Major breaches of medical privacy happened more often in Missouri than in any other state its size over the last two years.
▪ An unauthorized website with notes about patients’ cases was created by a Children’s Mercy Hospital physician.
▪ An electronic medical records company’s database was hacked, leaving patients of a now-closed vein clinic in Liberty vulnerable.
▪ A phishing email tricked Washington University School of Medicine employees into giving hackers access to 80,000 patients’ records, including some Social Security numbers.
Those are just three of more than a dozen incidents in Missouri that the federal government is investigating for violations of the Health Insurance Portability and Accountability Act, or HIPAA.
Only the big states of California, Florida, New York and Texas have more open investigations.
The lapses potentially exposed sensitive medical information, left patients at risk of identity theft and could lead to hefty fines from the U.S. Department of Health and Human Services Office for Civil Rights.
That’s in addition to the costs of notifying affected patients, hiring cyber-security firms to figure out what went wrong and re-training employees.
“A breach incident is incredibly expensive for health care providers, especially in the larger scale breaches,” said Julie Roth, an attorney with Lathrop Gage who is an expert in HIPAA law.
Roth said those costs are frequently passed on to future patients.
Health care providers must report any medical privacy breach to the federal government; breaches affecting at least 500 patients must be reported within 60 days of discovery and are posted publicly, while smaller ones are reported annually and do not appear on the public list.
An online database maintained by the Office for Civil Rights showed that as of this week, the feds were investigating 15 breaches reported in Missouri in the last two years.
That tied Missouri with Michigan for fifth-most investigations nationwide. Kansas has only two: a Feb. 3 report of the theft of a desktop computer from a family medicine practice in Wichita that affected 6,800 patients and an Aug. 16 report of a hacking of the Salina Family Healthcare Center that affected more than 77,000.
Roth said that may be because Missouri has some urban areas with large medical providers while Kansas has a lot of providers that are very small.
“So if they have an incident it may not be reaching that 500 mark that ends up on that database,” Roth said.
Most of the potential breaches in Missouri didn’t affect hospitals. They hit smaller clinics like The Vein Doctor in Liberty and the Burrell Behavioral Health Clinic in Springfield. About 3,000 patients at The Vein Doctor were affected when the company’s electronic medical records vendor, Bizmatics, was the victim of a malware attack.
Roth said the HIPAA law allows the federal government to shift liability and penalties to third-party vendors in such cases.
The hacking of a Burrell employee’s email resulted in 7,748 patients’ records being compromised, including more than 5,000 patients under the care of the Missouri Department of Mental Health, which contracts with Burrell.
There was also a hacking incident reported by Blue Cross and Blue Shield of Kansas City May 5 that affected 725 of the company’s customers.
Of the 15 breach investigations in Missouri, four involved hospitals: one reported March 9 by St. Louis Children’s Hospital that affected 643 patients, one reported March 1 by the St. Louis Veterans Affairs health system that affected 724 patients, the large breach at Washington University that was reported March 25 and the one at Children’s Mercy that was reported May 19.
The Children’s Mercy incident involved 5,511 patients. A statement released by the hospital said that the physician who made the unauthorized website thought the patient information on it was inaccessible to anyone unless they had a password, but “unfortunately the website’s security controls did not meet the hospital’s standards and the information could have been accessed by unauthorized third parties.”
“Promptly following discovery, the website was taken down,” the statement said.
Children’s Mercy said it was not aware of any misuse of the information on the site, which included names, medical record numbers, gender, birth dates, heights, weights, dates of service and brief notes.
David Dillon, vice president of the Missouri Hospital Association, said his organization provides guidance into the legal aspects of HIPAA but most members are keenly aware of the need to keep private information private.
“Hospitals take this issue very seriously because there’s so much at stake,” Dillon said.
But the hospitals and clinics are facing new challenges. Archives of federal HIPAA violation investigations prior to 2011 show that most were related to the theft of physical property like laptop computers that had information on them.
Now, with more medical providers moving to electronic medical records that are often stored online, most breaches come from attackers getting past providers' cyber-security measures, often by fooling employees with phishing emails into handing over their login credentials.
Hospitals with troves of sensitive data have become targets for sophisticated hackers like the ones whose ransomware crippled the National Health Service in England in May by locking up patient records and demanding ransom money.
That’s one way hackers make a buck. Roth said another way is by targeting hospital billing systems — not for medical data, but for personal information they can peddle to identity thieves on the “dark web.”
It’s a problem that’s growing nationwide. A task force established by Congress released a report in May that said “health care cybersecurity is a key public health concern that needs immediate and aggressive attention.”
The stakes are growing, Roth said, because the scope of the breaches is growing too.
“The cloud and just the fact that now we have so much data on servers, that has really changed the game,” Roth said. “Because now, health care providers, if there’s a breach, we’re not talking about dozens or a few hundred, we’re talking about thousands, tens of thousands if not millions of records potentially being accessed in a single incident.
“So, it has really upped the importance of health care systems to be looking at what security measures they have in place and then training employees.”