Healthcare organizations are being targeted at an alarming rate. Whether it’s an insider breach (an employee stealing information or an untrained staffer unintentionally mailing out sensitive data) or a hacker gaining unauthorized access, medical organizations are paying hefty penalties for these breaches. New York Presbyterian and Columbia University were recently fined a record $4.8 million for a HIPAA violation which exposed the records of 6800 patients. However, medical groups are not the only ones paying the price. Patients and employees are the owners of the very data that is stolen, and these people must deal with the overall headache and cost of resolving identity theft.
As patients, we have the right to question if our information is being protected. Each time we visit a doctor’s office, lab, or hospital, we should ask the staff how they are keeping our information secure. Ever curious why your full social security number, instead of just the last 4 digits, must be recorded in the clinic’s file? Does your doctor’s office control who can access your paper files, or is the file cabinet of medical records hanging open for anyone to rifle through? Do you wonder if patient information is ever emailed, unencrypted, to a staffer’s personal email address in the case that the employee just wants to get some work done at home?
We cannot simply read the news, cluck our tongues with disgust, and wag blaming fingers at the seemingly irresponsible medical organizations. We should do our part and ask our healthcare providers questions that will not only raise data protection awareness but will also challenge medical groups to improve their current information security practices.