The Value of Your Dental Records and What Happens with Stolen PHI

The Value of Your Dental Records and What Happens with Stolen PHI

HIPAA Compliance can save you hundreds of thousands to millions in fines and penalties. 

The goalposts for HIPAA compliance change due to new requirements the evolution of case law. 

There’s a storm brewing, and you need to listen to this one….It’s gonna cost you. 

In recent years healthcare providers have paid through the nose for HIPAA violations. Their greatest liability? People. Yes, people are the biggest threat to privacy and information security. See all it takes is one of employee to open an e-mail, click on a link, or open an attachment they shouldn’t open (and perhaps not even reports it to you) and you have a reportable (major) breach secondary to a cyber security hack.

Bad guys are getting good at phishing healthcare providers (specifically physician practices and dental offices). Think like a criminal with me for a minute as we discuss why (and then, don't ever think like a criminal again).

 Dental offices do not invest in I.T. security to the degree larger healthcare organizations do. Hackers know this! Your records are worth cash money on the black market (yes, such a thing really exists). Thieves steal dental records to sell. Why? Identity theft. It is BIG business.

Patient records fetch $300 plus per record. Identity thieves pay hackers their cut because the identity thieves will turn around and obtain fraudulent lines of credit and run of thousands, tens of thousands, even hundreds of thousands in debt – effectively cashing out and moving on to the next stolen identity leaving a trail if victims in their wake.

You have to admit, if you could predictably (consistently) trade a few hundred dollars for thousands you would do it all day long. Heck, we all would except in this situation it is illegal. It is innocent victims (patients) who pay the price. It can take years for victims of identity theft to clear their name and repair their credit. Much of the time the thieves are never caught; no one pays for the crime.

     The U.S. Health and Human Services – Office for Civil Rights (OCR) is the agency responsible for investigating HIPAA violations. OCR assesses Civil Monetary Penalties (CMPs) to settle HIPAA violations. CMPs have increased from an average of $100,000 in 2008 to $1.2 million in 2017. A portion of CMPs goes to patients and others affected by breaches of their information to help mitigate identity theft issues. Someone has to pay that bill and it’s not the patients’ fault when a healthcare provider fails to adequately safeguard their patients’ information.

Are you sure the safeguards you have in place are just adequate? I would hope not. Crooks continually craft new schemes to trick healthcare providers into giving them the keys to their patients’ PHI. As sure as that is you should continually be on the lookout for protective measures for the latest threats, as it is not the old tricks that will get you, but the newer, more clever tactics. Such tricks can be very compelling. Click the wrong link, email, or email attachment and can experience a cyber-attack.

The latest craze is called Ransomware. The latest version “Philadelphia” comes as a normal looking e-mail that appears to be from someone you know (and probably trust). The attachment in the e-mail is a Word document (not an obviously strange document format). The sender and body of the e-mail actually looks legit so you or your staff will open it. When you open the Word document or click on a link in the body of the e-mail it contains the name and signature of the provider (again, looks legit). Days later you are notified that your computer, and components attached (goodbye cell phone), is infected (encrypted). Want the decryption key? Bet you do. That will be 2.5 bitcoins (about $500 US dollars), an untraceable currency.

The problem with a cyber-attack is that is requires you to complete a Breach Risk Assessment (BRA). A breach is any unauthorized acquisition, access, use or disclosure of PHI in a non-permitted manner that compromises the security or privacy of the PHI. Every breach (or suspected breach) is a reportable breach until you complete a BRA and then can demonstrate there is a …“low probability that the [PHI] has been compromised”.

When it comes to cyber-attacks is can be very difficult, even with a forensic computer analysis whether PHI has been compromised, so most likely a cyber-attack would be a reportable breach.

Breaches involved PHI of 500 or more individuals requires notification to OCR within 60 days of the DISCOVERY of a breach, notification of affected individuals (patients), and notification of television and print news publications.

May today your best ever!


    Dental Compliance Specialists helps make dental offices safer for patients, dentists and their employees. We help our clients develop and maintain their compliance programs including OSHA/Infection Control, HIPAA, DEA regulations and prescribing practices, Radiation Safety, OIG/Medicaid Compliance, Record Auditing, and more by providing actionable systems, easy-to-use tools, robust training, and accountability. Most of our clients have never been in trouble and want to keep it that way. Sometimes, though, dentists call when they are in trouble. In either case, we are there to make a meaningful difference. If you need help call us at 817-755-0035.

    Previous Article Next Article