Health Noir: $10 Million Ransom Demand for Data – and Stranger Crimes Are Coming

(originally written for The Huffington Post)

“Attention, Virginia!” the ransom note begins. “I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 😦 ”

“For $10 million, I will gladly send along the password. You have 7 days to decide.”

Someone says they’ve stolen 8.3 million patient records, and now the FBI is on the case. However strange this crime may sound, it was a predictable event. Stranger and more severe crimes are coming, if they’re not here already. I’ve been tracking health data breaches for a while, and it’s one of six scenarios I sketched out (but chose not to publish). It’s important now to ensure that these concerns are given a high enough priority – and proper funding – in future health IT initiatives.

Whatever your position on health reform, nobody wants health data to be the topic of the next private eye novel or film noir. Philip Marlowe wouldn’t be happy working at HHS.

Since they’re now playing out in public, I’ll briefly mention those other five scenarios. They are:

1. Individuals are blackmailed using information obtained from stolen medical records.
2. “Medical identity theft” – using stolen information to fraudulently obtain medical care
3. Stolen information is used to submit fraudulent bills to Medicare, Medicaid, and insurance
4. Electronic funds transfers are intercepted using stolen data
5. Medical data is used to obtain controlled substances and sell pharmaceuticals online

There are no doubt other ideas out there, and inventive minds will find them. Authorities say the Virginia hackers breached the system’s security, but it’s less clear whether they can do what they’ve threatened. Either way, the language in their ransom threat seems to fit the hacker profile of young American kids with time on their hands. We don’t know whether that’s real or a ruse, but it raises a couple of disturbing questions:

– What happens when organized crime gets into the stolen health data business?
– Who says they haven’t already?

Crime syndicates could become brokerages for acquiring and selling health information, which can be traded online.

It would be a mistake to use the threat of these crimes to oppose health IT initiatives, however. These crimes will continue, no matter what, because the exchange of data is embedded in every aspect of our insurance-based health system. Doing nothing will not protect us. It makes more sense to use this historical moment to take bold preventive steps.

If stolen health data fits the pattern of other cybercrimes, publicly reported breaches don’t reflect the full scope of the problem. So what should the Administration and private industry do next?

1. Acknowledge the problem. Don’t lose control of the debate by letting health reform opponents raise the topic first.
2. Provide funding for security software and solutions.
3. Clarify the security levels and procedures expected of all health IT users. (You’d be surprised how many of these breaches occurred because someone left a laptop in an airport or a computer disk on their front seat.)

What should private industry do? Those industries that will benefit from reform and IT initiatives could establish a reward – something like the “X Prize” – for innovative security solutions in healthcare.

Organized crime – or even disorganized crime – has no place in the world of healthcare.

Stop Thief!

A Harris Interactive poll suggests that public awareness of health privacy concerns is on the rise, according to a report in Modern Healthcare.  The poll is described as an “online interactive” survey, however, which raises concerns about sampling validity.  That caveat aside, it’s interesting to note that there appears to be increasing public awareness of health data theft and data security issues – which, as we have written here before, are rampant.  (We’ve been following health privacy concerns for some time now.)

The poll also suggests that data thefts could be undermining public support for Electronic Health Records (EHR), which is another reason to get this problem under control before it escalates any further.

The Modern Healthcare article also reports that Booz Allen Hamilton was awarded a $450,000 grant in order to

…do an “environmental scan” to get its arms around the problem, then convene a meeting to gather ideas on how medical identity theft should be addressed, and then to write up an action plan recommending ways to deal with the problem.

I would’ve liked to have that contract, and I could’ve done it for a lot less.  We haven’t begun to explore the full implications of rampant health data theft – and we shouldn’t, at least in a public forum.

Still, I suspect the real solution to this problem is going to come from an imaginative entrepreneur, not a Federally-funded study.

(via CHCF’s iHealthBeat; image courtesy Medical Informatics Insider)

What Celebrities Can Teach Us About Healthcare: George Clooney Edition

What do George Clooney, Newt Gingrich, and the Hungarian Communist Party have in common? They each have something to teach us about health care information, privacy, and public confidence.

As most Americans probably know, Clooney had a motorcycle accident a few weeks ago and was treated in a New Jersey hospital. 27 hospital workers – including doctors, nurses, and clerical staff – were later suspended for accessing his medical records. Apparently some of them peddled his medical information to the press, while others took a look just to satisfy their own curiosity. Most of them weren’t involved in his treatment, but they could still view his records anyway.

Clooney generously asked the hospital not to punish the medical workers, but that’s not the point. What Clooney’s experience teaches us is this: A lot of people have access to medical information. The more we use computers to collect and process this information, the more we are at risk for having our privacy invaded.

