Could hijackers hold your electronic medical records for ransom?

by Erica Cohen

With data breach issues plaguing even the largest of companies, individuals are understandably concerned that their personal information could be leaked to unauthorized users. Release of personal health information is especially concerning because of the information’s private nature. 

However, your medical records also face another kind of risk. Someone could “kidnap” them and hold them for ransom. That someone could make it so that no one, not even your doctor, can access crucial information like your lab results and exam history.

This is not fantasy. It is what happened to patients at Surgeons of Lake County medical facility in Libertyville, Illinois. Hackers delved into the deepest droves of the facility’s computer system and infiltrated the server where the facility stored emails and electronic health records (EHR). Then they added their own layer of encryption to lock the records up from view and demanded ransom in return for freeing them. 

This isn’t the first time EHRs have been hijacked and held for ransom. Another incident occurred in 2008 when extortionists contacted pharmacy benefits company Express Scripts demanding “millions of dollars” in exchange for the return of 75 electronic patient records. Just one month prior to that, the FBI arrested a man for allegedly stealing a computer server from Medical Excess, LLC, a subsidiary of AIG, and trying to extort $208,000 by threatening to release private health information on more than 900,000 patients.

Since the Department of Health and Human Services’ Office for Civil Rights began publicly disclosing large health data breaches two years ago, 21 million individuals have reportedly been affected by large health data breaches of one sort or another.

With the promise of financial incentives for “meaningful use” of EHR technology under federal legislation, medical facilities are scrambling to implement systems before the end of 2012 – the deadline to earn the maximum incentive payment. Although there are plenty of benefits to EHR systems – the ability for multiple providers to access your records to avoid duplication of tests and labs, potential reduction in medication errors, and avoidance of illegible handwritten orders – there are plenty of concerns as well. One of the main concerns is the vulnerability of data hosted electronically. 

In order to prevent an escalation of data breaches, it is essential for federal and state governments to develop stringent standards to ensure encryption of private health information. Currently, the federal HIPAA law, which governs data privacy, does not require providers to encrypt their records. Although hackers may still be able to access encrypted files and layer an additional level of encryption, thereby preventing access by appropriate personnel, requiring encryption would at least prevent hackers from accessing the actual records themselves.

Medical facilities should be required to have extensive back-up and contingency plans in the event their systems fail, a hacker takes over their systems, or for some other reason they are unable to access patient records. Although HIPAA provides for some measure of accountability, recent incidents show that it is only a start.

Erica Cohen is a third-year law student concentrating in health law at Drexel University Earle Mack School of Law. She graduated from the Scripps School of Journalism at Ohio University with a major in online journalism and minors in business and political science. Prior to attending law school, she worked for DKMS Americas, the world's largest bone marrow donor center. She currently works as a legal intern in the office of general counsel at a local hospital.