Discover Why Tracking Culprits in Health Data Breaches Is Tough

Thu, May 21, 2015

Reader Questions

The number of third-party processors that touch a healthcare record muddies the waters when hackers steal it.

When criminals obtain your credit card number by hacking a merchant you did business with, investigators can usually identify the breached company quickly. A card transaction with, for example, Home Depot involves only a few parties: you, the store, and the credit card company.



Count Business Associates Who Touch Healthcare Records

When hackers target healthcare records, however, finding the source of a breach is much harder, because a single record passes through a multitude of business associates (BAs): under HIPAA, the third-party companies, from medical billing services to claims-scrubbing houses, that create, receive, maintain, or transmit protected health information on a covered entity's behalf. Since the 2013 Omnibus Rule, a BA's subcontractors that handle that information are BAs in their own right, so make sure your policies, procedures, and business associate agreements impose strict standards on those subcontractors and that they fully understand their obligations as BAs.

Is Your Stolen Data in the Internet’s Darkest Corners?

If your business associates have lax practices, your information can end up in the darker, less accessible corners of the Internet where criminals and fraudsters gather to sell stolen data. There, credit card numbers, Social Security numbers, and identifiers such as a mother's maiden name are prime commodities.

A Case in Point — Who Breached Tenet’s Data?

Recently, someone posted a large text file to one of these criminal sites. The file was named "Tenet Health Hilton Medical Center" and contained names, addresses, Social Security numbers, and other information on dozens of physicians located across the country. Tenet Health said the data had not been stolen from its own databases but from a third-party service provider, InCompass Healthcare, and that a server holding the information of 10,000 patients and 40 employed physicians from 29 facilities across the US had been left exposed and unsecured.

An InCompass spokesman, however, said the only information on that server was physician names, provider numbers, Social Security numbers, and facility names, and that, to his knowledge, the information was not being used maliciously.

Know the Company Your BAs Keep

So although Tenet's data leaked through InCompass, it was not InCompass's own server that exposed it. Further investigation pointed to an InCompass business associate, PST Services, a McKesson subsidiary that does medical billing. PST Services apparently left the information of the 10,000 patients open to Google searches for more than four months. Data that a search engine can index is data anyone can reach without credentials, and indexed copies can persist in search caches after the server itself is locked down, so securing the server does not by itself contain the exposure.

Unraveling the Tangled Web Isn’t Easy

Clearly, health record breaches can be difficult to trace back to the responsible party. Electronic health records are hot targets because they contain everything a fraudster needs to open new lines of credit or file fraudulent Internal Revenue Service tax refund claims, and, unlike a card number, a Social Security number or date of birth cannot be reissued after a breach. As of March 2015, more than 41 million people had had their protected health information (PHI) breached, according to the Department of Health and Human Services' HIPAA breach page.

Does Keeping Your Data Encrypted Ensure Compliance?

Is it enough to buy and use an encryption product that the vendor certifies as HIPAA compliant? No. There is no government certification for HIPAA-compliant software; the label is the vendor's claim, and the compliance obligation rests with your organization, not the product. The HIPAA Security Rule still requires you to conduct a risk analysis that accounts for:

  • Your organization's size, complexity, and capabilities
  • Your technical infrastructure, hardware, and software security capabilities
  • The likelihood and criticality of risks to electronic PHI.

Then weigh those factors against the cost of implementing and using encryption. Encryption is an addressable implementation specification under the Security Rule: you may decide it is not reasonable and appropriate in a particular situation, but then you must document why and implement an equivalent alternative measure. Write policies and procedures stating how you will handle these risks, and then be sure you follow through on them.


Susan taught health information and healthcare documentation at the community college level for more than 20 years. She has a special love for medical language and terminology. She is passionate about ensuring accurate patient healthcare documentation through education. She has a master's degree in healthcare administration, is a certified healthcare documentation specialist, and serves as immediate past president for the Association for Healthcare Documentation Integrity (AHDI).
