Hackers are hot for personal health information — is your vendor safeguarding it?

Mark Aquilio
Director, information security & compliance

This is the second article in our series about secure data management and data security breach prevention in the healthcare industry and all businesses. In this story, we focus on personal health information as a particular target and why.

Your best friend may not know about the last time you had a medical procedure, but it’s possible a complete stranger might. That’s because 41% of the U.S. population has had at least some personal health information (PHI) compromised by a data security breach.[1] In the last 2 years alone, an estimated 94% of healthcare organizations have experienced at least 1 such cyber security incident.[2]

Does the company that manages your employee and client information have the protocols in place to ensure secure data management? Given the scope of the problem for the business world, the high value of PHI and the changing nature of cyber threats today, it may be the most important question you ask in 2019. This applies whether the data involves a client’s purchasing history or a vision care history.

For companies that experience a data security breach, the expense of containing the problem alone can run into the millions of dollars, depending on its size.[3] Plus, the costs to reputation, employee morale and talent recruitment efforts could extend well beyond a dollar amount.

And in 2019, the challenges of preventing data breaches are likely to intensify, particularly among organizations holding PHI. The first article in this series examined the overall scope of data breaches across all business sectors. Here, we focus specifically on protecting personal health information, which can carry a much higher price tag on the black market than other data, even credit card numbers and social security numbers (SSNs).[4]

(Note: As standard policy, EyeMed uses unique Member ID numbers generated by our secure system for all member communication, not SSNs. EyeMed prefers that clients only send us the last 4 digits of SSNs. If clients choose to supply any SSN data to us, we mask it and never print the data on member communications).

Recognizing digital piracy

So what might you look for? This is what a data breach can look like at your business:

• You notice a lot of system activity at unusual hours
• Your e-commerce payments have been disrupted
• The company logs have been tampered with
• You find your organization’s confidential data online.[5]
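As an added example (not part of the original article), the following Python script shows how a defender can automate two of the checks above on constructed sample log lines: flagging accounts with repeated activity outside business hours, and detecting tampered or deleted log entries with a hash chain. The log format, user names and business-hours window are assumptions for this example.

```python
import hashlib
from datetime import datetime

# Constructed sample log lines (not real data): "<ISO timestamp> <user> <action>"
SAMPLE_LOG = [
    "2019-01-14T09:12:05 alice export_member_report",
    "2019-01-14T13:40:22 bob view_claim",
    "2019-01-15T02:17:48 svc_backup export_member_report",
    "2019-01-15T03:05:11 svc_backup export_member_report",
    "2019-01-15T03:06:59 svc_backup export_member_report",
]

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, an assumed window for this example


def off_hours_activity(lines, threshold=2):
    """Return {user: count} for users with at least `threshold` actions
    outside business hours (the 'activity at unusual hours' clue)."""
    counts = {}
    for line in lines:
        ts, user, _action = line.split(" ", 2)
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


def chain_log(lines):
    """Append to each line a SHA-256 over (previous hash + line). Editing or
    deleting any line breaks every hash after it, which makes tampering
    detectable as long as the chain is written somewhere the attacker
    cannot rewrite (e.g. a separate log server)."""
    prev = "0" * 64
    chained = []
    for line in lines:
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        chained.append(f"{line} {digest}")
        prev = digest
    return chained


def first_tampered_index(chained):
    """Return the index of the first entry whose hash fails to verify, or -1."""
    prev = "0" * 64
    for i, entry in enumerate(chained):
        line, digest = entry.rsplit(" ", 1)
        if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
            return i
        prev = digest
    return -1
```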

Sometimes, when these clues aren’t obvious, it can take weeks or even months to recognize an incident occurred. In fact, some studies show it can take a company 6 to 7 months, on average, to detect exposed data.[6]

Fortunately, a growing number of resources are making it easier to avoid possible breaches and hacks, as well as their aftermath. Companies that take advantage of security resources are protecting a lot: just 1 million exposed records could cost a company up to $40 million,[7] and a breach could put a company’s business credit score in jeopardy.[8]

And, importantly, there are many other outcomes worth protecting from digital piracy that may be less visible. According to a 2016 study published by Deloitte, “Beneath the surface of a cyberattack,” many of the impacts of breaches are intangible and more difficult to quantify, including costs associated with loss of IP or contracts, loss in value of customer relationships or damage to the value of a trade name. [9]

Ensuring data security: 81 reasons per second

The trust placed in holders of that data is challenged daily. Every second, 81 data records are lost or stolen across all industries, and personal health information is an increasingly lucrative target.[10]

A person’s electronic medical health records, specifically, could be worth hundreds or thousands of dollars, compared with just 10 cents for an SSN. This is because electronic health records include all demographic information, such as names of relatives, in addition to financial data and credit card numbers. Further, unlike credit cards, you can’t cancel your health information. [11]

Now, as a result, reports show at least 1 healthcare data breach every day.[12] From 2015 to 2017, the sector sustained more than 900 major security breaches, involving 135 million records.[13]

Many of these breaches were likely due to data unintentionally left vulnerable in unsecured environments; to put it another way, the result of human error.[14]

Information security: you should expect it with healthcare data

This is why brokers and employers should expect their benefits companies to be vigilant partners in cyber protection, not merely holders of data. The growing presence of the risk requires open communication, understanding and teamwork with your benefits vendors.

Your vendors should be happy to answer hard questions about their security platform, such as how it is equipped and managed, the security certifications or attestations they hold and the training their staff receives.

It might be worth asking, for example, whether the organization’s data center is certified by the Uptime Institute, a global authority on infrastructure performance and reliability, as a Tier III or Tier IV data center. You may also want to ask about reviews of business practices and operations by AICPA-certified third parties.

The acts of collecting and protecting client and employee health information are 2 sides of the same coin, and carry tremendous value. Be sure your benefits vendor puts the highest value on it.

Get started now by reading our 2018 blog, “Who’s watching your data? 6 security questions to ask a potential vendor.” To review EyeMed’s comprehensive approach to data protection and cyber security, check out this brief overview.

Watch for more articles on data security to come from EyeMed.


1. The HIPAA Journal, https://www.hipaajournal.com/security-breaches-in-healthcare-in-the-last-three-years/
2. SecurityMagazine.com, https://www.securitymagazine.com/articles/89315-five-steps-to-developing-a-healthcare-information-technology-security-plan
3. SecurityIntelligence.com (2018), https://securityintelligence.com/ponemon-cost-of-a-data-breach-2018/
4. The Washington Post (May 2015), https://www.washingtonpost.com/news/the-switch/wp/2015/02/05/why-hackers-are-targeting-the-medical-sector/?utm_term=.295c46e40605
5. “12 Ways to Know if Your Business Has Been Breached,” LeapFrog, March 1, 2018, https://leapfrogservices.com/how-do-you-know-if-your-business-has-been-breached/; accessed Dec. 28, 2018
6. Ponemon Institute, 2018 Cost of a Data Breach Study: Global Overview (p. 4), https://www.csoonline.com/article/3251606/data-breach/what-does-stolen-data-cost-per-second.html
7. SecurityIntelligence.com (2018), https://securityintelligence.com/ponemon-cost-of-a-data-breach-2018/
8. “Risky Business: The Hidden Costs & Impact of Business Data Breaches,” by Donna Parent, Fighting Identity Crimes, Sept. 25, 2018, https://www.fightingidentitycrimes.com/hidden-costs-impact-of-business-data-breaches/; accessed Dec. 28, 2018
9. “Beneath the surface of a cyberattack: a deeper look at the business impacts,” Deloitte Development LLC, 2016, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-risk-beneath-the-surface-of-a-cyber-attack.pdf; accessed March 4, 2019
10. “Data Privacy and New Regulations Take Center Stage,” 2018 Breach Level Index Report, Gemalto; accessed October 2018
11. “Your Electronic Medical Records Could Be Worth $1000 To Hackers,” by Mariya Yao, Forbes.com, April 14, 2017, https://www.forbes.com/sites/mariyayao/2017/04/14/your-electronic-medical-records-can-be-worth-1000-to-hackers/#28c00ef050cf; reviewed Jan. 4, 2018
12. “Healthcare Data Breach Statistics,” HIPAA Journal, https://www.hipaajournal.com/healthcare-data-breach-statistics/; accessed Dec. 28, 2018
13. The HIPAA Journal, https://www.hipaajournal.com/security-breaches-in-healthcare-in-the-last-three-years/
14. “What is a Hack Vs. What is a Data Breach: Cybersecurity 101,” by Eitan Katz, Dashlane Blog, April 12, 2018, https://blog.dashlane.com/hack-vs-data-breach/; accessed Dec. 28, 2019