It would be a shame if consumers ever reached the point where news of a data breach did little more than raise eyebrows. But that’s the sad impact of having so many consumer records stolen by cybercriminals on a regular basis. Hopefully, news of this recent data breach will be more cause for alarm.
Investigators anticipate that more than 29,000 emergency room patient records were compromised in an apparent accidental data breach of Indiana University Health Arnett Hospital. The records, which were downloaded to a USB drive, contain names, addresses, personal information, and medical records for patients treated in the past year. It doesn’t appear as though Social Security numbers were impacted, but that remains to be seen given that many hospitals and medical offices still use SSNs as identification numbers and to run credit checks on patients.
According to Komando.com, the flash drive contained spreadsheets of the patient records and wasn’t encrypted or password protected. Another source says that this information was limited to emergency room patients and that the flash drive went missing from the emergency room’s office. Why the data was on a flash drive in the first place is unknown, but the lack of security on it means that anyone who has the drive and access to a computer can retrieve the information.
Unfortunately, the hospital had this to say: “Patient medical record information is kept on a secure server. This is not the standard method of storing patient data. Officials cannot be certain an incident will never occur, however, they are taking steps to minimize the chance of such an incident occurring in the future.” That means that the information should (in theory) have never been on the flash drive in the first place, especially if hospital policy is to keep that information on a secure server. It’s hard to believe the data appeared on a flash drive by mistake, and that it went missing for any reason other than a malicious one. At this time, however, the hospital has not received any complaints that patients’ information has been used without authorization.
So what are patients supposed to do? The hospital will be sending out letters to affected patients that explain exactly what information was compromised and what steps the hospital will be taking to protect patients. Anyone who receives such a letter should follow the instructions, and if credit monitoring is offered then those patients would be wise to take advantage of it.
This event should also serve as another eye-opening warning to patients who may not yet have been affected by a medical data breach—although, given the number of events per year and the enticing information that hacking a medical facility can produce for an identity thief, that number of people is shrinking every day. When you’re presented with a clipboard full of forms and a pen, ask yourself why the facility needs such detailed information, and then ask the employee what they plan to do with it. Inquire about the safety protocols of the facility, but also remember that those protocols are only as good as the employees who adhere to them. If you’re in doubt about the security of your information, remember that you’re not required to turn it over in order to receive emergency medical treatment.