘accounting of disclosures’ for your medical records. The accounting is a record of who got copies of your records from the provider. The law allows you to order one free copy of the accounting from each of your medical providers every 12 months.” Read more.


  • And Experian tells consumers to “review your credit history. Most medical ID theft is first detected when a victim gets a collection notice for an unpaid medical bill. Checking your free annual credit report from the big three credit bureaus — Equifax, Experian and TransUnion — will show any unpaid bills. You can get your free annual reports at Beware other sites that might try to charge you or steal your information.” Read more.

How Medical Practices Can Protect Health Information

  • According to The Chicago Tribune, “health care providers, in general, tend to spend less on data security than companies in other industries. The shortfall is all the more glaring considering the sensitivity of the data.” Read more.


  • “Data encryption is required by HIPAA when transmitting PHI over open networks as a way of safeguarding PHI. Data encryption scrambles text to make it unreadable if it gets in the hands of a person who doesn’t have a ‘key’ to unlock it. Many software programs have data encryption capabilities built-in, or you can use third-party resources. It’s important for everyone in the practice to understand what steps to take to encrypt data that includes PHI.


However, data encryption is not completely fail-safe, so experts caution that you shouldn’t rely on data encryption as your only defense against healthcare cybersecurity breaches.” Read more.
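The paragraph above describes encryption in general terms; the following is an added example, not code from the article or from any product it mentions, showing what “scrambling” PHI with a key looks like in practice. It uses Go’s standard-library AES-256-GCM, an authenticated mode, so that a record cannot be read without the key and cannot be silently altered or re-attached to a different patient. The record, the identifier `MRN-EXAMPLE-0001` and the note text are constructed for illustration. It also makes the article’s caveat concrete: the code protects only the data it seals, and nothing here protects the key itself, the systems that hold it, or the people authorised to use it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is a constructed, fictitious PHI record used only to illustrate
// encryption. The values are not real patient data.
type Record struct {
	PatientID string // stays in the clear so the store can be indexed
	Note      string // the sensitive part, encrypted before storage
}

// NewKey generates a fresh 256-bit AES key. In a real practice the key would be
// held in a key management service or HSM, never stored beside the ciphertext;
// encryption protects nothing if an intruder can read the key with the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts rec.Note under key with AES-256-GCM. The patient identifier is
// bound in as associated data: it remains readable, but the resulting blob will
// only open under that same identifier. A random nonce is prepended, so the
// output layout is nonce || ciphertext || authentication tag.
func Seal(key []byte, rec Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(rec.Note), []byte(rec.PatientID)), nil
}

// Open reverses Seal. It returns an error, and no plaintext at all, if the key
// is wrong, if any byte of the blob was altered, or if the blob is presented
// under a different patient identifier than it was sealed with.
func Open(key []byte, patientID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(patientID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	rec := Record{PatientID: "MRN-EXAMPLE-0001", Note: "constructed sample clinical note"}
	blob, err := Seal(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored for", rec.PatientID+":", hex.EncodeToString(blob))

	// Reading it back with the right key and identifier works...
	note, err := Open(key, rec.PatientID, blob)
	fmt.Println("opened:", note, err)

	// ...but a single flipped byte is detected rather than returned as garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, rec.PatientID, tampered)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The associated-data binding is the part most often left out of “we encrypt the column” designs: without it, an attacker who cannot read records can still swap two patients’ encrypted notes and the application will decrypt them without complaint. Run it with `go run main.go`; each run prints a different hex blob because the nonce is random, which is exactly what a reviewer should expect to see.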


  • According to the American Medical Association, “Once a covered entity knows or by reasonable diligence should have known (referred to as the ‘date of discovery’) that a breach of PHI has occurred, the entity has an obligation to notify the relevant parties (individuals, HHS and/or the media) ‘without unreasonable delay’ or up to 60 calendar days following the date of discovery, even if upon discovery the entity was unsure as to whether PHI had been compromised.” Read more.

Take Steps to Protect Vulnerable Patient Information

As healthcare records go digital and pass through more hands than ever, the risk of data breaches will continue to grow. It’s up to healthcare providers and business associates to ensure their cybersecurity practices comply with HIPAA not only in name but with certifiable proof. In the meantime, consumers should talk to their medical providers about the steps they take to protect personal health information and choose organizations that put privacy first.


If you or someone you love has been the victim of fraud, contact the Fraud Stoppers!

