Indiana Medicaid data breach may affect an “undisclosed” number of patients

Medicaid was started in the U.S to help families and individuals who struggle to pay for medical care. The social healthcare program is run by the government and provides financially limited people with free health insurance.

As we know, organisations like this are just as vulnerable as others to data breaches, data leaks, and cyber hacks.

In this instance, patient data was reportedly accidentally made live through a hyperlink (internet web link). The hyperlink was publicly accessible, meaning anyone who clicked on it could see the medical information contained on it.

The leaked data included:

Extent of the breach

Administrators of the organisation looked into the incident and confirmed that no financial data, patient address or social security details were compromised. They also believe that no information was stolen; but this may do very little to reassure patients. Public access to the information listed above can have some very concerning consequences.

Procedure codes can allow the public to see what medical treatment patients have had. Whilst this may not sound like valuable information, an affected patient could (subjectively) take a very different view. As the service is provided for people with limited resources, they may not always appreciate this information being made public.

The organisation and its associated bodies have said they have “no reason to believe this information has been or will be used inappropriately.” If only the world worked that way…

Medical data breaches continue to rise

In recent years, medical and health data breaches have continued to take the top spot as the sector with the most breaches. Whilst is can be understood that a large number of these breaches may have been caused by administrative errors, cyber criminals are also increasingly targeting hospitals and other healthcare institutions.

Medical records can be very valuable on the so-called “dark web” where information can be exploited in several ways. Information could be sold to fraudsters for identity theft purposes, or fraudsters could specifically target victims and pose as legitimate companies.

With medical records, some patients have an understandable desire to keep their medical ailments confidential. Cyber criminals can target these patients or the data holders and blackmail them by extorting money with the threat of sending private and sensitive information to others unless they pay the demand. This is often known as “ransomware”.

Patients notified

Patients have been notified of the breach and the potential risk they may be at as a result of the publicised information. DXC technology, who are entrusted with the organisation’s IT services, made a statement in response to the incident:

“While DXC Technology has no reason to believe this information has been or will be used inappropriately, DXC has taken steps to offer one year of credit-protection service to impacted individuals at no cost.”

A notification email and an offer of free cyber security protection for a year may not be enough to cover the risks the patients have potentially been subjected to. Data protection victims can have a right to seek financial compensation to help deal with the consequences of a data breach. Whilst no amount of money may “undo” the breach and make it like it never happened,  it can go a long way in recognising the harm the patient has suffered psychologically and cover any financial losses incurred.

Gloucester City Council fined £100,000 for “allowing” Heartbleed cyber-attack

2017: The year of the healthcare data breaches!