Health care data of 1 million N.J. patients compromised since 2009


Saint Barnabas Medical Center is one of 17 medical facilities that has experienced a patient data breach since 2009.

(Star-Ledger File Photo)

About a month ago, Jersey City Medical Center patients were surprised to receive a letter informing them that the hospital had lost a compact disc loaded with unencrypted sensitive patient data.

The trove of information lost in the mail included Social Security numbers, payment information and admission dates for Medicaid patients. The data was out in the world for anyone to find.

This was not an isolated mishap.

An NJ Advance Media investigation into patient data breaches reveals a health care industry that has, time and time again, failed to protect the sensitive data despite advances in encryption, data integrity and security.

According to a database kept by the U.S. Department of Health and Human Services, the data of about 1 million patients at New Jersey medical facilities has been compromised since 2009:

  • The total number of patients whose data was compromised in 2013 was 850,000 – the most ever since reporting was mandated in 2009.
  • Since 2009, there have been 14 breaches of sensitive patient information in New Jersey involving 17 different facilities and affecting nearly a million patients.
  • New Jersey's biggest breach happened in November at
  • Even the state is not immune. The New Jersey Department of Human Services also
  • The
  • Smaller medical facilities have also been vulnerable to data breaches. In October, the office of Paul G. Klein, a podiatrist in Wayne, reported a stolen laptop that contained the information for 2,500 patients.

Jor Rodriguez was shocked in December when he received a letter from Blue Cross Blue Shield letting him know that his information was compromised by the stolen laptops.

"Even though you think it can't happen to you, it can," Rodriguez said.

Rebecca Ashton from Piscataway also received a letter from Blue Cross Blue Shield saying that her son's name was floating around thanks to the same data breach. Other than carefully monitoring their credit, she was at a loss on how to protect her family.

"I mean, what can we do?" Ashton said. "We have to go to the doctor, we have to have health insurance, so we're kind of at their mercy."

When Jersey City resident Damian Wieczorek received a letter in August saying his information was on a lost CD sent by Jersey City Medical Center, he was similarly taken aback.

"I work in the IT industry, and we'd never send an external hard drive with that kind of data unencrypted," Wieczorek said. "I would get fired on the spot."


Lax Oversight

Hospitals and other health care providers must follow rules laid out by the Health Insurance Portability and Accountability Act (HIPAA) when it comes to handling private medical information.

And as part of the 2009 stimulus bill, the HITECH Act propelled the healthcare industry's move from paper to electronic records. It also introduced new notification rules and expanded the government's enforcement of HIPAA violations.

That expansion included a 2012 pilot audit program performed by the HHS Office of Civil Rights, which looked at the patient privacy and security practices of 115 entities ranging in size and scope.

What they found was sobering.

Two thirds of health plan and care providers failed to conduct "complete and accurate" security risk assessments, which are required under HIPAA.

In addition, OCR found at least one security concern for 58 out of 59 health care providers audited.

Rachel Seeger, spokesperson for the OCR, said the audit raised awareness as to how difficult it is for the health care industry to fully protect patient data.

"I do think that the industry is working to become more [HIPAA] compliant," Seeger said. "But there is still a long way to go."

OCR is planning a new, larger wave of audits in 2014 which, unlike the previous one, will include business associates that work with healthcare providers.

But even the auditors are not always safe from breaches. To develop its 2012 audit program, OCR teamed up with KPMG, a New Jersey-based audit firm. Just two years earlier, according to the HHS breach database, a KPMG employee lost an unencrypted flash drive with a list of patients and information about their care at Newark Beth Israel and Saint Barnabas Center. Neither OCR nor KPMG would comment on the incident.

Still, there is another layer of accountability for providers. The same 2009 HITECH Act set up the electronic health records (EHR) incentive program, which gives incentive payments to hospitals and medical facilities to help make the switch from paper to electronic records.

