For a cybercriminal, medical records offer everything in one place. Selling a Social Security Number? Naturally. Credit card numbers? They’re good on the black market too. And for those criminals who love scams, there are phone numbers, email addresses, and birthdays.
And of course there is always blackmail, which is what happened to psychotherapy patients in Finland whose records were stolen in 2018 and 2019. These patients had attended a private psychotherapy clinic in Helsinki. Forbes reported that slightly less than 1% of the Finnish population received threats in October this year that their records would be exposed unless they paid into a cryptocurrency account.
When the clinic refused to bow to ransom demands, the hackers blackmailed its customers directly. At least 300 customers who did not pay saw their private information, and even session notes, leaked online, according to ABC News.
In all, cybercriminals hacked into 27 healthcare providers or organizations in 2019. To give perspective and a human dimension to these numbers: 15 million stolen records were reported in 2018. Last year there were 41.4 million.
Could this happen here?
Despite legal protections, starting with HIPAA (the Health Insurance Portability and Accountability Act), experts say electronic data remains susceptible to hackers. And psychotherapy records are especially sensitive – and vulnerable – because clients assume that everything said in a session is confidential and secure.
Medical Daily reached out to educational psychologist Roseann Capanna-Hodge, EdD, founder of the Global Institute for Children’s Mental Health in Ridgefield, Connecticut. She emailed us about what therapists can do to protect the privacy of their clients.
MD: What safeguards are in place to protect mental health records?
Dr. Capanna-Hodge: All therapists must consider HIPAA concerns, and all of their technologies must be HIPAA compliant. Therapists are ultimately responsible under the HIPAA Security Rule and the Privacy Rule for ensuring the confidentiality, integrity, and availability of electronically protected health information (ePHI) that their technology stores, transmits, and collects.
As therapists move into teletherapy, some of the more difficult information for therapists to protect can be IP addresses (the unique identifier for a patient’s internet connection). In this case, when choosing a teletherapy technology, therapists want to ensure that the provider has controls in place to protect this information.
The HIPAA Privacy Rule addresses the need to balance the sharing of PHI [protected health information] and ePHI to ensure the best possible care and protect patient privacy. The most important part of the Privacy Rule is giving patients control over how you use their information, whom you share it with, and when you share it.
MD: Is paper still being used?
MD: Is this data breach [in Finland] likely to make mentally ill patients more cautious about seeing a therapist and how much they might reveal during sessions?
Dr. CH: In this world of more common data breaches, most people understand that this is part of the online world. With this in mind, patients should ask their providers how their data is protected so that they can feel better about their privacy. Fear of losing private information is often the reason many choose to leave their insurance network for services because their private information is inaccessible to their insurance company. Many fear that their mental health information will be used against them in the future if they need additional or new insurance.
Protection of digital records
“The industry has gotten a lot better at understanding the risks associated with storing information since EHRs [electronic health records] became mandatory,” said Adam Jackson, founder and CEO of 360 Privacy, www.360Privacy.com, a digital privacy company in Franklin, Tenn.
“The system was not ready for the number of video health sessions required since the Covid pandemic began,” Jackson told Medical Daily. “There are two main weak points. The first is a bad actor intercepting the video feed, and the other is the psychologist’s transcribed notes being compromised.”
To mitigate these risks, Mr. Jackson advised health professionals:
1. Use reputable IT providers with years of experience in their industry.
2. Use a commercial virtual private network (VPN).
3. Have third parties conduct regular audits of your system.
4. Have an in-house compliance team and conduct regular training.
Professional associations and licensing agencies expect the same security precautions for electronic patient files as for paper patient files. The American Hospital Association (AHA) recognizes that all of a patient’s electronic records – doctor’s notes, lab results, and test results – are kept in one electronic bundle to provide the patient with the best possible care, but that this bundling also makes EHRs, or electronic health records, a more attractive target for cybercriminals.
The security of electronic or paper documents cannot be 100% guaranteed. Unauthorized access to patient records has increased since the introduction of electronic patient records, but paper records can be accessed by a determined criminal, too. Despite the best efforts of everyone involved, data breaches happen, and as systems improve, cybercriminals are already finding new ways in. The AHA recommends that healthcare facilities have security systems in place that are flexible and can be adjusted to block unauthorized access to patient records as new attacks are identified.
Yvonne Stolworthy, MSN, RN, graduated from nursing school in 1984 and spent years in intensive care. She has been an educator in a variety of settings, including clinical trials.