Written by Duncan West
Community Health Systems, an operator of 206 hospitals in 29 states, including Washington, had 4.5 million patient identity records stolen by an organized team of hackers. Read one of the many accounts of the hack here.
This was an electronic Protected Health Information (ePHI) breach, even though no clinical data was lost. What the hackers took were patient names, addresses, birthdates, telephone numbers and Social Security numbers – enough information to steal a patient's identity. The fact that a healthcare provider has a record of a person is an indication that the provider delivered care to that person, making the loss of demographic and Social Security information a protected breach, subject to penalties of up to $1.5 million in addition to the cost of offering credit protection to the 4.5 million affected individuals. There is an emerging threat of civil suits for data breaches, which may be tested in this case.
Community Health Systems owns or operates Deaconess and Valley Hospitals in Spokane, and Yakima Regional Medical Center and Toppenish Community Hospital in the Yakima Valley.
Speculation about motives for the hack included accessing intellectual property about medical devices being tested. What the hackers ended up with was enough demographic information to steal the identities of 4.5 million people. That is valuable and would have been even more so had there been credit card information, which there was not.
In a companion article about why a hospital system would be hacked, John Halamka, the CIO of Beth Israel Deaconess, states that the street value of a medical record with insurance information is roughly $50-$250. With that information, an uninsured person of roughly the same age and build can present for care using one of the stolen identities.
Access to the community record from a Health Information Exchange could help share enough clinical background information that identity adoption would be more difficult. Clinical or other staff could review records that refer to the history of past care, past surgeries, medications and allergies, and use them to quiz the patient to determine whether he or she is actually who he or she claims to be.