I had not been convinced about the dangers of one’s EHR getting stolen in a data breach — until now.
If a cyberthief robs you of your financial information, that clearly brings long-term risk of fraudulent charges to a credit card or identity theft.
But I was dubious about what illicit acts someone could take with stolen medical records. My most recent electronic entries mention that I had a physical in February and that my cholesterol lab work looked good. Who cares if someone comes into possession of that info?
Sure, a thief could aggregate electronic cholesterol test data, whittle it down to people who had bad cholesterol tests, and perhaps sell that list to some shadowy company marketing drugs to treat high cholesterol. But that act won’t bring a halt to your day that same way a stolen credit card number will.
I have also heard some observers argue that if crooks swipe your EHR, they could alter it. But short of the victim being someone famous or rich, few fraudsters will waste their time fiddling with Joe Q. Public’s records because there’s no gain to be had.
However, this week I read through the results of a healthcare data breach survey by Software Advice, a Gartner-owned company that reviews software applications in 250-plus industry categories, including electronic health record systems and features. Nestled among the results — which indicated, for example, that one out of five patients withholds personal health information from his or her physician due to data security fears — was a nugget of information that made me change my thinking of EHR theft.
In short, cybercriminals could use a medical record to fraudulently order prescriptions. Imagine if you found out while trying to refill a script that the pharmacy locked down your account because you had allegedly refilled the order already. Not only does a thief have a dose of your meds that could be sold on the street, but you’re also on ice trying to prove you need more of the drug.
I’m often the go-to person in my household for picking up prescriptions for my family. I have not shown my ID at a pharmacy in years, beyond having to verbally give an address. Anyone who performed little bit of research on my family, and had stolen medical information, could walk into our pharmacy and walk out with a prescription.
This risk isn’t even considering the added layers of security needed with electronic prescriptions.
After thinking about Software Advice’s comments, I believe the biggest widespread threat with medical information theft is indeed prescription fraud. This crime is easy to carry out, initially hard to detect, and potentially profitable. And for the victims, such an act would lead to plenty of headaches, calls to prescribing physicians, and arguments with the pharmacy.
As we here at SearchHealthIT prepare for next month’s HIMSS 2015 conference, I plan to keep my ears open about prescription theft and how e-prescribing fits into this picture.
I’m more worried about medical records theft today than I was last week.
Scott Wallask is news director at SearchHealthIT. Follow him on Twitter @Scott_HighTech.