Not all healthcare data breaches are equal.
They're all bad, and they are reaching epidemic levels. The security testing company Redspin, for one, found that Protected Health Information (PHI) breaches nearly doubled from 2010 to 2011. The Department of Health and Human Services has reported 525 breaches of 500 or more records, involving 21.4 million individuals over the past three years, said Redspin president and CEO Daniel Berger.
But the raw numbers are only a piece of the story. Gienna Shaw, editor of FierceHealthIT, wrote in a post this week: "It's not the numbers that interest me most. It's the stories behind them. And there are so many stories ..."
One involved the Surgeons of Lake County, a small medical practice in Libertyville, Ill. Hackers broke into the system last summer, gained access to the names, addresses, Social Security numbers, credit card numbers and some medical information on more than 7,000 patients, then encrypted all the information and demanded a ransom.
Another involved medical students creating fake identities so they could post patient information on Facebook and other social media sites. A third involved malware infecting hospital equipment.
Shaw said the Department of Veterans Affairs reported "173 incidents of security breaches of medical devices from 2009-11 that disrupted glucose monitors, canceled patient appointments and shut down sleep labs."
She also cited a 2012 report from the Government Accountability Office that said wireless implanted medical devices, such as defibrillators and insulin pumps for people with diabetes, were vulnerable to hacking.
No hacker with a laptop so far has delivered a fatal shock to a pacemaker patient. But just the possibility is "some serious freak-out level information," Shaw wrote.
Why, when other industries -- particularly the financial sector -- have been able to curb both the frequency and the damage of data breaches, have things in the healthcare industry gotten worse? Bill Ho, president of Biscom, called it partly a Willie Sutton syndrome, named for the bank robber who said he chose that profession because "that's where the money is."
"There is a lot of good information you can use [in health data]," Ho said. "[And] not just for money but for things like social engineering."
Redspin's Berger said records often include more than Social Security and credit card numbers. They also include "personally sensitive information such as diagnoses, treatment plans, prescription information and complete medical histories," he said.
The advantage of electronic health records is clear, but it carries risk. Adam Levin, founder of Credit.com and former director of the New Jersey Division of Consumer Affairs, wrote in a Huffington Post blog post: "To have current, accurate, and reliable data about a patient's medical history just a click away -- whether the issue is urgent or routine -- will save money, time, and, of greatest import, lives." But attacks to steal and sell personal health data or hold it for ransom are also "ultimately made possible by the digitization of medical records and the placement of those records on networks -- often unprotected ones," Levin wrote.