This story was originally published by ProPublica and co-published with NPR’s Shots blog.
It’s hard to keep track of even the biggest health data breaches, given how frequently they seem to be happening. Just last Tuesday, health insurer Premera Blue Cross disclosed that hackers broke into its system and may have accessed the financial and medical records of some 11 million people. The intrusion began last May but wasn’t discovered until January and wasn’t shared publicly until this week.
Among the information that may have been taken about the insurer’s members and applicants: names, dates of birth, email addresses, street addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, which may include sensitive medical details.
Premera’s announcement comes weeks after another health insurer, Anthem Inc., announced that it too had been hacked—and that the records of nearly 80 million people were exposed.
The task of investigating medical data breaches falls to the Office for Civil Rights, a small agency within the Department of Health and Human Services. Its staff of about 200 investigates thousands of complaints every year, large and small. Last month, ProPublica reported how, as the number of breaches has increased, the office infrequently uses its authority to fine organizations and health providers that fail to safeguard patient records.
The office’s director, Jocelyn Samuels, spoke on Monday to health privacy and security experts gathered in Washington, D.C., for the National HIPAA Summit, named for the Health Insurance Portability and Accountability Act. This 1996 federal law protects the privacy and security of patient records. Her speech preceded Premera’s public disclosure.
After her talk, Samuels sat down with ProPublica to talk about the current state of health privacy. The conversation has been edited for length and clarity.
Q. To start off with, the Anthem breach is still at the top of mind for so many people. Does this change the landscape in terms of health data breaches?
A. We won’t know until after we have investigated what the causes of the Anthem breach are or were, or whether there are concerns about HIPAA compliance. But I think that it illustrates both the increasing risks that exist in the cybersecurity space and the need for covered entities [health providers and others subject to HIPAA’s requirements] to continue to update and evaluate their risk analyses to ensure that their risk management plans adequately anticipate all of the kinds of threats they may face.
Q. I received a breach letter from Anthem [informing me that my data was accessed] and I heard from a lot of people who did. One of the things that they say is, ‘I don’t even know what to make of this. What of mine was taken? Will it be used against me?’ How do you advise them what to do?
A. We will be evaluating the kinds of information that was compromised and the source of the breach and the harm that accrued to the different individuals. Those are all questions that I think will inform the work that we do in this space and we will have further answers as we learn more.
Q. Since HIPAA was passed in 1996, how would you say the state of play has changed with respect to patient privacy and the security of records?