In order to receive funding, health providers must perform security risk assessments and attest that they did – although they don't have to show documentation unless they're being audited or investigated.

When the EHR incentive program first started in 2009, Sharona Hoffman, a professor of Law and Bioethics at Case Western Reserve University School of Law, expressed concerns about the lack of regulation in maintaining patient privacy.

Hoffman still believes that relying on providers to perform risk assessments may not be enough.

"Just because you're doing a risk assessment doesn't mean you're going to find the problem and you're gonna solve the problems that you find," she said.

For providers, the chance of being audited by the government is small, which gives them less of a push to solve those problems.

"The government has limited resources," Hoffman said. "They can't go and inspect every health care provider workplace and every computer to make sure that the privacy requirements are being carried out."

Encryption: The Gold Standard

When there are data breaches in the health care industry, it's usually not the work of some malicious hacker gaining access to patient information.

Most of the time, laptops, desktop computers and thumbdrives that happen to have electronic patient data are either lost by an employee or stolen.

However, in a lot of instances, the data in that lost or stolen device is not encrypted, meaning it can be easily accessed by anyone. In that case, facilities have to report the incident as a breach.

That's why OCR spokesperson Rachel Seeger calls encryption the "gold standard" of data security: it makes the data completely unreadable to anyone not authorized to access it.

Encryption is not mandatory under HIPAA. However, if there's a breach and the data is encrypted, it is considered "safe" enough that health facilities don't have to report the incident to HHS.

Out of the 115 entities they audited, OCR found 56 examples of facilities with no encryption in place, including 39 health care providers and 14 health insurance plans.

Half of New Jersey breaches since 2009 involved unencrypted patient data.

"Everybody encrypts sensitive data," said Deven McGraw, Director of the Health Privacy Project at Center For Democracy and Technology. "Banks encrypt, credit cards encrypt... But for whatever reason, the healthcare industry has been very slow to install widespread encryption."

However, Lee Kim, director of privacy and security at Healthcare Information and Management Systems Society warns it's not completely fool-proof, especially if it's badly managed.

"If you have the key to decrypt the information in a place where someone can easily steal it or access it, then it's not really a safeguard," said Kim.

What New Jersey Is Doing

In New Jersey, it's extremely difficult for hospitals and medical facilities to guarantee that their patient data is 100 percent breach-proof.

"This is the number one thing that keeps us up at night," said Joe Carr, chief information officer at New Jersey Hospital Association. "Even when sometimes we've done [everything we can], we still don't get a good night's sleep."

Hospitals are often big healthcare networks with multiple clinics with staff and vendors working with thousands of patients every day. That's why, sometimes, vulnerabilities are missed.

"You do your very best to train and retrain your employees and physicians," Carr said. "And all it takes is one person to do something really stupid, and you get a black eye."

That's why organizations like NJHA have been helping hospitals figure out how to constantly update their security tools and which practices best keep their data safe. It's a constant topic of conversation, he said.

Atlantic Health System, which has locations in Morristown, Summit and Newton, was named "Most Wired" in 2013 by Hospitals & Networks magazine for the fourth year in a row. They have several data security tools in place including patient data encryption.

None of their hospitals has suffered an electronic data breach affecting more than 500 people. Still, the health network's Chief Information Officer Linda Reed maintains a simple mantra:

"When you build a 10-foot wall, your nemesis will build an 11-foot ladder," she said.

For Reed, it's not enough to just have the latest anti-breach technology. Hospitals need to put as much importance on training staff and physicians in best safety practices for handling patient data, especially since most breaches happen because of lost or stolen employee devices.

What it then ultimately comes down to is how dedicated the facility is to ensuring patient privacy and how many resources are at their disposal.

"Technology has become the backbone of health care," said Rachel Seeger, spokesperson for HHS's Office of Civil Rights. "[Facilities] have to take meaningful steps to protect their patients' information with as much care and diligence as they do their patients' physical safety."