Those 27 hospital workers were just the tip of the iceberg. Once Clooney’s information left the hospital it went to a number of different organizations, which probably included:

• his insurance company’s bill processing operation (with some data processed offshore, where there have been serious security breaches and even data blackmailing);
• his insurance company’s utilization review company, which will determine whether the treatment was appropriate;
• the insurance company’s payment processing center; his insurance company’s pharmacy utilization review company, for any post-hospitalization prescriptions written;
• his insurance company’s data analysis group ….

Shall I go on? There’s more. A study I recall from the 1980’s said that an average of 25 people view each medical bill as it makes the transition from the treatment process to payment.

That’s where Newt Gingrich enters the picture. What he shares with all the Democratic Presidential contenders is his strong support for expanded health care informatics, including expanding the use electronic medical records. And they’re right. EMRs are an important tool, even under a single-payer system (although less so).

That’s why Americans want this digitization to continue – but are rightfully concerned about privacy. Privacy breaches of health care data are extremely common – even more than most people realize – affecting hundreds of thousands of people (more here).

It’s surprising that this hasn’t become more of a hot-button political issue. And the next wave of debate will appear when we start address the potential applications of personal genomic information. Esther Dyson discussed the issue of genomes and insurance, but we’ll also be confronted with other potential uses – and misuses – of this data. J. Craig Venter has written a book about his genome, but he doesn’t have to worry about losing out on a job because something in his data makes him look like a poor prospective employee.

That’s where MSZMP, the Hungarian Communist Party, comes in. I was part of a World Bank team that helped Hungary convert its health economy from a factory-based system to one based on public insurance (as in Western Europe, Great Britain, and Denmark). We addressed financing, administration, and IT architecture. But the public was resisting the process. They weren’t enrolling in the new program, they were reluctant to come to the insurance organization’s offices, and there was an simmering undertone of hostility to the program.

We discovered one reason why. The new program headquarters was in a skyscraper located next door to a squat, grim, semi-modern building that had once served as Communist Party headquarters. Built during the post-1956 era of repression, the building held an aura of totalitarianism that permeated the whole neighborhood. That created a backlash of fear and hostility toward the public insurance project.

There is a bright future for health informatics and health genomics, but people will need to trust the institutions that administer them to protect their privacy and use their data appropriately. This should be a national priority, before fear and suspicion replace hope and optimism.

And that’s what George Clooney can teach us about healthcare.

(There’s a different take on the same topic, called “Health Privacy Creates Policy and Technology Challenges,” on The Sentinel Effect.)

Health Privacy Creates Policy and Technology Challenges

Last summer the Wall Street Journal ran a piece about inaccurate data on medical records, which is a common problem. That led WSJ blogger Jacob Goldstein to observe that, when it comes to obtaining health coverage, medical records are the new “credit score.”

He’s absolutely right – although you can argue that, as reporters say, he “buried the lede.” Most people don’t even realize that insurance companies ever see their personal medical records. That’s a significant story. In fact, most people have no idea who sees their medical information or where it goes. I’m not aware of any comprehensive study on the collection and distribution of medical information.

I do recall seeing a research paper on insurance information in the 1980’s that said that the typical medical bill is handled by 25 different people before it is paid or denied. (No citation available, though I’ve tried to track it down – so consider it apocryphal if you must.)

Policy Need #1: Public awareness, debate, and accountability for the sharing of medical information in the claims administration process.

The digitization of medical information is the new “bipartisan” issue of the 21st Century, uniting politicians from Hillary Clinton and John Edwards to Newt Gingrich. And there are compelling reasons for it, whatever shape health care reform eventually takes. But there are risks.

There have been many security breaches of health data involving hundreds of thousands of patients and their medical records, as we’ve discussed before. (The total number of people involved in any type of data breach over a three-year period? 159 million.)

Technology Need #1: A health security coding system for providers and payers that really works. A number of people are working on it, and there’s a university study group tackling the issue, but nobody’s cracked the code yet in a way that these various markets can embrace.

Then there’s the growing area of health data mining. This can be a very good thing, encouraging both research and better services for individuals. Yet the political state of the art lags behind the technology, which keeps developing. Esther Dyson has an attractive solution: informed consent. Answer those online questionnaires and search for medical information all night if you like, she suggests, but insist that your digital content providers allow you to control what is and isn’t shared.

Policy Need #2: Extend informed consent to health technologies of the future, too, such as telemedicine. It’s an elegant, simple solution to a growing problem – a solution that arose in the private sector. But it doesn’t cover all possibilities. That’s why the American Medical Informatics Association offered some suggested guidelines for the secondary uses of medical data that includes public debate and consensus; a health data taxonomy; and a redirection of the debate away from the ownership of data and toward the the topics of access, use, and control.

We’ll have even bigger problems in the future, including the collection and use of genome data. Dyson understands the implications of genomic information on the insurance industry better than the Economist does, but neither addresses the possibility of genomic data being used for, say, pre-employment examinations.

