The Collateral Damage of Electronic Health Records Breach

In the previous article in this series on the collateral damage resulting from a data breach, we looked at the potential damage that could occur if hackers were able to acquire just a single username and password for one person. Now, let’s take a look at the collateral damage of an electronic health records (EHR) breach.

At the end of 2014 the legislature mandated that all medical records be put into electronic format. The purpose of an EHR is to make the information necessary for your medical care easily accessible to those providing it. Consequently, most computer systems in the healthcare industry are designed around the principle of sharing data, making them an even more attractive target for hackers.


Electronic Health Records Breach of Premera Blue Cross Blue Shield

The Premera BCBS breach in May of 2014 resulted in the theft of 11 million health records. The breach was not detected until 8 months later, and was only made public by Premera in March of 2015. During that time the attackers had complete access to sensitive information including individual names, dates of birth, email addresses, street addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information. Here are just a few potential outcomes to which these people may be exposed:

Costly and life-threatening miscommunication: What would happen if an individual came into an emergency room from an accident and, because his or her EHR was modified, was given the wrong medication or an infusion of the wrong blood type? It would be an effective way to commit murder and get away with it.

Increased premiums, loss or denial of coverage: Unauthorized changes to an individual’s records could also result in misinterpretation of an individual’s true health condition and change the factors that dictate the cost of health or life insurance premiums. What would be your recourse in such a case?

Potential malpractice accusations and risk: A patient’s safety and privacy are not the only concerns when attackers strike. The ripple effect could also harm medical professionals who are treating patients with skewed records. The high premiums of malpractice insurance are one of the driving forces of everyone’s healthcare costs.

Public embarrassment and loss of job: What if your prior treatment for mental health or another condition was publicly revealed? At the very least you could experience years of public embarrassment, and may even fear losing your job.

Targeted scam attacks: What would happen if your prescription details or ailment information were sold to scammers with offers of cheap medication or treatment? Acting upon such offers could result in severe health complications. Furthermore, what if you were not interested in such offers? If the scammers have your email address and doctor’s name, it would be relatively easy to create a convincing email that installs malware on your computer. Then all the information on your computer would become available for the taking.

It is hard to wrap your head around the scope of an EHR data breach. When credit card information is compromised, the shelf life is pretty short, restitution is swift, and everyone moves on. But medical information is highly sensitive and its shelf life is the lifetime of the individual. The collateral damage to an individual could extend much further than simply ruining his or her credit; it could even be deadly. How, then, will a mere two years of credit monitoring genuinely help?

In the next article, we’ll take a look at what could happen if your Personally Identifiable Information (PII) falls into the wrong hands. Stay tuned.
