What’s The Worst That Can Happen?

by ID Experts

Medical Identity Theft

I was talking to a news reporter a few days ago about the risks of a breach of patient medical records and she asked:

“What’s the worst thing that can happen?”

My response was to tell her about the potential for medical identity theft and medical fraud.

A few days have gone by and I have read several news articles and reports that prompted me to reflect on the answer I gave. Some of these articles covered topics such as:

“Health-care Sector Vulnerable to Hackers”

“Zero Day Exploits in Cyberspace”

“2,644 Breach Incidents in 2012 Exposing 267 million records”

So let’s let our imaginations run wild for a few moments… Can you think of possible scenarios that would answer this reporter’s question? Please send me scenarios you think could make the “worst case” list. You can reach me .

Let’s take this one for example. A server at a major New York City hospital that stored the hospital’s database of over 845,000 patient records could no longer be accessed after its hard drives failed mechanically. The IT manager followed procedures to restore the database from the hospital’s magnetic backup tapes, but the backup tapes were blank.

The permanent loss of the database records would put the hospital in clear violation of HIPAA data retention and availability requirements. To restore the server, the IT manager contracted with a local third-party data recovery service provider. With no documented policy or procedure for assessing the capabilities and security compliance of such service providers, the IT support manager selected the company based on its 48-hour turnaround time, and shipped it the damaged hard drives without vetting the company’s data security protocols.

The data recovery was a complete success. Within two days, the recovered data was returned to the IT support manager who uploaded the full database of patient records onto the hospital’s new server and the tape backup system was fully functional again. The IT manager made a note in his files to use the local data recovery service provider again, thinking all had gone quite well.

But all was not well. Several months after the recovery, the hospital discovered that a breach of protected health information (PHI) had occurred during the recovery process. While creating an image of all the data on the drives, the data recovery engineer discovered the database of PHI records, including financial and health care account information. He made a second copy of the database for himself, found the records of a female patient whose description closely matched that of his ailing wife, and altered them to fit his wife’s description perfectly, removing the references to the patient’s blood type and her life-threatening allergy to insulin. His wife used the fraudulent identity to receive surgical treatments for cancerous tumors in her lungs. The engineer used the credit card data found in other records to pay for the surgery, pharmaceuticals and rehabilitation.

Several of the hospital’s patients then began reporting unauthorized purchases on their credit cards. The cause of the security breach was not discovered until the woman whose record was altered received emergency surgery after a car crash. Unconscious when she arrived at the hospital, she died from anaphylactic shock during a simple surgical procedure—an allergic reaction to the insulin she was administered during the operation.

The deceased woman’s husband was convinced that his wife’s allergy to insulin was well documented in her health record. After investigating the woman’s health records more closely, it was discovered that her PHI had recently been altered and the changes were traced back to the NYC hospital’s database. The hospital’s forensic team was called in, and the breach was traced to an unscrupulous third-party data recovery service provider and its data recovery engineer, who, it was then revealed, had not been subjected to a background check upon hiring. The data recovery engineer had a criminal history of identity theft.

Reports of the breach, the altered medical records, and the woman’s death were picked up by the media. The hospital posted a public notice of the PHI breach and notification letters were sent to all impacted patients outlining the details of the breach, the PHI disclosed, and who had handled their data. Two years of credit monitoring and fraud resolution services, along with credit and identity theft restoration if needed, were offered by the hospital to all affected individuals. However, the larger threat to the consumer was the misuse of the PHI, which went unmonitored. The hospital’s name and image were damaged severely.

An internal study was conducted at the hospital and new protocols were adopted to mitigate the risk of using third-party data recovery vendors. The hospital’s risk management process was updated and the hospital’s CISO and the IT support manager were fired.

Please send me scenarios you think could make the “worst case” list. I will include them in my next blog post and share them with the experts participating at the PHI Protection Forum on March 12th and 13th in Boston. I will share the top 5 submissions and give their authors recognition at the event and on our LinkedIn groups and blogs.

Written by Rick Kam, CIPP, founder and president of ID Experts.

ID Experts is the leading provider of comprehensive data breach solutions that deliver the most positive outcomes. Founded in 2003, ID Experts has managed hundreds of data breach incidents for leading healthcare organizations, corporations, financial institutions, universities, and government agencies across the United States. As a result, millions of Americans are protected by ID Experts against the threat of identity crime.