A hacking incident (or rather, a five year long breach) at Community Health Systems, disclosed in August 2014, is supposed to have resulted in the leakage of 4.5 million health records. Why on earth, one might be excused for asking, would someone steal health records?
Let us first clarify the simpler matter that medical records are certainly worth protecting. They contain private information about an individual. Though most medical conditions say nothing about someone’s character or personality traits, there are still good reasons to want to keep one’s medical history private. One may not want the world to know that one suffers from irritable bowel syndrome, or that one has suffered a few miscarriages, or even that one has had LASIK done to cure one’s eyesight. You feel comfortable in telling all to your doctor because you are assured that that information will be held in confidence.
Most people feel slightly embarrassed about having to explain an ailment to their doctors. Imagine how much harder it would be for them if they knew that the doctor was going to put all that information in the public domain!
Other than privacy, is there any other reason to keep medical records secret? Other than gossip and ridicule, what else does one have to fear?
A lot, as it turns out.
The business of healthcare has become extremely complicated in the 20th and 21st centuries. We have transitioned from a close relationship with the town or village doctor to a network of clinics, hospitals, providers, specialists, laboratories, pharmacies, medical device manufacturers and vendors, insurance carriers, government subsidies, medical tourism destinations, and so on. It is all a rather dizzying array of complexity.
These entities exchange medical and payment information. Usually, but not always, the payment is released by an insurance carrier. In some cases, the payment might also be requested from an employer or the government. It is quite difficult to impersonate someone to their employer, but most dealings with the government or with a large insurance provider are faceless. All that matters in these interactions is whether one knows some important identifying numbers.
It is those numbers, and the history of one’s health conditions, which can enable hackers and thieves to fraudulently bill on your behalf. Let us say a hacker knows that you are suffering from mild hearing loss. The hacker might order a $20,000 hearing aid and bill your insurance carrier for it, and then sell it in the black market. He might even be willing to make the co-payment. Or, let’s assume a hacker figures out that you have Coronary Artery Disease (CAD), which might benefit from angioplasty. What is to stop a hacker from creating the records of an imaginary angioplasty at, say, an “out-of-network” clinic (perhaps in another country) and bill your insurance carrier for hundreds of thousands of dollars?
To be sure, most medical histories do not lend themselves easily to lucrative exploitation. Hence, it is very rare (unheard of, actually) that hackers will specifically target someone’s medical records. Usually hackers attack a whole system and steal thousands or millions of records. Then these are sold in bulk to specialized gangs which then sift through the information looking for opportunities.
“Ask for his ID!”
Shouldn’t it be required for the paying entities to authenticate the bill and the patient? Well, they do. But in today’s world, information is identify. If you know enough about someone, you can, for all intents and purposes, become that person. Their date of birth, their family history, their physical characteristics, even their biometric parameters (fingerprints, etc.) can be transmitted in such a way that there is no cause for suspicion that the transmitter is anyone other than who he says he is.
Banks and credit card companies have elaborate algorithms to detect when a transaction does not fit the pattern. Unfortunately, health providers and insurance companies have not yet invested in such technologies. And given the vast complexity of the human body, and the close relationship ill health has with suffering, it is doubtful if suspicion at a new symptom or a treatment is going to be welcomed by patients. Such algorithms (at banks) fail, for example, when somebody suddenly has to travel to a location far from one’s normal place of business.
Healthcare is already riddled with too much paperwork. And unlike financial transactions, health paperwork (e.g. diagnostic information) can be astoundingly varied and immune to simple algorithms. To automatically scan all this complex data to detect fraudulent activity is not a simple project.
Therefore, the need is to protect the data in the first place. If the data does not get into the wrong hands, hopefully we can prevent fraudulent billing. Also, unlike financial information such as credit card numbers, stolen medical records continue to remain valid. Its protection is therefore even more important.