September 1, 2016

VIPs and Presidential Candidates' Medical Records Face Heightened Privacy Vulnerabilities

Cate Stanton

Earlier this year, Jackson Memorial Hospital fired two employees for inappropriately accessing Giants defensive end Jason Pierre-Paul’s medical records. The two employees sold the information in the VIP’s record to ESPN’s Adam Schefter. Schefter, who has 5.19 million Twitter followers, tweeted the records while Pierre-Paul had surgery on his right index finger. Pierre-Paul sued ESPN and the NFL for violating his privacy under HIPAA, and in August, a judge ruled that Pierre-Paul could move forward with his lawsuit. This summer, the major-party U.S. Presidential candidates are facing scrutiny over their health records and history. They are under pressure to refute false claims and respond to amateur diagnoses circulating via various media outlets.

Caught squarely between VIPs and a public clamoring for ever more information about them, healthcare providers often find themselves in situations where protecting their patients’ electronic health records and the ePHI they contain is especially challenging. In this new Patients At Risk blog series, we share insights into why dealing with sensitive patient data requires heightened and proactive privacy analytics. In this first blog post of the series, we will focus on the challenges and increased risks that arise when the patient is a VIP or public figure.

Over the next few weeks, we will discuss six common situations that increase healthcare institutions’ risk of data breaches when working with electronic health records:

  1. VIPs & Public Figures
  2. Family & Snooping Employees
  3. Criminal Insiders
  4. Phishing Attacks
  5. Contractors
  6. Lost or Stolen Laptops

The Protecting VIP Privacy white paper details how your healthcare organization can better protect this particularly vulnerable patient population.

Acknowledging a Heightened Threat Level for ePHI

VIPs and public figures certainly have access to many perks, including adoring fans, special treatment, and influence. These benefits come with associated costs. One of the most obvious is the public’s constant interest in celebrities’ personal affairs. This interest is fed by a media industry fighting for eyeballs with financial incentives to be first to release a story, if not always an accurate one. As we see through daily headlines, the media goes to great lengths to get the inside scoop on a VIP-related story, and this has proven to be relevant to the healthcare industry.

According to the CIO of a hospital that frequently treats VIP patients, “As soon as a celebrity checks in, we see a huge spike in our hacking attacks, because people want to see the records of that celebrity.” However, threats don’t only come from outside hackers. They can also stem from within healthcare systems when employees snoop in records they are not authorized to see. The average settlement for a hospital HIPAA breach is $558,502, and is even higher for breaches affecting VIPs. Breaches affecting single VIPs can result in settlement amounts in the hundreds of thousands or millions of dollars.

Health History Becomes an Important Story in the 2016 Election

This fall, the VIPs facing the highest levels of media scrutiny are Hillary Clinton and Donald Trump. The candidates and their surrogates badger each other to release their most recent healthcare records, and so do voters, pundits and medical professionals. Clinton and Trump are the oldest major-party presidential nominees in history and appear less willing than previous candidates to share information about their respective health.

In 2015, Clinton and Trump released brief summaries of their medical histories. In a few paragraphs, Trump shared information about his blood pressure, cholesterol level, past medications and family history. Clinton’s letter discussed a concussion she suffered a few years prior, a point that the opposition jumped on, leading them to deem her unfit for the role. The letter also listed a number of hospitals where she had been treated. Most recently, Clinton opponents circulated fake health records based on wholly fabricated illnesses in an effort to make her appear even more unfit for the role.

The desire to learn the details of the presidential candidates’ medical records, including their histories, public knowledge of the facilities where they previously received treatment, and the financial and political incentives for a scoop together create a heightened threat environment. It wouldn’t be surprising if the candidates’ healthcare providers are under increased threat from reporters, activists, and social-engineering hackers trying to pry information from employees in exchange for thousands of dollars.

While public figures receive different considerations when it comes to privacy protections, a privacy breach is as serious for them as it would be for any reader of this post. And, for the institution where the breach occurred, it would have ruinous reputational and financial effects. 

Proactive Patient Privacy Analytics (P3A) Reduces Risk to VIPs and Healthcare Systems

How can we ensure that candidates’ and public figures’ private health information doesn’t unexpectedly appear on the front pages of media outlets, on WikiLeaks, or in other forums? How can hospital Chief Information Security Officers and Chief Privacy Officers achieve greater confidence that their institutions’ medical records are safe from internal and external threats?

Proactive patient privacy analytics platforms (P3A) address the needs of both VIPs and healthcare organizations by automatically detecting and flagging inappropriate activity, resulting in low-effort, high-impact layers of security. Traditional rule-based solutions do not suffice because they do not automatically define a VIP or anticipate the myriad combinations of events that could affect these patients’ privacy. Rather, a proactive platform, designed in the right way, should automatically detect VIP patients as they are admitted or add heightened privacy protections in moments when their information is at high risk.

All people, whether VIPs, your neighbor, or both, deserve privacy when they interact with healthcare providers. Through proactive analytics protection, both patients and healthcare providers reinforce the sacred trust between them. Patients understand that hospitals are minimizing risks to their ePHI, and hospitals know they are receiving actionable intelligence to act before issues make local or national news. For both VIPs and hospitals, success is measured not through public celebration of protecting privacy, but rather through a quiet news cycle in which neither is thrust into the spotlight.

Download our Protecting VIP Privacy white paper to learn more about how proactive patient privacy analytics platforms are a critical step in better caring for high-profile patients.
