Health data breaches sow confusion, frustration

As the privacy officer for The Advisory Board Co., Rebecca Fayed knows a thing or two about privacy and what can happen when it’s violated.But when Fayed received a letter telling her that she, like nearly 80 million others, was the victim of a hacking attack on health insurer Anthem Inc., she couldn’t figure out why. Anthem wasn’t her insurance provider.“I had no idea that Anthem even had my data,” Fayed told a gathering of privacy professionals recently at the National HIPAA Summit in Washington, D.C. “I went running around the house, ‘Why does Anthem have my data?’”

Fayed soon figured out the connection: Her previous insurer, a Blue Cross plan, was affiliated with Anthem in some way. Whoever hacked Anthem’s records accessed names, Social Security numbers, dates of births, addresses and more going back a decade.

Over 1,100 healthy data breaches, but few fines
Since October 2009, health care organizations and their business partners reported 1,142 large-scale data breaches, each affecting at least 500 people, to the U.S. Department of Health and Human Services. Of those, seven breaches have resulted in fines. Explore the app

(Graphic: Sisi Wei and Charles Ornstein, ProPublica)

Many of those caught up in the recent string of medical data breaches are experiencing similar confusion and concern as they receive notifications from insurers. They wonder what real-world repercussions the exposure of their health care information could bring.

The Anthem breach, announced in early February, affected some 78.8 million people. Premera, another insurer based in the Pacific Northwest, recently disclosed that hackers had accessed records of 11 million people. The plans are offering several kinds of support, including credit monitoring for two years, but consumers must take steps proactively to enroll in that service.

When retailers such as Target and Home Depot have suffered data breaches, they have exposed credit card numbers, which can be canceled, containing the damage. The hacking of health insurance data is more troublesome, revealing the keys to a person’s identity.

Julie Grimley, 46, a content editor for an educational software startup, initially assumed the Anthem breach wouldn’t affect her because her family had coverage through CareFirst BlueCross BlueShield. Then she got letters informing her that her data, along with that of her husband and 15-year-old daughter, might have been compromised.

“At this point, I’m not sure what the best thing” to do is, said Grimley of Gaithersburg, Md. “I really don’t.”

Grimley said she is most worried about her daughter. “She’s already starting the college process,” she said. “Her life is starting. This could be really serious. I should be worried about me too but we’re established. … I’ve read horror stories and think, ‘Oh my gosh.’”

Anthem spokesman Darrel Ng said the company finished mailing letters notifying those affected during the week of April 3. The process took two months because of the number of people affected and to not overwhelm its credit-monitoring vendor, AllClear. “Anthem initially started by sending out 1.5 million letters a day and eventually ramped up to about 2.5 million per day,” he wrote in an email.

Anthem said it has tried to reach people in other ways, including by email and through a website, AnthemFacts.com. Ng said he did not know how many people had signed up for the credit monitoring, but anyone can seek help in clearing up credit reports and contesting false charges for the next two years.

Premera also has set up a website with information, premeraupdate.com. It has notified 6 million members in Washington and Alaska affected by the breach and is working to notify members of other Blue Cross plans if they sought care in those states. As of April 1, more than 194,000 people had enrolled in credit monitoring, Premera spokeswoman Melanie Coon said by email.

The Department of Health and Human Services’ Office for Civil Rights, which oversees compliance with federal patient privacy law, is investigating the Anthem and Premera breaches. If the agency determines the insurers did not take adequate steps to protect members’ health information, it could impose steep fines.

Bethesda, Md., resident Eric Forseter and his family managed to fall victim to both the Anthem and the Premera hackings.

Forseter’s wife and son received letters dated March 4 from their health insurer Premera telling them that some of their information—but not their Social Security numbers–was compromised in the Anthem breach. Days later, they received additional letters saying they also were victims of Premera’s own breach, which affected not only Social Security numbers, but also medical claims information.

Help us investigate
What has been your experience with patient privacy? Do you think your medical information was shared by your doctor or health-care provider? Do you think it was involved in a breach? Tell us your story.

Forseter, 40, who works for an IT security and identity management company, said he doesn’t know how his family’s information got ensnared in the Anthem breach but suspects it may have happened because his son had to see a doctor while in New York. He’s gotten nowhere when he’s called the insurers’ customer- service line for answers.

“I don’t think they really know half the stuff that’s happening,” he said. “Unfortunately they’re reading a canned script and all they want to do is say, ‘Well, sorry.’”

Forseter said he is considering legal action against the insurers for failing to safeguard his family’s information. He called the offer of two years of credit monitoring inadequate.

“If data was stolen then sold and sold many times over, then potentially three to five to 10 years from now, that data could be used and I’d have to pay for my own coverage and I’m at risk,” he said. “I’m responsible for covering it.”

Ann Patterson, senior vice president and program director for the Medical Identity Fraud Alliance, an industry group, said consumers are right to be nervous. Medical identity theft poses a more serious risk than credit card fraud. “You really can’t change your birth date. So when that kind of information is out there, the type of fraud that is perpetrated in the health care sense involves your wellbeing, your life.”

If an imposter attempted to receive medical care using a patient’s name, she said, it could attach a false diagnosis to the patient’s medical records and delay care when the patient really needs it.

Patterson recommends that consumers take several steps if they have been affected. First, they should sign up for the free credit monitoring, which alerts people to possible suspicious activity if it happens. “If you became a victim, you would be notified as soon as possible,” she said, noting that it doesn’t prevent fraud. Beyond that, consumers should review all insurance forms, hospital bills and other medical correspondence they receive. If something doesn’t look right, don’t throw it out, Patterson said; make a phone call to clarify what has been sent.

“Some reason people think, ‘I was not the patient, so why should I call that hospital?’ Definitely call the provider and the health plan to make [sure] both parties know that you are not the patient. You should report it to your local law enforcement so you have a record that it was reported from a legal standpoint.”

For some victims, the Anthem and Premera breaches have been all too familiar.

Bill Speaks, 61, who works in mainframe software for the U.S. Department of Interior in Colorado, said he was also a victim of the Home Depot hacking attack last year, as well as one involving his bank, and he believes he was also a victim of the Target hack. Moreover, he said, his driver’s license was stolen when he had surgery at a hospital about three years ago. That may have resulted in someone opening up an account and running up charges in his name, he said.

Speaks said he’s fed up.

“No one is looking out for us and no one at the higher levels of these organizations are suffering any consequences because of their lax security,” he said.

Fayed’s company provides research, technology and consulting services to health care and higher education organizations, and she said the flow of personal information is essential to delivering medical treatment and to arranging payment. “We as individuals are never going to be able to know every single entity that has our data,” she said.

At the same time, Fayed said her personal experience with the Anthem breach allows her to see it from the other side. “It gives you a new perspective when you’re actually one of the folks whose data is disclosed. It’s a real-life perspective.”

For more on patient privacy, read how federal health officials rarely impose fines even as data breaches multiply and check out our interactive tool. Has your medical privacy been compromised? Help ProPublica investigate by sharing your story.
—
Ed’s Note: This story was provided by ProPublica, a nonprofit news organization.