Would Abraham Lincoln ever have become President if the country knew in advance that he had a tendency toward severe depression? And if he hadn’t been, would the country have been better off?

Technology Need #2: A genomic “reader” that is sophisticated enough to categorize an individual’s enhanced abilities as well as their vulnerability to disease.

Policy Need #3: A national debate on the proper uses of genomic data.

So, when do we begin the public discussion of health data and privacy? And who’s going to meet those tech challenges and reap the economic rewards that will follow?

(Image of secure public health data center licensed under Creative Commons from HMS, Inc.)

Privacy, Crime, and Disaster: The Achilles Heel of Health Reform?

Health IT is being treated as an integral aspect of reform across the political spectrum, from Bush and Gingrich on the right to Clinton and Edwards on the (relative) left. But the proliferation of confidential health information in digital form has already created the risk of a major privacy disaster, and large amounts of this data are lost with embarrassing frequency.

So, what is the Federal government doing to protect this information? Not enough, according to the Director and Assistant Director of the Health Privacy Project. They’ve resigned in protest from a government-funded IT working group.

The Health Privacy project is a subcommittee of the American Health Information Community (AHIC). AHIC was created by the Federal government “to advise the Department of Health and Human Services on market-driven ways to better use information technology to improve health care and cut costs,” writes eWeek magazine.

eWeek observes that “From the start, the subcommittee seemed an afterthought. Though AHIC held its first meeting in October 2005, the Confidentiality, Privacy, and Security Workgroup, or CPS, was only instituted in the latter half of 2006. ”

A GAO Report rapped HHS for failing develop a comprehensive policy for health privacy issues, while another GAO report found that Medicare patient data is at risk.

This frequent loss of data should be of concern to insurance companies that provide E&O, liability, and other related coverages. It’s only a matter of time before somebody’s personal data is revealed and a lawsuit results. And then there’s that disaster I alluded to earlier.

What do I mean by a “major privacy disaster”? As I’ve been reporting for some time (here, here, here, and here), losses of health data occur with alarming frequency. A major disaster could occur if this information got into underworld hands, where it could be used for crimes such as the following:

1. Identity theft
2. Use of false identities to obtain prescriptions that medical records indicate were written for a patient with that name
3. Blackmail of individual with compromising medical histories
4. A black market in false insurance cards and certifications of coverage
5. Cyberterrorism
6. Thousands (or hundreds of thousands) of personal medical records are posted on the Internet as an act of random vandalism

OK. I started this piece as a critique of government efforts so that I could offer recommendations to government and industry. Instead, I’m coming up with new and creative suggestions for evil criminals.

Believe me, if I can think of it so can somebody else.

So what’s to be done? Here are some suggestions:

1. Ramp up R&D in privacy technology for healthcare
2. Improve underwriting for E&O and liability insurance to address exposures for data loss or theft
3. Start a major government initiative in health privacy

If these things don’t happen soon, our country may look back with regret at a lost opportunity to mitigate risk … and prevent disaster.

Health Data Privacy: The Coming Disaster

I feel like one of those people who kept saying there was going to be a catastrophe in the Gulf when that Category 5 storm hits. I know I keep harping on the need for health data security (and therefore the opportunity), but here are two more pieces of relevant information.

The New York Times writes that a GAO study indicates “the Bush administration has no clear strategy to protect the privacy of patients as it promotes the use of electronic medical records throughout the nation’s health care system, federal investigators say in a new report.”

Meanwhile, hospital CIOs report (in an admittedly imperfect but interesting survey) that they expect to greatly increase spending on clinical systems – systems that will contain even more personal information than is currently in any large-scale database.

The Times elaborated:

In the report, the Government Accountability Office, an investigative arm of Congress, said the administration had a jumble of studies and vague policy statements but no overall strategy to ensure that privacy protections would be built into computer networks linking insurers, doctors, hospitals and other health care providers. (emphasis mine)

… In 2004, Mr. Bush declared that every American should have a “personal electronic medical record” within 10 years …

Is anybody listening? The personal electronic medical record is a good idea – but eminently hackable under current conditions. Even today’s medical records contain enough information to do serious damage, and I’ve reported on a staggering series of data losses.

This issue is both a policy concern and an entrepreneurial opportunity. Who will address it first – private-sector tech innovators, or policy makers?

Or will the problem just linger on, unaddressed, until one day Americans find themselves flooded with breaches of privacy regarding their health history?

Sorry to sound alarmist, but look at it this way: Do you wonder to spend your time wondering who will be the first to post your medical records online?

