What To Do After A Medical Data Breach
By Adrian Johansen, freelance writer; @AdrianJohanse18.
When most people visit their health professional, they go in confidence that they are in good hands and that the confidentiality of their health issues and personal information is protected. After all, who can a person trust more than their doctor? Unfortunately, while patients' data is safe the majority of the time, there is always the chance that a data breach could expose private information.
Such a breach could be the work of an attacker, the result of a system failure, or even the consequence of a natural disaster. In every case, the healthcare organization is responsible for keeping patient data secure. If it fails to do so, it must do damage control, and patients must take their own steps to protect themselves. Here is a breakdown of what is expected of these organizations and what consumers should do in the event of a medical data breach.
The Responsibility of Health Companies
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and its Privacy Rule, which took effect in 2003, established that covered health organizations must keep patient information private and confidential. Alongside it came the HIPAA Security Rule, which requires those same organizations to perform a risk analysis and to maintain administrative, physical, and technical safeguards so that electronic patient data cannot be stolen or disclosed to unauthorized individuals.
While many organizations have the proper barriers in place to prevent the loss of data, there have been instances where significant breaches have resulted in major leaks. The data exposed in such a breach can include everything from patient names and addresses to Social Security numbers, which can be used to commit identity theft. If you discover that a breach has occurred and it affects your patients' data, then you must take action. You should also prepare for your patients to do the same, often in the form of lawsuits.
In 2014, attackers broke into the systems of UCLA Health and gained access to the records of 4.5 million patients; the resulting class-action lawsuit cost the organization a $7.5 million settlement. Another such breach took place in 2019 when UConn Health, the University of Connecticut's teaching hospital, was compromised. In this instance, the attackers accessed employee email accounts, which potentially contained patient records and Social Security numbers. The related class action suit is still pending.
Health Companies Need Contingency Plans
It is the responsibility of health companies to keep patient data intact and protected. First and foremost, as soon as a data breach is confirmed, the company is responsible for informing all affected patients or customers of what has occurred and what they should do; under the HIPAA Breach Notification Rule this must happen without unreasonable delay and no later than 60 days after the breach is discovered, and breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services. The company must act swiftly to determine how the breach occurred and contain it so that no further damage can be done.
Before a data breach ever occurs, every health organization should have a disaster recovery plan in place. Such a plan is intended to minimize the damage from any number of disasters, including intrusions, terrorism, and natural disasters. Risk assessments must be completed to see how vulnerable the systems are to each of these incidents, and preparations must be made to minimize the impact of such an event.
Furthermore, health companies need to train their staff on the importance of cybersecurity and on how to avoid common threats, much as patients must on their home networks. Measures such as using strong, unique passwords, keeping a proper backup system in place and periodically testing that backups can actually be restored, and recognizing phishing attacks are all imperative to protecting patient data. When health and safety are at stake, there should be no margin for error.
What Patients Must Do After a Breach
If a patient discovers that their personal data has likely been stolen, advise them to take immediate action. They need to ensure that their Social Security number and other account numbers are not being used to open credit cards or make purchases without their knowledge. To do this, they should check their credit reports from all three credit bureaus so they can catch any fraud before it is too late, and consider placing a fraud alert or credit freeze on their files. They should also be advised to check any Health Savings Accounts (HSAs) they hold, since attackers can withdraw money from these accounts as well.
Patients will want a record of the incident, so they should be advised to file an identity theft report with the Federal Trade Commission (at IdentityTheft.gov), which produces an official record they can use when disputing fraudulent accounts and charges. Patients should also request copies of their medical records and review their insurers' Explanation of Benefits statements so they can spot any procedures or services billed in their name that they never received.
As many have done before, some patients might also choose to hire a lawyer and seek damages. To afford the most qualified lawyer possible, some will take out a title loan, pay through a payment plan, or pay the lawyer only once a settlement is reached. As a practice, you do not want to be on the hook for millions of dollars because of carelessness.
The possibility of a medical data breach is real, so it is essential that medical establishments keep their systems secured and patched and stay updated on current threats. Stay informed so that both your patients and your practice remain protected.