Healthcare Data Breaches Down, But People Affected? Exploding!

It wouldn’t seem like it, reading the news, but believe it or not, the number of data breaches is down – from 16.5 per month to 14 – this year. But the number of people affected is greater.

And now, seemingly starting a new trend, the Utah Health Exchange, a state insurance exchange whose development started several years before healthcare reform made it law, has been the victim of a hacking.

Happily, the hack was a graffiti attack of the exchange’s portal for shopping for insurance, not its healthcare information. It was probably very annoying but did not result in the transmission of thousands of people’s personal health records. Words were “garbled, headlines blurred and some pages not accessible, and the site was down for about 10 days, a spokesperson for the Governor’s Office of Economic Development said.

Protected health information (PHI) is on a separate secure site and was not affected.

But the state does not get off scot-free. In March, the Department of Technology services, which maintains the breached site, was responsible for the comprehensive hacking of Medicaid data in March 2012. Almost 800,000 individuals had their health information was compromised, including up to 280,000 Social Security numbers.

On top of all that, the Utah Department of Health discovered that the information stayed in the state’s electronic system instead of being erased within a day, which is normal security protocol.

Utah is certainly not alone. In August, the Indianapolis-based Cancer Care Group announced data on 55,000 patients had been breached after a company laptop was stolen. And – a whole new twist – a small group of surgeons in Illinois was blackmailed by the hackers who got into their files, who made no secret of who they were, encrypted the data and then demanded money to get the password.