Data breaches in the health care industry happen more often than you might think. The recent attack on Anthem exposed the personal information of about 80 million patients and is the largest data breach in the history of the industry. Financial institutions, retailers, and other organizations have all suffered major breaches, but the health care sector is an increasingly attractive target for hackers. The Office for Civil Rights at the Department of Health and Human Services provides detailed information on breaches in which the data of more than 500 patients was exposed. According to our analysis of this database, the number of such incidents has increased from 13 in 2008 to 256 in 2013. The total number of patients affected by such privacy breaches increased from about half a million people in 2008 to nearly nine million people in 2014. The following plot shows the data breaches in four types of health care entities. The size of the bubbles is proportionate to the total number of individuals affected by the data breaches.
Source: Office for Civil Rights at the Department of Health and Human Services
Although, it is neither economic nor technically possible to completely eliminate the risk of data breaches, the current market structure and regulatory framework in the health care sector differentiate it from other industries and make it especially prone to future hacking attacks. This is why we should expect larger and more frequent data breaches in the health care sector in the future.
Digital security is not a business priority for health care organizations
Protecting the customers’ privacy is amongst the most important activities of businesses in every industry, except the health care industry. Health care companies have less competition than other industries where consumers can choose between many different options and do business with an organization that values privacy protection. For most companies, spending on digital security is considered a strategic investment. It is a necessity without which many of the current businesses will immediately vanish. Imagine what would happen if the databases of a major online retailer, such as Amazon, were hacked. Customers would immediately react by avoiding Amazon and shopping from other online retailers. It is not hard to guess that after the recent data breaches at Home Depot, many customers preferred to swipe their credit card at other retailers such as Lowe’s rather than risking it at Home Depot. If such breaches happen too often and receive enough publicity, there is an increased probability that the targeted businesses will lose their customers and eventually go bankrupt. This creates a strong incentive for businesses to avoid data breaches through strengthening their defenses. To attract customers, businesses should first earn their trust.
Now consider the patients’ reaction to the Anthem hacking incident. They are outraged, but lack useful responses. They can’t change their health insurer and often must keep their health care provider. Most patients receive health insurance through work or the government. If they are covered under Medicare, Medicaid, or Military Health Insurances they do not have any choice other than remaining with the same insurer. Employers typically have long-term contracts with insurers to provide coverage for their employees and it is very difficult to terminate such contracts. Even if it was possible, despite their ethical obligations, the employers do not have a direct and immediate interest to do so. After all, the breaches are affecting their employees, not them.
Nonresident Senior Fellow - Governance Studies, Center for Technology Innovation
Ph.D. student - Vanderbilt University
Former Research Analyst - The Brookings Institution
Patients are unlikely to change their doctor if they are impacted by a data breach. Most people choose their health care provider based on proximity to their residence. There is a limited supply of such providers in a limited geographical area. In many instances, there is only one specialist, testing center or hospital within miles of a patient’s home. The scarcity of specialized medical services means most patients have no choice. Patients who overcome this barrier must still endure the emotional and medical costs of switching their provider with no guarantee that the new provider will better protect their privacy. The market for health care IT systems is dominated by only a few vendors and the chance that two providers employ IT systems with security features that are virtually the same is very high. It is also conceivable that both providers belong to a larger health care organization and use a single IT system, which suffers from the same security problems.
In a market where such major security breaches have little to no effect on the revenue stream of the organizations, there is no economic incentive to invest in digital security and prevent a data breach.
Current health care laws fail to provide adequate protection
The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, contains the most important set of laws that are specifically designed to protect patient privacy. Although HIPAA suggests a set of cautionary policies designed to protect patient privacy and prevent data breaches, there aren’t significant penalties for violating these policies. According to the latest revision of HIPAA, health care organizations that “knew, or by exercising reasonable diligence would have known” of the privacy violations but did not prevent them could potentially be fined a maximum of $1.5 million. To put this in perspective, note that the net income of Anthem in 12 months ending in December 31st, 2014 was $2.5 billion. If Anthem were proven guilty of willful neglect, which is very unlikely, it could lose 0.00058 percent of its net income. Anthem makes that much money in one hour and 15 minutes.
In case of such major data breaches, class action lawsuits may be possible under state law. But these lawsuits happen after the damage from a breach is done. Due to the unique features of personal health information, it is very difficult to measure the financial losses of the victims and fairly compensate them.
HIPAA does not provide sufficient privacy protections for patients. Laws and regulations should drive the health care sector to implement proactive security measures and privacy policies to prevent such risks from happening in the first place rather than designing contingency plans to deal with financial consequences after the fact.
Anthem itself provides the best support for these arguments. According to Wall Street Journal, “it doesn’t expect the incident to affect its 2015 financial outlook, primarily as a result of normal contingency planning and preparation.”
More TechTank post’s available here