These alleged schemes reveal the hidden market for your medical records

May 12, 2026
Your private medical records are vulnerable. Here’s why.

Ricky Lott received a notice in the mail this year that left him distressed. A cluster of companies he had never heard of — with odd names like GuardDog and Mammoth — may have obtained his digital medical records. Treatment details, lab results, notes from his doctor visits — mass amounts of his sensitive information — appeared to have been accessed from the Illinois health system where he receives care.

Lott, an employee of a Chicago bike-share company, was stunned. The last thing he expected, he said, was for details of his high blood pressure and back surgery to be circulating in unknown corners of the internet.

“It’s got me feeling down day-to-day, not knowing who has my information or what they are trying to do with it,” said Lott, 41. “I was trusting the system, but it seems like you can’t trust nobody now.”

The disclosure of Lott’s records and those of hundreds of thousands of other patients from health systems across the country underscores the seriousness of security gaps that health IT officials and executives, including within the Trump administration, are now urgently trying to close.

The vulnerability lies in the electronic network used to transfer medical records between hospitals, physicians’ offices and laboratories. It’s the digital backbone of health care that allows, for example, an emergency room doctor where you broke your leg while vacationing in California to call up your full medical history from your home state of New York.

And in the case of Lott and others, no hacking or phishing is required.

Instead, companies came through the nation’s medical records exchange network, according to a lawsuit brought by a group of health providers and Epic, the nation’s largest medical records vendor. In its federal lawsuit, Epic asserts that the companies, under false pretenses, sold the records to law firms mining for prospective clients. But the firms defending themselves against Epic have denied the allegations and say they were performing legitimate services for patients that complied with federal privacy requirements.

In the wake of the data exposures, 75 hospitals and provider companies have called on the government’s contractor that coordinates governance of much of the records-sharing system to adopt tougher vetting standards. They say more policing is required to make sure companies meet the network’s rules by only accessing records to use in patient care and treatment. And they want to weed out companies that could be masquerading as health care providers, as alleged in the Epic lawsuit.

The contractor, the Sequoia Project, said in response to questions that it endorses stronger vetting standards.

The Trump administration said it is committed to security improvements.

“We are actively exploring options to layer in more network oversight and network participant audits,” said a spokesman for the Office of the National Coordinator for Health IT, a division of the Department of Health and Human Services.

The controversy widened in recent weeks as patients like Lott began receiving official notices from health care providers that their most intimate health details have been exposed. Patients affected by the breaches are suing hospital networks and Epic. Lott is suing a company called Health Gorilla, which acts as an on-ramp for providers who are accessing records through the network. His class-action case alleges that Health Gorilla failed to prevent “multiple fraudulent actors from gaining unfettered access to the patient records of millions of healthcare patients.” Health Gorilla also is named as a defendant in Epic’s lawsuit.

Health Gorilla has denied the Epic allegations in court. It said it plans to defend itself in the Lott case and similar class-action cases, “which largely repeat unproven allegations.” In an interview, Health Gorilla CEO Bob Watson said he supports the call for greater federal oversight of the health records exchanges. He said it’s difficult for on-ramp companies like his to handle the job of vetting every entity on the records superhighway.

“There’s no way for me to surveil 50 million-plus transactions a year on the network,” Watson said. “Can’t be done.”

An open door to the dark web

Because your health history — unlike a stolen credit card — cannot change, patient medical records are worth hundreds of dollars on the dark web, according to credit agencies and fraud detection services. A credit-card number is worth as little as $10 to fraudsters.

Unwanted release of medical records can have repercussions for someone’s employment and reputation, especially if they include information about mental health, addiction, sexually transmitted diseases and cognitive decline, experts say.

According to Epic’s litigation, companies attempt to cover the tracks of mass downloads by sending fake treatment notes back to the patients’ health systems; those notes then linger in a patient’s record and could negatively affect care.

Epic’s lawsuit lays out how the cases of Lott and an estimated 300,000 other patients are different from ransomware attacks that hackers have launched on health systems across the country in recent years.

