On March 17, 2015, Premera Blue Cross (Premera) disclosed that cyberattackers had executed a sophisticated attack to gain unauthorized access to its information technology systems. According to Premera, the attack initially occurred on May 5, 2014, and compromised the personal information of 11 million of its applicants and members, such as dates of birth, email addresses, addresses, telephone numbers, Social Security numbers, member identification numbers and bank account information. Perhaps scariest of all, Premera disclosed that claims information, including clinical information, was also taken. With the onslaught of cyber-attacks taking place on a weekly basis, much of the focus has been on the nefarious ways that hackers can use stolen information to engage in any number of financial crimes, from credit card fraud to the draining of bank accounts. Indeed, in light of this most recent attack, Premera is offering affected persons two years of free credit monitoring and identity theft protection, a common practice among companies which have fallen victim to cyber-attacks. However, the significant damage that can be done by a hacker in possession of a person’s clinical health information cannot be overlooked, and neither should the fact that such damage cannot be protected against with credit monitoring or identity-theft protection.
The unauthorized accessing of medical records is not a new phenomenon. For example, in 2008, the UCLA Medical Center fired more than a dozen employees for improperly accessing Britney Spears’ medical records while she was in treatment at its psychiatric hospital. And a year prior, the medical records of Farrah Fawcett, who had been battling cancer, were also improperly accessed and sold to the Enquirer. However, what is new is the sheer scope of electronic medical records that are available for hackers to try to steal, and the scope of damage which could result. It is not hard to imagine a scenario where hackers gain access to the medical records of a Fortune 500 company CEO who is battling a terminal illness which is not yet known to the public; or a politician who is battling depression and seeing a psychologist for treatment; or an individual seeking medical treatment for something that they would just as soon not have their spouse or employer find out about. All of these scenarios offer a lucrative opportunity for blackmail or extortion, and once medical records are taken, the risk of their improper use will always exist. Bank account numbers, Social Security numbers and other financial information can be easily changed. Medical information cannot.
That being said, the only real way to protect against fallout from the unlawful access to patient health information is to change the way such data is handled, and to enhance protections in the way it is stored.