The theft of medical identity information is costing half of victims out-of-pocket costs of an average of $2,500.
The theft of medical identity information is costing half of victims out-of-pocket costs of an average of $2,500.

More than a quarter of U.S. consumers (26 percent) have had their health care data siphoned out of technology systems, according to a new survey from Accenture, an international professional services company.

And the consequence following the theft of medical identity information is costing half of those victims out-of-pocket costs of an average of $2,500.

The study, which queried 2,000 consumers in the U.S., found that these incursions occur most often in hospitals, with more than a third of respondents (36 percent) citing that's where the data was stolen from. The locations next at fault were: urgent care clinics (22 percent), pharmacies (22 percent), physician's offices (21 percent) and health insurers (21 percent).

Key actions to focus on:

Improve response capabilities – In conjunction with improving detection, handle breaches quickly and efficiently, in a way that limits damage.
             
Validate downtime procedures
– Strive to reduce recovery time to minimize impact on patient care and business operations.
             
Share threat information
– Act on learnings and share them with others. Communicate to consumers the actions you have taken.
             
Re-boot your approach
– Embrace an end-to-end cyber defense that recognizes a spectrum of threats, minimizes exposure, and identifies and protects high-priority assets.
             
Manage your risks
– Make targeted cybersecurity investments that will deliver measurable returns and help you build digital trust with health care consumers, who are increasingly security-aware.
 
– Source: Accenture

The study further revealed that half of those victimized by a breach detect the theft themselves, most often by noticing an anomaly on their credit card statement or an explanation of benefits. Only a third of those caught up in a breach were alerted by the targeted facility, and only 15 percent received a notice from a government agency.

“Health systems need to recognize that many patients will suffer personal financial loss from cyberattacks of their medical information,” said Reza Chapman, managing director of cybersecurity in Accenture's health practice. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.”

In response to the breach, nearly all (91 percent) of the consumers who were data-breach victims took some type of action. Some changed health care providers (cited by 25 percent), insurance plans (21 percent) or sought legal counsel (19 percent). Others took personal steps, such as changing login credentials (29 percent), subscribing to identity-protection services (24 percent) or adding security software to their computer (20 percent). Only 12 percent of data-breach victims reported the breach to the organization holding their data.

“Now is the time to strengthen cybersecurity capabilities, improve defenses, build resilience and better manage breaches so that consumers have confidence that their data is in trusted hands,” Chapman said. “When a breach occurs, health care organizations should be able to ask ‘How is our plan working' instead of ‘What's our plan?”

The most common source of health care breaches occur within medical institutions where security capabilities are nascent and a lot of valuable data exists. When asked why the health care sector is a primary target for cyber attackers, Brian Kralis, managing director of digital health at Accenture, told SC Media on Tuesday, "health care providers generally keep a lot of personally identifiable information – including credit card information, home addresses and medical histories – but haven't placed the same amount of effort (e.g., IT expenditure) into guarding this treasure trove of data, at least not compared to other industries."

Similar to the financial services or the retail industry, cybercriminals can sell personal data at a premium on the black market, Kralis explained. "While bank data becomes useless once the breach is discovered and passwords are changed, health care data can last a lifetime – making it more valuable to hackers."

In fact, he said, most often, stolen identities will be used to purchase items (cited by 37 percent of data-breached respondents) or used for fraudulent activities, such as billing for care (37 percent) or filling prescriptions (26 percent).

Nearly one-third of consumers had their Social Security number (31 percent), contact information (31 percent) or medical data (31 percent) compromised, Kralis pointed out. "Unlike credit-card identity theft, where the card provider generally has a legal responsibility for account holders' losses above $50, victims of medical identity theft often have no automatic right to recover their losses."

What can healthcare providers do better to defend against online attacks? Kralis  said that health systems need to recognize that many patients will suffer personal financial loss from cyberattacks of their medical information. "Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach."

These survey results were extrapolated from a larger study, conducted by Nielsen on behalf of Accenture between November 2016 and January 2017, that queried 7,580 consumers in seven countries.