Data breaches that expose your private health information can be particularly damaging. If someone steals your credit card information, you can always cancel the card and get a new one. You can’t do that with your medical history.
Your medical records also contain sensitive information about you. You may not want people to know about treatments you’ve received or conditions you have. That information could hurt your chances to get certain jobs or insurance.
Health information breaches can also expose other information useful for identity theft. Your medical records can contain your address, Social Security number and financial information.
According to the National Cyber Security Alliance, in 2016, there were 450 breaches that exposed the private health information of 27 million Americans.
A federal law commonly referred to as HIPAA protects your rights and sets rules for health care providers and insurers to follow in protecting your privacy.
What Is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, signed into law in 1996. This law gives you the right to view and receive a copy of your personal healthcare information, but it also limits who else can see, collect or use your information.
The HIPAA privacy rule requires health insurers, most health care providers and organizations that process health information to protect the privacy of your health information. This includes any information that doctors, nurses or other people put in your medical records. It also includes any conversations or other communications they have about your condition or treatment.
Your personal and billing information stored by your health care provider or your health insurer is also protected. Hospitals, insurers, doctors and others may face fines if this information is disclosed or breached.
How Health Information Breaches Happen
The HIPAA Security Rule requires the organizations it covers, and the contractors that handle data for them, to protect electronic health information with administrative, physical and technical safeguards such as access controls and encryption. But there are several ways a data breach of medical records can happen.
The all-time largest health information breach was the attack on Anthem, a licensee of Blue Cross and Blue Shield, disclosed in 2015. The attack, which began with spear phishing, exposed the records of nearly 79 million people and cost the insurer more than $130 million in penalties and settlements.
Spear phishing involves sending emails that appear to come from a trusted sender, often someone in the same company. When an employee opens the attachment or clicks the link, it installs malware or captures the employee's login credentials, and the attackers use that foothold to move through the company's network.
But some breaches are less sophisticated.
In 2015, medical records company Filefax reported it had potentially exposed the personal health information of 2,150 people after medical records were left in an unlocked truck in its parking lot.
The University of Texas MD Anderson Cancer Center reported a breach after the theft of a center-owned laptop from an employee’s home and the loss of two thumb drives. The devices contained the personal information of more than 33,000 people.
Even Small Breaches Can Be Devastating
It doesn’t take a breach of thousands of patient records to be harmful. Sometimes a leak that affects just one or two people can have serious consequences.
This can happen when a doctor, nurse or other health care worker shares a patient’s medical information without their permission.
There have been cases where health workers posted patients’ lab results to social media. A New Jersey hospital worker was accused of leaking medical records of an 11-year-old’s suicide attempt to people at his school. As a result, the boy’s peers bullied him.
In 2013, a Florida nurse found records showing that a relative had secretly given birth and put a baby up for adoption. She shared the information with family members.
Leaking a single patient’s medical information can have serious consequences. The nurse in Florida was fired and forced to surrender her nursing license.
A medical group was sued when it took a patient to court over a $326 debt. In the public court filing, the company mentioned that the man had been diagnosed with HIV. The man was able to get the court record sealed and a jury awarded him $1.25 million.
Settlements and Judgments for Breaches
Most attention surrounding HIPAA privacy violations goes to large breaches that reveal a lot of people’s personal or medical information — and there have been quite a few of them. The U.S. Department of Health and Human Services has a long list on its website of agreements and penalties it has won and collected from major health care providers, going all the way back to 2008.
The largest was a $16 million penalty that insurer Anthem paid in October 2018. It was one of 11 settlements or judgments that HHS's Office for Civil Rights collected that year from organizations that violated HIPAA.
| Company or Organization | Issues | Amount of Settlement or Judgment |
| --- | --- | --- |
| Filefax, Inc. | Failing to secure patient health information | $100,000 |
| Fresenius Medical Care North America | 5 breaches reported in 6 months | $3,500,000 |
| MD Anderson | Loss of a computer and thumb drives containing information on 33,500 people | $4,348,000 |
| Boston Medical Center | Allowing ABC-TV crews to film a documentary without patient authorization | $100,000 |
| Brigham and Women's Hospital | Allowing ABC-TV crews to film a documentary without patient authorization | $384,000 |
| Massachusetts General Hospital | Allowing ABC-TV crews to film a documentary without patient authorization | $515,000 |
| Advanced Care Hospitalists | Failure to comply with multiple HIPAA requirements for more than 8 years | $500,000 |
| Allergy Associates of Hartford | Doctor improperly revealed patient information during television news interview | $125,000 |
| Anthem, Inc. | Cyberattack exposed personal information of 79 million people | $16,000,000 |
| Pagosa Springs Medical Center | Former employee continued to have access to personal health information of 557 patients | $111,400 |
| Cottage Health | Two breaches that exposed information of 62,500 people | $3,000,000 |
In addition to the penalty Anthem paid to the federal government, it paid another $115 million to settle lawsuits filed by people who had their information exposed.
Protecting Your Health Information
HIPAA lets you send your health information to anyone you want. This can be helpful if you are sending it to a trusted family member or another health care provider.
However, you should be careful storing or sharing your health information on a mobile app, on your computer or with other people. Once you share it, your health care provider is no longer responsible for its security.
- Never post any medical information online unless you want the whole world to know
- Use passwords or encryption to protect health information on your computer or in emails
- Beware of free medical services or other attempts to pry private medical information from you
- Shred insurance forms, prescriptions and physician documents to prevent medical identity theft
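The "use passwords or encryption" advice is easy to get wrong: a cipher with no integrity check, a key made by hashing the password once, or a nonce reused across files all leave the record exposed. As an added example, not code from the original page, here is password-based encryption of a health record in Go using only the standard library: a random per-file salt, PBKDF2 with HMAC-SHA256 to stretch the password, and AES-256-GCM so that a wrong password or a modified file is rejected instead of silently producing garbage. The record text, the password and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demonstration; not real patient data.
const sampleRecord = "Patient: J. Doe\nDOB: 1980-01-01\nDiagnosis: hypertension\n"

const (
	saltLen    = 16      // random per-file salt: same password, different key each file
	nonceLen   = 12      // standard AES-GCM nonce size
	keyLen     = 32      // AES-256
	iterations = 100_000 // PBKDF2 work factor; raise it as hardware gets faster
)

// ErrDecrypt covers both a wrong password and a modified file. AES-GCM
// cannot tell the two apart, and a caller should not need to.
var ErrDecrypt = errors.New("decryption failed: wrong password or data modified")

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out here so the
// example needs no module outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, n int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, n+sha256.Size)
	idx := make([]byte, 4)
	for block := uint32(1); len(out) < n; block++ {
		binary.BigEndian.PutUint32(idx, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // chain the PRF, XOR every round into t
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

func newGCM(password string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns salt || nonce || AES-GCM ciphertext and tag. The salt is also
// bound in as associated data, so moving a header between files is detected.
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := io.ReadFull(rand.Reader, header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, nonce, plaintext, salt), nil
}

// Decrypt reverses Encrypt and fails closed on any change to the blob.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, ErrDecrypt
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, ErrDecrypt
	}
	return pt, nil
}

func main() {
	blob, _ := Encrypt("correct horse battery staple", []byte(sampleRecord))
	pt, err := Decrypt("correct horse battery staple", blob)
	fmt.Println("round trip ok:", err == nil && string(pt) == sampleRecord)
	_, err = Decrypt("wrong password", blob)
	fmt.Println("wrong password:", err)
	blob[len(blob)-1] ^= 1 // flip one bit of the authentication tag
	_, err = Decrypt("correct horse battery staple", blob)
	fmt.Println("modified file:", err)
}
```

The design choice worth noticing is that the same error comes back for a wrong password and for a tampered file: the GCM tag check fails in both cases, which is what makes "encrypted with a password" actually protect the record rather than just scramble it.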
HIPAA only requires health care workers, institutions and health insurance-related businesses to protect your medical privacy. If you share your health information with anyone else, they may not be covered by the law, so HIPAA's penalties would not apply to them if they pass it on.
Beware of Sharing on Health Care Apps
There aren’t a lot of federal regulations on what an app maker can do with your health information once you upload it. In many cases, it may be legal for the app maker to sell, re-purpose or share your information with others.
What to Do If Your Health Information Is Breached
If you think your health information has been compromised, contact your insurance company or health care provider. You can also file a complaint with the Office for Civil Rights at the U.S. Department of Health and Human Services, or contact the attorney general's office in your state.
If the company or person responsible for exposing or sharing your health information is not covered by HIPAA, you may be able to file a complaint with the Federal Trade Commission.
You may also be able to file a health information breach lawsuit. Patients can’t sue directly for HIPAA violations. But you may be able to sue under other laws for the damage that a breach causes you. Talking with a lawyer who specializes in privacy issues could help you decide if you have a case.
22 Cited Research Articles
- Alvarez, B., McGlaughlin, C., and Wirth, A. (2017, November 9). Health Information Privacy – Why Should We Care? National Cyber Security Alliance. Retrieved from https://staysafeonline.org/blog/health-information-privacy-care/
- Becker’s Healthcare. (2019, January 19). Healthcare Breaches Cost $6.2B Annually. Retrieved from https://www.beckershospitalreview.com/healthcare-information-technology/healthcare-breaches-cost-6-2b-annually.html
- Chard Snyder Benefit Solutions. (2018, November 27). What Is Considered a HIPAA Breach? Retrieved from https://www.chard-snyder.com/employers-and-advisors/compliance-watch/what-is-considered-a-hipaa-breach
- Davis, J. (2018, December 19). The 10 Biggest U.S. Healthcare Data Breaches of 2018. Health IT Security. Retrieved from https://healthitsecurity.com/news/the-10-biggest-u.s.-healthcare-data-breaches-of-2018
- Donovan, F. (2018, August 27). Oklahoma Hospital Sued for Alleged HIPAA Violation Over Drowning. Health IT Security. Retrieved from https://healthitsecurity.com/news/oklahoma-hospital-sued-for-alleged-hipaa-violation-over-drowning
- Experian. (2010, April). The Potential Damages and Consequences of Medical Identity Theft and Healthcare Data Breaches. Retrieved from https://www.experian.com/assets/data-breach/white-papers/consequences-medical-id-theft-healthcare.pdf
- Fliszar, G.M. (2014, June 1). New Risks Following a Health Care Data Breach – It’s Not Just the OCR Anymore. American Bar Association. Retrieved from https://www.americanbar.org/groups/health_law/publications/aba_health_esource/2013-14/june/new_risks/
- HIPAA Journal. (2017, November 7). Can a Patient Sue for a HIPAA Violation? Retrieved from https://www.hipaajournal.com/sue-for-hipaa-violation/
- HIPAA Journal. (2019, April 26). The Most Common HIPAA Violations You Should Be Aware Of. Retrieved from https://www.hipaajournal.com/common-hipaa-violations/
- NBC News. (2017, June 23). Anthem to Pay Record $115M to Settle Lawsuits Over Data Breach. Reuters. Retrieved from https://www.nbcnews.com/news/us-news/anthem-pay-record-115m-settle-lawsuits-over-data-breach-n776246
- Ornstein, C. (2015, December 10). Small Violations of Medical Privacy Can Hurt Patients and Erode Trust. NPR. Retrieved from https://www.npr.org/sections/health-shots/2015/12/10/459091273/small-violations-of-medical-privacy-can-hurt-patients-and-corrode-trust
- Ravindranath, M. (2019, July 15). Some Providers Fear “Brave New World” of Freed Patient Health Data. Politico. Retrieved from https://www.politico.com/story/2019/07/15/patient-health-data-regulations-1573633
- Stein, L. (2013, June 29). Medical Records Breach at Tampa General, USF Exposes Woman’s Secrets. Tampa Bay Times. Retrieved from https://www.tampabay.com/news/health/medical-records-breach-at-tampa-general-usf-exposes-womans-secrets/2129083/
- U.S. Department of Health and Human Services. (2017, September 5). What You Can Do to Protect Your Health Information. HealthIT.gov. Retrieved from https://www.healthit.gov/topic/privacy-security/what-you-can-do-protect-your-health-information
- U.S. Department of Health and Human Services. (2018, October 15). Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History. Retrieved from https://www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html
- U.S. Department of Health and Human Services. (n.d.). Breach Notification Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- U.S. Department of Health and Human Services. (n.d.). Filing a Complaint. Retrieved from https://www.hhs.gov/hipaa/filing-a-complaint/index.html
- U.S. Department of Health and Human Services. (n.d.). HIPAA for Individuals. Retrieved from https://www.hhs.gov/hipaa/for-individuals/index.html
- U.S. Department of Health and Human Services. (n.d.). How to File a Health Information Privacy or Security Complaint. Retrieved from https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html
- U.S. Department of Health and Human Services. (n.d.). Resolution Agreements. Retrieved from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- U.S. Department of Health and Human Services. (n.d.). Your Health Information, Your Rights. HealthIT.gov. Retrieved from https://www.healthit.gov/sites/default/files/YourHealthInformationYourRights_Infographic-Web.pdf
- U.S. Department of Health and Human Services. (n.d.). Your Rights Under HIPAA. Retrieved from https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html