The Day My Medical Data Was Hacked

Are data breaches becoming a new normal?

Posted Jul 31, 2019

No amount of advanced or technical knowledge quite prepares you. Waiting for me to return from vacation was notice of a serious medical data breach that personally affected me. It concerned the results of a routine health check my doctor had recommended for men my age.

“This letter is to provide you with information about a recent exposure of your personal information,” the notice from a company called Inform Diagnostics began, concerning “unauthorized access to an American Medical Collection Agency [AMCA] server containing the personal and payment information of a large number of individuals.”

According to Modern Healthcare, this was the second-worst breach in June and I was one of 173,617 people affected. Network servers had been targeted, granting access to first and last names and credit card information, but also (for unspecified numbers) dates of appointment, referring doctor, and laboratory name. “Not all of this information was exposed for all patients,” the letter hoped to assure, leaving an impression of scale as hazy as possible, and “no test results were disclosed for any affected patients. We have not received any information to suggest that patient information has been misused.” (A version of the notification is available here.)

When I called the given number to determine exactly how much of my data had been exposed, and what kind, a representative at the recently created “incident response line” said he could not confirm either way. “If you received a letter from AMCA, you have been exposed.”

Anyone wanting more precise information would need to put their request in writing. Calls would be impossible, he explained, because AMCA had just declared bankruptcy. “Soon after the notices went out,” he added after further questions, “they shut down and terminated most of their workforce.”

In the wake of the recent Equifax data settlement and the Capital One data breach affecting 100 million credit card applications, Modern Healthcare reports that healthcare breaches in March alone exposed the data of 883,000 people. By May, reports Jessica Kim Cohen, that number had risen to 2 million. By June, it was 3.5 million.

Amid this troubling and clearly worsening problem, the New York Times reported on an outcome now widely accepted among data specialists in and beyond medicine: There’s no such thing as guaranteed privacy because there’s no such thing as “anonymized” data that can’t be pieced back together. “Your Data Were ‘Anonymized’?” the article’s headline asks. “These scientists can still identify you.” Re-identification of the scattered elements is now possible, and rapid, and it reassembles them into a coherent, reliable picture of a person. Computer scientists, the article made clear, “have developed an algorithm that can pick out almost any American in databases supposedly stripped of personal information.” Worse, they decided to make the algorithm freely available to all seeking it.

“Every Patient Deserves the Right Answer” happens to be the company motto of Inform Diagnostics, with a stated focus on accuracy and accountability that is commendable. “We provide our clients and patients with efficient, dependable, and high-quality service,” its website assures, “and call this commitment to service our Trusted Process. Inform Diagnostics is the most reliable anatomic pathology laboratory in the market … [offering] a support team you can trust, and technical expertise from highly trained laboratorians.”

The technicians I dealt with were indeed highly skilled and professional. Even so, in January 2019 the company itself agreed to pay the Department of Justice $63.5 million. It did so to settle kickback and false claims allegations brought by the federal agency via a whistleblower, including that it had provided “illegal inducements to referring physicians.” Prosecutors alleged that it had done so via “the implementation and use of electronic health record systems (EHRs)”—that is, the very servers that were breached in June by an unknown “intruder,” affecting 173,617 people, including me. The company settled the case but admitted no wrongdoing.

“Patients deserve the unfettered, independent judgment of their healthcare professionals,” U.S. Attorney Maria Chapa Lopez of the Middle District of Florida said in prepared remarks preceding the settlement. “Offering financial incentives to physicians and medical practices in exchange for referrals undermines citizens’ trust in our healthcare system.”

Indeed it does. As this is just the most recent in a string of devastating, far-reaching breaches involving millions of Americans’ health and financial data, it needs asking: Is this a new normal we will be asked to accept with ever-growing frequency?