The Boston Globe

Health care lags on data security, some experts say

NEW YORK — Everyone worries about stolen credit cards or hacked bank accounts, but visiting the doctor may put you at greater risk: Medical forms are fertile ground for criminals looking to steal your identity, since health care businesses can lag far behind banks and credit card companies in protecting sensitive information.

Names, birth dates and, most importantly, Social Security numbers on health forms can help hackers open fake credit lines, file false tax returns, and create phony medical records.

“It’s an entire profile of who you are,” said Cynthia Larose, head of the privacy and security practice at the Boston law firm Mintz Levin. “It essentially allows someone to become you.”


Health care companies are, in some cases, required to collect Social Security numbers by government agencies.

They also use them because they are unique to an individual, said Dr. Ross Koppel, a University of Pennsylvania professor who researches health care information technology.

But once someone creates a stolen identity with a Social Security number, it can be hard to fix. A person can call a bank to shut down a stolen credit card, but it’s not as easy with stolen Social Security numbers.

“You can’t just call the bank and say, ‘Give me all the money they stole from my identity.’ There’s no one to call,” said Avivah Litan, a cybersecurity analyst at the research firm Gartner.

So given that the data are so vital, health care companies take every precaution, right?

Not necessarily. The FBI warned health care companies a year ago that they were not doing enough to thwart cyberattacks, said Christopher Budd of the security software company Trend Micro.

Last year, more than 10 million people in the United States were affected by health care data breaches, including accidents, according to a government database — the worst year for health care hacking since 2011.


Litan estimates the health care industry is 10 years behind the financial services sector in protecting consumer information. Banks, for instance, are more likely to encrypt data. They also are more likely to use advanced statistical models and behavior analytics to spot when someone’s credit card use spikes — a sign of possible fraud. “There’s a need for that everywhere now,” she said.

Anthem, the second-largest US health insurer, said last week that hackers broke into a database storing information on 80 million people. It had “multiple layers of security,” said David Damato, managing director at FireEye, the company hired to investigate the breach. But the stolen data were not encrypted. An Anthem spokeswoman said encryption wouldn’t have helped, because the intruder used high-level security credentials to get into the system.

But several experts say that encryption does help. Encryption can be tuned so that even authorized users can view only one person’s account, or a portion of an account — making it harder for an outsider to view or copy a whole stockpile of records.