A lesson from a hacked healthcare provider: Keep track of your medical history
Leslie Dengler wants to get her annual mammogram, but she can’t compare the results because she doesn’t have access to her previous images.
“I have a pre-existing cyst that seems like nothing, but they are watching it,” she went on to say. “It’s crazy that I can’t get my records.”
Akumin, a multi-state, Plantation-based imaging company, was hit with a ransomware attack nearly three weeks ago, forcing it to shut down its systems. The organization serves as many as 2 million patients. Dengler and others are still attempting to obtain electronic medical scans from Akumni’s 50 Florida imaging centers.
It’s unclear when or if Akumin’s medical files will be fully recovered.
Patients like Dengler are wondering if they should do a better job of remembering their own personal medical history.
Healthcare providers are increasingly being targeted by cybercriminals, who frequently corrupt their data and demand a fee to restore it. According to research published in the Journal of the American Medical Association, the last few years have seen a record number of hacking incidents at healthcare organizations. In Florida, hackers broke into Broward Health’s computer networks in October 2021 and Tampa General Hospital earlier this year. HCA Healthcare, based in Nashville, Tennessee, disclosed a data security breach in July that compromised the personal information of over 11 million people, including patients in Florida. According to the for-profit health system, data containing patients’ names, contact information, gender, birth dates, and locations was stolen from external storage.
This summer, a hospital in Spring Valley, Illinois, closed its doors permanently after failing to recover from a cyber attack.
While Akumin works to restore its systems, it has revealed that patient personal information has been compromised and that “access to certain imaging results from prior years may be currently unavailable.” In addition, the company announced that it is reorganizing under Chapter 11 bankruptcy protection.
“I believe people are realizing they don’t have control over their medical data,” said Ricardo Villadiego, founder and CEO of Lumu, a Miami cybersecurity firm. “On the financial side, if a company suffers a data breach, you should assume your financial information has been compromised and contact your bank and credit card company.” You can change your passwords if they stole your email address. However, if they obtain your medical information, there is little you can do.”
Healthcare organizations are using electronic records and digital services more than ever before, making it easier for cyber criminals to cause disruption and access patient information. While patients can access their records online and even via an app, experts advise keeping a paper copy of reports or a file on your personal computer.
Jill Beer, 66, of Cooper City, said she meticulously records her and her husband’s medical history. “If you ask the records depart of the hospital, they will give you anything,” she went on to say. “Some doctors, such as orthopedists, will provide you with a print-out if you request one.” We request a print-out from every doctor we visit.”
Beer claims her 75-year-old husband fractured his hip and suffered a neck injury. She has written reports as well as CDs containing his MRIs, CAT scans, and X-rays. “These days with healthcare providers getting hacked, you need a paper trail,” she went on to say. “Also, we bring our records with us when we go to the doctor so we don’t forget to ask questions and can provide information if they need it.”
According to Dr. Antonio Wang, president of the Broward County Medical Association and a family medicine doctor in Plantation, every patient has the right to request their health records. “They will give it to you but you have to ask,” that’s what he said. “Perhaps a doctor retires or the practice closes… images can be especially important.” If you go somewhere else the following year, bring your old copy to compare.”
Wang stated that some Akumin patients may have waited months for a doctor or specialist appointment and are now unable to bring their images with them. “It really opens your eyes.”
Healthcare providers must strike a balance between keeping medical data secure and providing access to patients and doctors. “It’s a question of security versus ease of use,” said Amit Trivedi, senior director of Informatics and Health IT Standards. That is what makes your records vulnerable. “For most providers, it’s not a matter of if they will get hacked, but when,” he said.”As a patient this is worrisome.”
Most people believe that their health-care providers will keep their medical records and make them available when needed. Patients rely on MyChart and Zocdoc to centralize their medical records. However, there is a risk involved.
“Most providers, including imaging practices, have increased the number of devices in their medical network… MRI machines, as well as blood pressure and heart rate monitors, are linked to the network. “They may install some kind of protection agent, but they still have blind spots,” said Villadiego of Miami’s Lumu.
Doctors say that keeping your own personal health records is one of the best ways to always have your health information available and to keep track of medications and procedures. It may help you avoid duplicate tests, avoid medication interactions, and provide a complete medical history to a new doctor.
Clearly, getting a printout of your lab results or a summary of an office visit is less difficult than requesting a copy of a large image.
“Some files are larger than a CD.” “The provider can provide you with a low-resolution version, but if you take it to another specialist, they want high-resolution images,” Trivedi explained. “Typically those larger images are transferred directly from provider to provider so they definitely are the tricky pieces of your records.”
While large-scale ransomware attacks become public, Trivedi claims that patients are frequently unaware of hacks that are quickly remedied by health providers. Some businesses pay the ransomware and the attack is kept private. “The problem is that you can’t trust a criminal. These guys are extremely well-organized. In the last few years, we’ve seen companies hit multiple times by different ransomware gangs. It is less expensive to implement the proper defense strategy than to deal with the pressure and disruption caused by an attack.”
However, some businesses are simply not doing enough.
According to Thorsten Stoeterau, a Plantation cyber security expert, the Akumin incident should serve as a wake-up call for patients and providers. Digital records and images dating back ten years or more may be lost.
“Ransomware happens, but there is no excuse not to have a backup,” he went on to say. “There is no excuse for not being able to retrieve data after three and a half weeks.” It means they didn’t have a backup, or their backups were corrupted as well. They were unprepared for a disaster like this and gambled with their customers’ data.”
Akumin’s investor relations director, Jeffrey White, stated that the company’s operations are returning on varying timelines but did not address the potential data loss.
Most people are well aware that hackers have the potential to expose personal financial information. Hackers have compromised retailers, school districts, and even the state’s unemployment system. However, as cyber attacks become more common in the healthcare industry, patients may be less aware that the fallout can impact their ability to access lab or test results, and even cause treatment to be delayed.
“We as a society rely on computers and hope they always work,” Stoeterau went on to say. “We have the option of requesting our health data.” I never considered it until this incident… it might be a good idea.”
