WHEN PAULA KOTZEN learned at her doctor’s office that hackers had attacked medical records in Marin County, it was like déjà vu. “This would probably be the third kind of privacy breach I’ve experienced this year,” says the retired small business owner, who lives in Marin’s Santa Venetia neighborhood.
In prior incidents, Kotzen has received notices that her debit or credit card numbers were stolen by hackers. Strangers have used her credit card numbers to make purchases. But last summer’s attack — in which hackers froze and demanded ransom for the systems of a service provider of Marin General Hospital and other local medical offices — was the first she’d heard about the growing problem of medical record security breaches. It worries her.
“My medications are in there. My correspondence with physicians,” she says. “I certainly don’t want to get in a snafu with Medicare, which might take me a hundred years to unravel.”
It appears no patient records were stolen in the “ransomware” attack, although a small amount of data was lost when a backup system failed during the post-attack recovery process, affecting 6,000 patients, says Mark Zielazinski, head of information technology at Marin General. Officials hired a cybersecurity firm to help investigate the attack, pay the ransom and shore up security to make sure it doesn’t happen again.
In other attacks all over the United States, criminals are stealing health records to obtain prescriptions or treatment in victims’ names, sometimes resulting in unfamiliar bills landing in victims’ mailboxes. Consequences for those affected can range from an inconvenience to criminal charges — for example, people have been charged with drug crimes when others used their identity to obtain large amounts of prescription painkillers. Medical ID theft can even endanger someone’s life if it leads to the alteration of medical records: for instance, removing a penicillin allergy from the file.
Kotzen so far hasn’t encountered any major problems, although staff at her doctor’s office blamed confusion in the wake of the attack for some delayed and inaccurate test results. No identity thefts related to the breach have been reported, and the hospital didn’t advise patients to sign up for identity-monitoring services or take any other protective steps in response to the incident, Zielazinski says.
“We don’t feel it’s warranted for them to take additional steps to protect their identity, as you might do if you had a breach where data was actually stolen and removed from your organization,” he adds. He credits the lack of data theft to both encryption and good luck.
“The forensic team categorized the attackers as somewhat amateurish,” Zielazinski says. “They didn’t try to extract any data, which a professional criminal would have tried to do.”
Lindsay Bartsh of San Rafael wasn’t so lucky. A few years ago, her identity was stolen in an unrelated crime and used by criminals in multiple ways, including emergency room visits under her name. Bartsh found out when she received a $400 bill from a Berkeley ER she’d never visited and a $1,600 bill from Los Angeles. She was able to get rid of the charges, but she still doesn’t know if the criminals’ visits may have established medical files at those hospitals under her name. “What’s so frustrating about this is they would not tell me what the person was visiting the ER for, or if they did blood tests on this person,” Bartsh says.
One reason that medical records are increasingly being targeted is that retailers and banks have been shoring up security, making it harder for criminals to steal and use credit card numbers. Nowadays, if a thief tries to use your credit card number, your bank is likely to send you a real-time alert, nipping any damage in the bud. No such centralized tracking system exists for medical visits, meaning that you might not know until years later if someone has been receiving medical treatment under your name, says Ann Patterson, program director of the Medical Identity Fraud Alliance. At the same time, more medical records are moving online, providing hackers with a new treasure trove to target.
“Those kinds of things are converging to make a good environment for the bad guys,” Patterson says.
More than 100 million patient records were compromised by hackers in 2015, according to the National Department of Health and Human Services. Hackers plumb medical records for prescriptions and for personal data such as Social Security numbers and home addresses, often selling the information.
Patterson says there are a few things patients can do to prevent medical ID theft, whether their providers have been breached or not:
• Read all mail from medical providers carefully. If it’s an explanation of benefits, ascertain whether you saw the doctors named on the dates stated. If it’s an envelope from an unfamiliar doctor’s office, don’t assume it’s junk mail — it could be a bill.
• Periodically check your medical records for accuracy. Changes in blood type, preexisting conditions or allergies could be red flags that someone else is using your medical identity.
• Protect medical documents as you do financial documents — shred before recycling.
• Beware of over-sharing, such as posting online about an upcoming surgery or a prescription or even entering personal information into health websites or apps.
This article originally appeared in Marin Magazine’s print edition with the headline: “For the Record”.