
(Un)Protected Health Information Held for Ransom

Former Associate

Recent experiences of major health care companies are a reminder of the importance of data security and of following a well-written policy for compliance with the HIPAA Privacy and Security Rules.

Lithuanian police reported on Tuesday that a hacking group had illegally obtained and published over 25,000 private photos and personal data from a chain of European plastic surgery clinics. According to the report, the hackers announced the theft and demanded a $385,000 ransom for the data. When the demand for payment was refused, the information was published on the Internet. The investigation is in its early stages, and it is not yet clear how many individual patients are affected.

Although this breach involves a European provider not covered by HIPAA, it highlights both the value and the vulnerability of health care data. Similar breaches affecting potentially millions of American patients have been reported. Industry estimates put the number of new malware samples at nearly 1 million per day, with ransomware among the most common types.

The HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) requires covered entities to implement administrative, physical, and technical safeguards to guard against breaches of electronic protected health information, and the Privacy Rule (45 C.F.R. Part 164, Subpart E) imposes a parallel safeguards requirement for protected health information in any form. Covered entities are also required to review and modify their security measures as needed so that they continue to provide reasonable and appropriate protection of electronic protected health information.

Given the black market value of health records and increasing attacker sophistication, impenetrable security may be impossible. Nonetheless, strong data security and institutional compliance with a well-written, up-to-date HIPAA policy provide much-needed protection. Compliance with the HIPAA rules may also shield against the sort of multi-million dollar fines and settlements seen earlier this year, including, for example, the $5.5 million paid by a health care provider that the Department of Health and Human Services claimed lacked adequate policies for terminating users' access to health records. Such high-profile data breaches and their associated costs are a cautionary tale for health care entities and providers whose data security may have grown stale.