The post appeared on June 26, 2014 in EMR & HIPAA
It’s one thing to have a laptop stolen with 8,000 patient records or for a disgruntled doctor to grab his patients’ records and start his own practice. It’s another when the Cosa Nostra steals that information, siphons money from the patient’s bank account and turns it into a patient trafficking crime ring. Welcome to organized crime in the age of big data.
Organized crime syndicates and gangs targeting medical practices and stealing patient information are on the rise. They’re grabbing patient names, addresses, insurance details, social security numbers, birth dates, etc., and using it to steal patients’ identities and their assets.
It’s not uncommon for the girlfriend of a gang member to infiltrate a medical practice or hospital, gain access to electronic health records, download patient information and hand it over to the offender who uses it to file false tax returns. In fact gang members often rent a hotel room and file the returns together, netting $40,000-$50,000 in one night!
Florida is a hotbed for this activity and it’s spreading across the country. In California, narcotics investigators took down a methamphetamine ring and confiscated patient information on 4,500 patients. Investigators believe the stolen information was being used to obtain prescription drugs to make the illicit drug.
Value of patient records
Stolen patient information comes with a high price tag if the medical practice is fined under HIPAA. One lost or stolen patient record is estimated at $50, compared to the price of a credit card record, which fetches a dollar. Patient records are highly lucrative. The chart below shows the value of patient information that might be sitting in an EHR system:
| Number of Patient Records | Value of Patient Records |
|---|---|
| 1,000 | $50,000 |
| 5,000 | $250,000 |
| 10,000 | $500,000 |
| 100,000 | $5,000,000 |
Protect your practice
Medical practices need to realize they are vulnerable to patient record theft and should take steps to reduce their risk by implementing additional security. Here are seven steps that organizations can take to protect electronic patient information:
- Perform a security risk assessment – a security risk assessment is not only required for HIPAA Compliance and EHR Meaningful Use but it can identify security risks that may allow criminals to steal patient information.
- Screen job applicants – all job applicants should be properly screened prior to hiring and providing access to patient information. Look for criminal records, frequent job switches or anything else that might be a warning sign.
- Limit access to patient information – employees should have the minimum access necessary to perform their jobs rather than full access to electronic health records.
- Audit access to patient information – every employee should use their own user ID and password; login information should not be shared. And access to patient information should be recorded, including who accessed, when, and which records they accessed.
- Review audit logs – organizations must keep an eye on audit logs. Criminal activity can be happening during a normal business day. Reviewing audit logs can uncover strange or unexpected activity. Let’s say an employee accesses, on average, 10 patient records per day and on one particular day they retrieve 50 to 100 records. Or records are being accessed after business hours. Both activities could be a sign of criminal activity. The key is to review audit logs regularly and look for unusual access.
- Security training – all employees should receive security training on how to protect patient information, and make sure they know any patient information activity is being logged and reviewed. Knowing that employee actions are being observed should dissuade them from using patient information illegally.
- Limit the use of USB drives – in the past it would take a truck to steal 10,000 patient charts. Now they can easily be copied onto a small thumb/USB drive and slipped into a doctor’s lab coat. Organizations should limit the use of USB drives to prevent illegal activity.
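The audit-log review described above (a user pulling far more records than their daily average, or records being accessed after hours), as an added example that is not from the original post: a small Python script that parses constructed EHR access records and flags a user whose daily volume jumps well above their own baseline, plus any access outside assumed Monday-to-Friday clinic hours. The log format, user names, record ids, thresholds and clinic hours are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit log, one access per line: "<ISO timestamp> <user> <record id>".
# jdoe views three charts on Monday, then fifteen in fifteen minutes on Tuesday;
# msmith views charts on a Saturday night.  All names and record ids are made up.
SAMPLE_LOG = "\n".join(
    [f"2014-06-23T{9 + i:02d}:05:00 jdoe MRN10{i:02d}" for i in range(3)]
    + [f"2014-06-24T09:{i:02d}:00 jdoe MRN20{i:02d}" for i in range(15)]
    + ["2014-06-28T22:30:00 msmith MRN3001", "2014-06-28T22:31:00 msmith MRN3002"]
)

def parse_log(text):
    """Parse each non-empty line into (timestamp, user, record)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, record = line.split()
            events.append((datetime.fromisoformat(ts), user, record))
    return events

def after_hours(ts, open_hour=8, close_hour=18):
    """True outside the assumed clinic hours: Monday to Friday, open_hour to close_hour."""
    return ts.weekday() >= 5 or not open_hour <= ts.hour < close_hour

def review_audit_log(text, spike_factor=3, min_records=10):
    """Return findings as (kind, user, date, detail) tuples."""
    per_day = defaultdict(lambda: defaultdict(set))  # user -> date -> distinct records
    off_hours = defaultdict(lambda: defaultdict(int))  # user -> date -> access count
    for ts, user, record in parse_log(text):
        per_day[user][ts.date()].add(record)
        if after_hours(ts):
            off_hours[user][ts.date()] += 1
    findings = []
    for user, days in per_day.items():
        for day, records in days.items():
            # Leave-one-out baseline: the user's mean volume on every other logged day,
            # so a spike does not inflate its own baseline.
            others = [len(r) for d, r in days.items() if d != day]
            if not others:
                continue
            baseline = sum(others) / len(others)
            if len(records) >= min_records and len(records) >= spike_factor * baseline:
                findings.append(("volume_spike", user, day,
                                 f"{len(records)} records vs baseline {baseline:.1f}/day"))
    for user, days in off_hours.items():
        for day, count in days.items():
            findings.append(("after_hours", user, day, f"{count} accesses outside clinic hours"))
    return findings
```

Running `review_audit_log(SAMPLE_LOG)` reports jdoe's Tuesday spike and msmith's Saturday-night access; a real deployment would feed it the EHR's own audit export and tune the thresholds to the practice.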
The high resale value of patient information and the ability to use it to file false tax returns or acquire illegal prescriptions make it a prime target for criminals. Medical practices need to recognize the risk and put proper IT security measures in place to keep their patient information from “securing” hefty tax refunds.
About Art Gross
Art Gross co-founded Entegration, Inc. in 2000 and serves as President and CEO. As Entegration’s medical clients adopted EHR technology Gross recognized the need to help them protect patient data and comply with complex HIPAA security regulations. Leveraging his experience supporting medical practices, in-depth knowledge of HIPAA compliance and security, and IT technology, Gross started his second company HIPAA Secure Now! to focus on the unique IT requirements of medical practices. Email Art at [email protected].