It is negligence by employees of health-care providers—not attacks by external hackers and other thieves—that is responsible for most leaks of patient information, according to a new study. And that is another big reason you should be extra-careful about what information you share with hospitals, doctors’ offices and pharmacies.
The study analyzed nearly 1,150 large health-care-record breaches that occurred between 2009 and 2017 affecting a total of more than 164 million patients. Only 12% of the breaches stemmed from attacks by external hackers, compared with 53% caused by internal negligence. The remainder included the physical theft of medical files. The study, from Michigan State University and Johns Hopkins University, was published in JAMA Internal Medicine.
Internally caused data breaches included private files of patients being mailed or e-mailed to the wrong recipients…accessed from insecure computers or smartphones…stolen by employees…or otherwise mishandled.
Patient data breaches are especially dangerous for victims because someone with access to your information could receive medical care in your name, stick you with the bills and/or comingle your medical histories in potentially dangerous ways.
What to do: Resist giving your Social Security number to health-care providers—or provide only the last four digits. If a provider tries to insist, ask why the number is needed and ask about the provider’s history of hacks or leaks and security policies to help you decide whether to use this provider. Although a provider may be allowed to refuse you service, there’s no legitimate medical reason that the provider would demand your Social Security number—typically, it is only to make it easier to sic debt collectors on you if you don’t pay your bill. Most will back down if you refuse.
You typically will have to provide your date of birth, driver’s license (or other photo ID) and insurance information, but keeping your Social Security number secret should make you less vulnerable to identity theft.