The information superhighway that moves medical records between doctors, hospitals and labs relies on fewer than a dozen technology businesses that serve as on-ramps to the network. These on-ramp companies are responsible for vetting the thousands of their own clients who use their service to access records. It is this system, Epic and health providers contend in their lawsuit, that is showing signs of stress by failing to screen out questionable firms.

“What these bad actors are saying is, ‘Oh cool, there’s an open door, and I will claim, for some nefarious purpose, that this is for care and treatment,’” said Aaron Miri, chief technology officer at Baptist Health in Jacksonville, Florida, who has served in national leadership roles for health information exchanges.

Many of the records were accessed by firms that specialize in generating leads for plaintiffs lawyers in class-action litigation, Epic alleges in its lawsuit, asserting these uses violate HIPAA, the federal law that protects patient privacy.

Epic names 18 companies and individuals as defendants in its lawsuit, which was filed in U.S. District Court in California. The company accuses Health Gorilla of turning a blind eye to alleged nefarious activity. The lawsuit asserts that Health Gorilla clients, including Mammoth and GuardDog, obtained material they should not have had access to.

“The claims that Epic and the other plaintiffs are making are pretty seriously damaging, because at the end of it all, this whole system has to be rooted in trust,” said John Hale, a professor of cyber studies at the University of Tulsa.

Mammoth did not respond to requests for comment. In a motion to dismiss Epic’s lawsuit, Mammoth stated, “the Mammoth Defendants never accessed patient records unlawfully or without proper authorization and never misused patient information.”

GuardDog has admitted in a court document that it did not provide treatment and was selling records. GuardDog did not respond to a request for comment. In a previous statement, it said it “has always maintained that it acted in good faith.”

Watson, the Health Gorilla CEO, said if a company lies about its activities to access the network, that would be difficult to detect.

“In three months of researching our clients that were alleged to be bad actors, we found no nefarious activity,” Watson said.

Pamela Jones — general counsel for Reid Health, an Indiana provider that asserts its records were improperly accessed and a plaintiff in the Epic lawsuit — said records of 71 patients were involved in the breach. Victims are understandably alarmed, she said.

“None of them have ever heard of any of these companies. They don’t recall signing any consent. They have no idea why anyone associated with those entities would be in their records,” she said.

HIPAA holes?

Cases like Lott’s and the lawsuit brought by Epic also raise questions about whether HIPAA safeguards consumers in a high-tech era. The Justice Department, which is responsible for enforcing the health privacy law, did not respond to a request for comment on Epic’s allegations.

HIPAA’s rules — which took effect in 2003 — require doctors, hospitals, labs and related businesses (such as medical billing companies and health insurers) to keep a tight lid on patient records. But these mandates do not apply beyond the universe of health-related companies, which critics for years have called a major loophole.

To advocates, those weaknesses are worrisome in an age where health records are being accumulated by tech companies via apps and wearable devices, and as patients are uploading entire medical histories onto AI platforms.

Sen. Bill Cassidy (R-Louisiana), who chairs the Senate Health, Education, Labor and Pensions (HELP) Committee, is sponsoring a bill that would expand HIPAA’s protections beyond the walls of health care companies.

“HIPAA is clearly outdated and ill-equipped to safeguard data in the 21st century,” Cassidy said in an emailed statement.

The privacy rules can be confusing for patients, who often encounter the topic in a stack of forms they sign at the doctor’s office.

Patients are typically asked to sign an acknowledgment that they have been advised of privacy practices under HIPAA, said Adam Greene, a former federal HIPAA regulator and now a partner at the law firm Davis Wright Tremaine. Sometimes, they also are asked to sign a disclosure consent form to allow records sharing for billing or for training purposes, Greene said.

Patients can also sign a release called an “authorization” that permits their medical records to be shared further afield. But such patient authorizations — required for a class-action law firm gathering information about individual cancer cases, for instance — are not routinely requested at hospitals and doctors’ offices, Greene and other experts said.

If an actor outside of a health institution violates HIPAA “under false pretenses or for commercial gain,” Greene said, it “could lead to very significant criminal penalties.”

The post These alleged schemes reveal the hidden market for your medical records appeared first on Washington Post.