4.7M Calif. Medical Records Affected by Data Breaches Last Year

Last year, more than 4.7 million medical records were affected by data breaches in California, according to federal data, the Orange County Register reports.
That number is up significantly from 2014, when just 400,000 medical records were reported compromised (Leung, Orange County Register, 1/18).
Several large-scale health care industry data breaches occurred in California last year.
For example, Anthem officials in February 2015 said about 13.5 million Californians were involved in a data breach that affected 78.8 million of the insurer’s customers, former customers and employees across the U.S. (California Healthline, 11/3/15).
In July 2015, UCLA Health announced that it suffered a cyberattack that could have compromised the personal health records of up to 4.5 million people (California Healthline, 10/15/15).
The number of individual incidents has remained steady at about 30 to 40 per year across the state. However, health care organizations are not required to report breaches affecting fewer than 500 individuals, according to the Register.
In addition, experts say the number of security breaches of all types — including those involving medical records — is likely to increase in size and frequency in coming years, particularly as health care facilities transition to electronic health records and more people sign up for health coverage under the Affordable Care Act.

Medical Data Valuable to Hackers

Experts say that health data breaches generally attract less attention than breaches of financial information, but they can be more detrimental to those affected, according to the Register.
Terry Gold, a security analyst and program director of the Information Systems Security Association of Orange County, said, “For example, an employer learns of certain conditions, mental health history or illnesses. Will this affect their consideration for employment?”
Health records can also contain financial data, Social Security numbers and other information that “can be leveraged to validate an identity with another disconnected service (such as mortgage, bank, utilities, etc.) where new accounts can be opened and leaving the real person on the hook,” Gold said (Orange County Register, 1/18).