Your Medical Data Is At Risk From Hackers—And Incompetence

While two major hacks have exposed millions of individuals' health data, data exposure by loss or theft is far more common

Illustration: Diana Quach
Jul 28, 2016 at 5:00 AM ET

It’s a sad truth: Your private medical data, like practically all information, is vulnerable to hackers, and there’s little you can do about it.

That’s why laws demand accountability from those who handle your medical information, like hospitals and insurance companies. Since October 2009, if those kinds of institutions lose control of people’s health information, they must conduct an assessment and report it to the Department of Health and Human services, which maintains a public database of such disclosures when they affect at least 500 people. If an organization’s internal investigation finds that customers’ personal information is believed to have been compromised, they’re expected to notify potential victims within 90 days. And while yes, hacking instances are very real and very regular, they are far less frequent than incidents in which Americans’ medical information is exposed by petty theft of a laptop or external hard drive—or, as is often the case, pure stupidity on the part of someone with the data.

Many cases of improperly disclosed medical information are only noticed days later, when someone realizes they’ve been thrown away. Often, such information is stored on computers or external hard drives that were stolen or burglarized. In more than a third of HHS records—526 out of the 1,456 recorded times—it’s the result of piece of equipment simply going missing. Take, for example, the Titus Regional Medical Center in Mt. Pleasant, Texas. According to its report to HHS, an employee misplaced a computer that contained the files of 5,840 patients. And what exactly happened? The report’s authors weren’t exactly sure, but wrote that “It is thought that the laptop was left on the fender of the [employee’s] vehicle and fell off.” And though that computer was encrypted, that’s small comfort. First, because the report “could not confirm if the laptop was opened or closed when it dropped from the vehicle,” and second, because Titus “conducted an internal audit and determined that there was a glitch in the software parameter that permitted the download and storage of all 5,840 patients’ records on the laptops regardless.”

In February 2015, Planned Parenthood of Ohio left binders of dispensing and lab test logs in an unlocked closet. According to a report, “a custodian mistakenly put them in a trash dumpster. The following morning, the dumpster was emptied by the trash collector who took it to be buried with other garbage at a landfill that same day.” In April 2010, Blue Cross/Blue Shield of Rhode Island donated a filing cabinet to charity without first clearing out laptops that contained the names, social security numbers, and Medicare numbers of about 12,000 customers. In four different cases, someone mailed a large batch of postcards with personal information written on them, exposing the medical information to the mail carriers who delivered them.

Despite the prevalence of incidents in which information is lost by either device theft or simply misplacing records, more people’s medical records have been exposed by malicious hackers. That’s the case because of the sheer scale of three insurance company hacks in 2015: two of BlueCross BlueShield, which exposed around 21 million people, and that of Anthem, of 78.8 million people, in February. As is common practice for companies hit by hackers who get access to Social Security numbers, they offered potential victims a free year of credit monitoring. That may be small comfort, however, as identity theft scams are sharply on the rise, and are extremely difficult for victims to manage.