The bad news is that you have gout. The worse news is that someone hacked into your general physician’s computer network, grabbed your personal and financial data, and just charged $5,000 in electronics to your credit card. The Home Depot, Target and Goodwill Industries are just a few of the names that come to mind when you think “data breach.” But a growing area of concern is healthcare, where patient data – including payment information, social security numbers and more – has become as valuable as, if not more valuable than, the hacked information garnered from retail store systems.
That’s because fraudsters can go a step further with healthcare data than merely charging a boatload of electronics. They can become you – that’s right, identity theft, a term even more frightening than credit card fraud. And the numbers are staggering. Check out the Identity Theft Resource Center’s (ITRC) breakdown of U.S. data breaches by category as of September 16, 2014:
- Medical/Healthcare: # of Breaches: 233. # of Records: 7,020,797
- Business: # of Breaches: 191. # of Records: 7,504,312
- Government/Military: # of Breaches: 59. # of Records: 2,729,181
- Educational: # of Breaches: 40. # of Records: 1,562,823
- Banking/Credit/Financial: # of Breaches: 23. # of Records: 172,230
Medical/Healthcare leads the pack in the number of data breaches, while Business leads in the number of stolen records. However, a “data breach” that a medical provider is required to report can include an incident in which an employee loses a laptop with patient data, or some patient records are tossed in a dumpster, making identity or payment data theft unlikely. Even so, a 2013 report from Javelin Strategy & Research found that about 25% of people who received data breach notices of any kind (not just healthcare) eventually became victims of identity theft.
Either way, it’s unnerving to think that healthcare systems are so vulnerable. Unlike retail, where the fraudsters generally go after the POS system, in healthcare there is a staggering amount of unauthorized access from all points in the system.
We just returned from the Healthcare Billing & Management Conference where securing patient information was a huge topic. Bluefin is working with several large healthcare providers on implementation of our PCI-validated point-to-point encryption (P2PE) solution for the encryption of credit and debit card data at the point of entry. However, in this new world of data breaches where everything from payment data to patient social security numbers to addresses and phone numbers stored in your local DMV database has value to a hacker – a big consideration will be increasing cybersecurity at every point in the system and network. We feel encryption will go a long way in terms of protecting all data.