In the News

What to Do if Your Healthcare Data is Breached


November 2, 2022

As the conveniences of electronic health records and data storage increase, so does the risk for personal information to be compromised and potentially used for nefarious means. According to the HIPAA Journal, between 2009 and 2021, “4,419 healthcare data breaches of 500 or more records” have occurred, “resulting in the loss, theft, exposure, or impermissible disclosure of 314,063,186 healthcare records.” This massive number is the equivalent of 95% of the 2021 United States population.

To find out what to do if your health data security has been breached, Patient Power asked attorney Douglas McNamara, a partner at Cohen Milstein Sellers & Toll, a firm specializing in Cybersecurity and Data Breaches. He shared some key information and useful tips to consider.

What are the Possible Consequences of a Healthcare Data Breach?

“Data breaches can put you at risk for identity theft – where criminals use your information to open up loans in your name, apply for unemployment benefits, or file tax returns seeking your refund,” said McNamara.

In addition to financial losses, the very personal nature of the data disclosed in a healthcare breach can leave a patient at risk for extortion, insurance fraud, or even loss of access to important personal health information.

What Questions Should I Ask My Healthcare Provider?

According to McNamara, you should ask for a copy of any records that they think have been exposed. That way you can see exactly what sensitive information may now be in the wrong hands. For example, if your maiden name or child’s name is disclosed and you use either of these as part of any password information, then you have a better idea of what needs to be changed.

You should also ask if the data was encrypted or if they are offering any credit monitoring. If they are, take it but don’t give up any rights. You should not have to release your rights to potential compensation if it turns out the healthcare provider was negligent or knew of the security incident earlier than they notified you,” McNamara said.

What is the First Thing I Should Do?

First and foremost, review all your financial accounts ASAP. There is a good chance that a cybercriminal will have access to your social security number and date of birth and could use this information to open bank accounts or loans in your name. Placing a credit freeze on your accounts and setting up fraud alerts through the major credit reporting agencies (Equifax, Experian, and TransUnion) is also important, noted McNamara.

If you have a health savings account (HSA) or a flexible spending account (FSA), be sure to change the passwords and monitor those accounts closely as well.

Also be on the lookout for any letters from the US post office verifying a change of address. If someone tries to file a change of address with your name, the post office will send out a letter of validation to confirm it was really you that initiated it.

What Steps Can I Take to Protect Myself?

Data breaches are unfortunately going to happen as hackers become more and more sophisticated. One of the best ways to protect yourself and your data, says McNamara, is to not reuse passwords and make sure you change them often. You should also be careful about giving out your social security number for use as a patient identifying number and remember to shred any medical bills you receive before throwing them away.

“Be proactive,” says McNamara. “If you have credit monitoring services through your credit card or another service (Equifax for example), take advantage of it.” You can get a free copy of your credit report once a year from each of the 3 credit reporting bureaus.

More Resources

McNamara pointed out that the Federal Trade Commission (FTC) also offers a comprehensive checklist on their website that helps guide you on what to do if you’ve been the victim of a data breach.

Read What to Do if Your Healthcare Data is Breached