In recent times, one of the most commonly reported topics in the US healthcare system is medical identity theft, and how data breaches affect tens of thousands of sensitive patient records. This pattern has been repeating itself for quite some time. However, this time, it’s a bit different. In this case, the hospital took an astounding seven months to report the incident. On top of that, it exposed around 200,000 patients’ medical records. Let’s see what actually happened.
The organization was a Californian health system called PIH Health, located in Whittier. It identified that a phishing incident took place way back in June 2019. However, it reported the incident to the HHS (Department of Health and Human Services) on 10th January, after seven months. Pundits are still debating whether this delay was valid or not.
A reporting tool for HIPAA breaches confirmed that the incident actually affected around 200,000 individuals. Due to this number, it has earned the title of the biggest breach so far this year. HIPAA makes it mandatory for organizations to report any such incident that can affect PHI (protected health information) within 60 days.
While giving an official statement, PIH Health said that it learned an employee’s email account was targeted and the culprits gained unauthorized access. The healthcare provider, later on, took steps to mitigate the damages. Collaborating with experts, it also started an investigation into the matter.
After the investigation, the provider found out that the affected accounts were visited between 11 and 18 June. However, it was quite impossible for them to determine whether PHI, the patients, and any other parties were affected.
As per the rules, it was supposed to inform HHS within two months after the incident, but it did so much later. The provider says that they wanted to examine and make sure whether the incident actually affected anyone. A HIPAA representative questions why the health system took so long to report this incident, saying that it was clearly a breach.
While this is just one story, there are hundreds of such incidents occurring on a regular basis: data breaches, medical identity theft, cyberattacks, and more. The criminals take the sensitive data of the patients and may either sell it or use it, costing the patients thousands of dollars. Even when a single person commits medical identity theft, it can still be dangerous for the patient. For instance, the patient data may incorporate the preferences of the culprit when he/she uses the stolen identity. As a result, whenever the patient goes for treatment prior to the theft, he/she may get medication based on the culprit’s preferences. Even if it is fixed, it costs a lot of money, which is usually paid by the patients.
Several health systems, hospitals and other kinds of providers are struggling with data breaches, medical identity thefts, and similar issues, but not the ones who are using RightPatient. It is a biometric patient identification platform that seamlessly integrates with the EHRs used by hospitals. After the patient enrolls with their biometric data (fingerprints/irises) in the platform, it locks the medical records of the patients, preventing unauthorized access, and in turn, medical identity theft. The platform also enhances patient safety, as accurate patient identification is possible. After the patient gets his/her biometrics scanned, the system searches through the numerous records in the EHR system and identifies the correct one within seconds. Pioneering health systems like Terrebonne General Medical Center, Novant Health, Northwell Health, and many others are using RightPatient and are preventing medical identity theft, reducing losses, enhancing patient safety as well as improving the revenue cycle.