300,000 More Records Lost! When Organized Crime Gets Organized – Look Out

We learn today of yet another massive loss of health records. Backup tapes containing data on 300,000 health plan subscribers were stolen from an office of managed care negotiators Concentra Preferred Systems. The thieves were looking for more readily disposable loot, according to the Louisville Courier-Journal:

Thieves who stole the tapes also broke into five other businesses in the building, taking cash, pharmaceuticals, and other readily disposable items. Because of that, police have said they don’t believe the thieves were sophisticated criminals seeking the computer tapes. “We have absolutely no reason to believe that the information that was on the tapes, or the tapes themselves, were the intended target of the thieves,” (Wellpoint spokesman Jim) Kappel said.

Many of data losses happen the same way. Thieves steal other items and pick up something containing confidential data – a laptop, tapes, diskettes, etc. – along the way.

Unfortunately, there are smart people in the organized crime business. They don’t let opportunities pass by for long. One of these days word is going to get around that there’s a hot market for identity data, and that you can contact “X” if you pick up anything with computer records on it. “X” and his friends will take it from there, fencing the data to illicit techies who can decipher the data and sell it to the organized identity theft market.

While it’s an interesting mental exercise to apply entrepreneurial creativity to criminal enterprises, I’m not worried about giving the bad guys ideas. They’ll think of it themselves, just as they have with everything from movies to the constituent chemicals for methamphetamines.

Now it’s time for the good guys to start thinking – or, more specifically, those who want to “do well by doing good.”

Once Again, Health Records Lost

From the Baltimore Sun:

Up to 130,000 former and current patients at St. Mary’s Hospital in Leonardtown have recently been notified that a laptop with personal information was stolen from the hospital in December. Just last week, Johns Hopkins officials reported the loss of thousands of employee and patient records.

We keep reporting on this ongoing problem. There’s going to be an initiative to prevent this kind of catastrophic data loss, either through a private-sector product that protects health data or through government mandate.

Insurance companies that cover health organizations are at risk. So are the organizations themselves. And individuals are being exposed to a number of unpleasant possibilities, from identity theft to blackmail.

Who’s going to step up and address this issue?

Personal Information For 135,000 People Lost By Johns Hopkins

Tapes containing data on 135,000 people were lost by Johns Hopkins. Files were lost on 52,567 employees and 83,000 hospital patients. The records contained personal information (e.g. names, SSNs, medical record numbers), but no medical records. While Johns Hopkins believes the tapes were misplaced and then destroyed, this is the latest in a string of losses of personal information. Many of these losses were health and insurance related.

When will some enterprising IT organization step up and provide a common security platform for health IT data? We have PGP technology, after all. The first entrant could market hard, solicit support from state regulators and national-level players, and own the market while providing a needed services.

Here’s a partial list of health-related organizations that lost medically-related data (and it’s just for one year):

• Emory Healthcare
• Williamson Medical Center
• Marsh CS Stars (later recovered)
• California Department of Health Services
• Christus St. Joseph Hospital
• University of Florida Health Sciences Center
• Ohio State University Medical Center
• University of Tennessee Medical Center
• Keck School of Medicine at USC

It’s only a matter of time before some of this information is posted on the Internet or used in some other public way. Then all hell will break loose. Who’s going to provide the solution before that happens?

Medical Information on 25,000 People Stolen

Computerworld is reporting that “the theft of a computer from the office of an Ohio-based health care contractor on Nov. 23 has exposed sensitive data belonging to tens of thousands of patients in five health care firms across five states.” They add that “the compromised data includes the names, addresses, medical record numbers, diagnoses, treatment information and Social Security numbers of the patients.”

One under-recognized problem with our complex health care system is that information has to be shared by many parties. Here are a few of them: health care providers, insurance companies, bill processing vendors, data analysis/reporting services, utilization management companies, and specialty vendors (e.g. psychiatic care management services).

This creates a proliferation of personal data across a series of computer systems, amplifying the risk for theft or accidental loss of personal data. In many cases thieves are only interested in stealing the hardware, but wind up with personal information on their hands.

The Privacy Rights Clearinghouse tracks the loss of personal data, much of which involves health and insurance information. In one well-known case, a laptop belonging to Marsh CS Stars disappeared with information on over 200,000 insurance claimants . In another, a data entry person in India stole personal claims data and used it in an attempt to force her employer’s U.S. client to reimburse her money she felt she was owed. Hospitals and health care companies have also been affected.

Other incidents of health or insurance data breached involved the California Department of Health Services, Christus St. Joseph Hospital, University of Florida Health Sciences Center, Ohio State University Medical Center, University of Tennesee Medical Center, and Keck School of Medicine at USC.And that’s just for one year.

These incidents will continue. For legal reasons, players in the health & insurance arena will need to demonstrate that they made serious efforts (under the “prudent person” principle) to protect personal data. Insurers who provide E&O and other coverage may also want to review their underwriting practices, particularly regarding the storage of personal information on laptops that are more easily misplaced or stolen.

That’s a form of ‘insurance portability’ that nobody needs.