A lesson from a hacked healthcare provider: Keep track of your medical history
Leslie Dengler wants to get her annual mammogram but she doesn’t have access to her previous images to compare the results.
“I have a pre-existing cyst that seems like nothing, but they are watching it,” she said. “It’s crazy that I can’t get my records.”
Nearly three weeks ago, Akumin, a multi-state, Plantation-based imaging company was hit with a ransomware attack and shut down its systems. The company provides services to as many as 2 million patients. Dengler and others are still trying to access their electronic medical scans from Akumni’s 50 Florida imaging centers.
When, and if, Akumin’s medical files will be fully recovered remains in question.
The situation has patients like Dengler contemplating whether they need to do a better job retaining their own personal medical history.
Cyber criminals are increasingly targeting healthcare providers, often corrupting their data and demanding a fee to restore it. The last few years have seen a record number of hacking incidents at healthcare firms, according to research published in the Journal of the American Medical Association. In Florida, hackers breached the computer networks of Broward Health in October 2021 and they hit Tampa General Hospital earlier this year. In July, Nashville, Tennessee-based HCA Healthcare revealed a data security breach that compromised the personal information of more than 11 million people, including patients in Florida. The for-profit health system said data was stolen from external storage and included patients’ names, contact information, gender, birth dates and locations.
A hospital in Spring Valley, Illinois, shut its doors for good this summer after it was unable to recover from a cyber attack.
As Akumin tries to restore its systems, it not only revealed that patient’s personal information has been compromised, but also admitted “access to certain imaging results from prior years may be currently unavailable.” The company also announced it is reorganizing under Chapter 11 bankruptcy protection.
“I think people are beginning to realize they are not in control of their medical data,” said Ricardo Villadiego, founder and CEO of Lumu, a Miami cybersecurity firm. “On the financial side, if a company has a breach, you can assume your financial data was compromised and contact your bank and credit card company. If they stole your email information, you can change your passwords. But if they get your medical data there is little you can do.”
Healthcare companies more than ever are using electronic records and digital services, giving cyber criminals an easier pathway to cause disruption and tap into patient information. While patients can access those records online and even through an app, experts recommend keeping a paper copy of reports or a file on your personal computer.
Jill Beer, 66, of Cooper City said she keeps meticulous medical records for herself and her husband. “If you ask the records depart of the hospital, they will give you anything,” she said. “Some doctors, like orthopedists, will give you a print-out if you ask for it. Every doctor we go to, we ask for a print-out after the visit.”
Beer said her husband, 75, fractured his hip and also has a neck injury. She has written reports and CDs of his MRIs, CAT scans and X-rays. “These days with healthcare providers getting hacked, you need a paper trail,” she said. “Also, we bring our records with us when we go to the doctor so we don’t forget to ask questions and can provide information if they need it.”
Every patient has the right to ask for their health records, said Dr. Antonio Wang, president of the Broward County Medical Association and a family medicine doctor in Plantation. “They will give it to you but you have to ask,” he said. “Maybe a doctor retires or the practice closes … it can be especially important with images. If you go someplace else the next year, you will want bring your old copy to compare.”
Wang said some Akumin patients may have waited months to get a doctor or specialist appointment and now they can’t get their images to bring with them. “It really opens your eyes.”
Healthcare providers confront a balance between making medical data secure and giving patients and doctors access. “It’s security versus ease of use,” said Amit Trivedi, senior director for Informatics and Health IT Standards. And that’s what can make your records vulnerable. “For most providers, it’s not a matter of if they will get hacked, but when,” he says. “As a patient this is worrisome.”
Most people trust their health providers to retain their medical records and make them available when needed. Patients rely on MyChart and Zocdoc to keep medical records in one place. But that comes with a risk.
“Most providers have increased the number of devices in their medical network, including imaging practices … MRI machines are connected to the network, as are blood pressure and heart rate devices. They may install some agent of protection, but they still get blind spots,” Villadiego of Miami’s Lumu said.
Maintaining your own personal health records is one of the best ways to always have your health information available as well as keep track of medications and procedures, doctors say. It can potentially eliminate duplicate tests, avert medication interactions and allow you to give a new doctor your complete medical history.
Clearly it can be less complicated to get a print-out of your lab results or a summary of an office visit than to request a copy of a large image.
“Some files can be bigger than a CD. The provider does have the ability to provide you a low-resolution version, but if you take to another specialist they want high-resolution images,” Trivedi said. “Typically those larger images are transferred directly from provider to provider so they definitely are the tricky pieces of your records.”
While large-scale ransomware attacks become public, Trivedi says patients often are unaware of hacks remedied quickly by health providers. Some companies pay the ransomware and the attack remains private. “The thing is, you can’t trust a criminal. These guys are very organized. We see companies in last few years hit multiple times by different ransomware gangs. It is cheaper to implement the right strategy of defense versus dealing with the pressure and disruption created by an attack.”
But some companies just aren’t doing enough.
Thorsten Stoeterau, a Plantation cyber security expert, says the Akumin situation should be a wake-up call for patients and providers. Ten years or more of digital records and images could be gone.
“Ransomware happens, but there is no excuse not to have a backup,” he said. “No excuse for after three-and-a-half weeks not to be able to get data back. It means they didn’t have the proper backup, or their backups were corrupted too. They weren’t prepared for a disaster like this and played Russian roulette with their customers’ data.”
Jeffrey White, Akumin’s investor relations director, said the company’s operations are coming back on differing timelines but did not address the potential data loss.
Most people are well aware that hacks could expose personal financial information. Retailer, school districts and even the state’s unemployment system have been hacked. But as cyber attacks become more common in the healthcare industry, patients may be less aware that the fallout can affect their ability to access lab or test results, and even delay treatment.
“We as a society rely on computers and hope they always work,” Stoeterau said. “We have the ability to request our health data. I never thought about it until this incident … it might be a good idea to do so.”
Cindy Goodman covers health for the Sun Sentinel. She can be reached at cgoodman@sunsentinel.com. She welcomes tips and news suggestions.