Q&A of the Day – HCA Hack - What You Can Do to Protect Medical Records
Each day I feature a listener question sent by one of these methods.
Email: brianmudd@iheartmedia.com
Social: @brianmuddradio
iHeartRadio: Use the Talkback feature – the microphone button on our station’s page in the iHeart app.
Today’s Entry: Brian- I’m concerned I’ve been compromised by the data breech at JFK. I’ve previously been an ID theft victim which took months to stop and it makes the news of this breech that much more concerning. What’s done is done and I’ll simply hope for the best but what I’d like to know is if there’s anything that we can be doing to protect our medical records (or are we simply at the mercy of a hospital to protect our data)?
Bottom Line: I’m sorry to hear about your previous issues in addition to your concerns about potentially having a new one due to the HCA data breech. You’ve asked a great question as medical service providers often do ask for more personal information than is necessary or that you’re required to provide to receive service. First let’s hit the reset button with what’s happened, who may be impacted and what we’ve learned about the data potentially compromised by the hack attack on HCA’s properties.
On July 5th DataBreaches.net first reported that HCA Healthcare had been hacked with patient information having been compromised in the attack. In the report they state that they had communication with the hacker and that the hacker had contacted HCA demanding a ransom for not releasing the data on the dark web on July 4th. According to the report, the hacker provided HCA with a July 10th deadline to meet the ransom (the amount/terms weren’t disclosed). Fast forward to Monday, the 10th, and sure enough HCA put out a press release notifying the public of a “Data Security Incident”. In the press release they state:
HCA Healthcare recently discovered that a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum. The list includes:
- Patient name, city, state, and zip code;
- Patient email, telephone number, date of birth, gender; and
- Patient service date, location and next appointment date.
They also noted that compromised information did not include:
- Clinical information, such as treatment, diagnosis, or condition;
- Payment information, such as credit card or account numbers;
- Sensitive information, such as passwords, driver’s license or social security numbers.
In the Palm Beaches, those who’ve been patients at either JFK Medical Center location or Palms West are likely to have had their information compromised. HCA has created a website for impacted patients to receive updates and are offering credit monitoring and identify theft protection services “where appropriate”. They’re specifically cautioning patients to be leery of identifying calls, emails and text messages.
Obviously, HCA didn’t pay the ransom, which is understandable, where I have added concerns and questions are in these areas:
- Why didn’t HCA come public prior to the 10th with the possibility of patient data being released?
- How far back does the compromised patient data go?
HCA evidently had knowledge of the data breech for six days prior to the data leak occurring. Taking a proactive approach would at least enabled patients to be on guard about this issue. Apparently, the hope was that the hacker was bluffing and as a result their disclosure was a reactionary one – but it didn’t have to be. And in the context of patient information, the original Atlantis-based JFK Medical Center has been there since 1966. There are many patients that haven’t been there in an awfully long time. How far back does the data go? That could also be helpful for those who’re wondering if they’re compromised. To date all we know is that HCA is estimating that 11 million patients have had their data compromised. With all of that said...about today’s question. What can you do to protect your data with medical service providers...?
There’s a reason why medical service providers have been one of the top targets for hackers in recent years. They tend to collect the maximum amount of identifiable information about people. Even more than the federal government. The key is in never giving any medical service provider unnecessary information about you. You’re there to receive medical care. Anything that doesn’t have to do with that care is no more their business than your mechanic’s. The top two asks of personal information by medical service providers that they have no right to and that lead to identity theft issues are Social Security numbers and Driver’s License/State ID numbers. Most medical service providers still ask for that information, and most patients still provide it. Don’t do it. It may be appropriate for a medical service provider to check an ID to verify your ID, but even then, they shouldn’t have a record of that number on file.
Starting in 2018, a Javelin Strategy & Research study showed more Social Security numbers were stolen than credit card numbers. That's because that’s where the gold is for the hackers. And when combined with the rest of your data it’s that much more valuable on the dark web. A 2020 study on healthcare data breaches revealed that 70% of them resulted in compromised Social Security numbers. HCA claims that’s not the case in this instance, and hopefully that’s true, but it’s a reminder that you should never provide that number to a medical service provider. You never know when a hack can occur that can create the kind of stress you’ve already experienced.