HHS calls for better cybersecurity as medical record breaches affect millions of patients

This week is Identity Theft Awareness Week.  That may make you think about stolen credit card information or fraudulent loans.  But it's now healthcare record breaches that are topping the charts.  

FOX 26 Houston is now on the FOX LOCAL app available through Apple TV, Amazon FireTV, Roku, Google Android TV, and Vizio! 

Why?  Experts say medical records are worth ten times as much as stolen credit card information on the black market.

Now the U.S. Department of Health and Human Services is calling for hospitals to have new cybersecurity requirements.

Imagine having your private medical records exposed.  It happened to Elina Shaffy.

"The whole thing has been very overwhelming, and it’s become very anxiety-producing, it’s very stressful," said Shaffy.   

Shaffy says she is one of 70 patients whose sensitive medical records and pictures from the Beverly Hills plastic surgery office of Dr. Gary Motykie was posted on a public website in 2023.  Dr. Motykie filed a report with the Los Angeles County Sheriff's Office that he received a demand for a $2.5 million dollar ransome for the records. The Sheriff's Office tells us it is still investigating the case.  

"It was very disturbing personally to see the content of this website. And, in addition to that, to seeing everyone else's information, everyone else's financials, their entire medical history," said Shaffy.

Data from the U.S. Department of Health and Human Services reveals that 540 healthcare organizations were breached nationwide last year, impacting 116 million patients.  

"They’re not getting more frequent, but the number of records they’re affecting are getting larger. One breach may affect more records, or more sensitive records than breaches in the past," explained researcher and privacy advocate Paul Bischoff of Comparitech.  

Bischoff says the most breached facilities are specialist clinics, which are often smaller offices that sometimes have less record security, followed by health insurance, hospitals, and networks. While electronic records are the most targeted, paper records can also be stolen or disposed of inappropriately.  

Monica Berlin worked as a surgical technologist before becoming a patient advocate.

"Yes, there are surgeons who do protect patient information. But there are so many who don’t, because things cost money, software costs money," Berlin said, based on what she says she observed working in different medical offices.  

When records are breached, the Identity Theft Resource Center says not only can thieves use your financial information to run up credit card and loan debt, your health insurance information can be used for medical procedures.  That can leave victims with both medical debts and inaccuracies on their health records, which can hinder or prevent them from getting needed care and prescriptions.

Eva Velasquez, CEO of the Identity Theft Resource Center, says thieves are also using patient diagnoses and images to extort money.  

DOWNLOAD THE FOX 26 HOUSTON APP BY CLICKING HERE

"That's being levered more in a ransome-ype of situation, extortion, where the patient is being contacted or the breach entity is being told, we will expose this information," Velasquez explained.

Patient advocates recommend taking steps to protect your records.

"You need to get copies of your medical record and your chart as you go through the process. Don’t wait till you're done," said Berllin.  

Having copies of your medical records can help you correct errors if they're used or altered by a bad actor.

And privacy experts say you should avoid giving out unnecessary information at the doctor's office.

"They don’t all need to have your social security number. They don’t need to have every piece of data about you. So ask questions. Why do you need this?," said Velasquez.  She says patients can ask to be given a different patient number for identification.  

The U.S. Department of Health and Human Services plans to propose new cybersecurity requirements and resources for hospitals through Medicare and Medicaid this spring.  

The American Hospital Association issued a statement, responding, "AHA supports voluntary consensus-based cybersecurity practices," and will "continue to work collaboratively with HHS and other federal partners to enhance cybersecurity efforts for the entire health care field."

Some patient advocates say more oversight is needed.  

"Maybe the Department of Justice or medical boards can actually go in and enforce these HIPAA-compliant regulations that exist," suggested Berlin.

Shaffy has filed a lawsuit against Dr. Motykie over the breach.  She says the experience has been devastating.

"It’s very expensive financially, it’s very expensive emotionally, spiritually.  You're supposed to go to a doctor to have them heal you," said Shaffy.

We reached out to Dr. Motykie, but have not heard back yet.  His attorneys wrote in a letter reporting the breach to the U.S. Department of Justice that they have secured credit monitoring services for the potentially impacted individuals.

Here are more steps identity theft experts recommend taking to protect yourself:

  • Keep your credit frozen at all three credit bureaus until you need it.     
  • Use different passwords and multifactor identification on all your digital accounts, including patient portals.
  • Read EOB's, the Explanation of Benefits that you received to spot any medical procedures that you didn't receive. 
  • Dispute any errors on your medical records in writing by certified mail. 
  • Keep your prescriptions and medical papers in a safe place, and shred them before you dispose of them.

Victims of any type of identity theft can reach out for help to the Identity Theft Resource Center, which just issued its annual report on identity theft, and the Federal Trade Commission. 

Sullivan's Smart SenseConsumerNews