Who else has accessed your medical data?

Steve Reasner was notified that his medical information was part of a cyberattack at UCLA Health.
(Francine Orr / Los Angeles Times)

Steve Reasner recently learned that because he is a patient at UCLA Health, his personal information may now be in the hands of criminals. The health system’s computer network suffered a cyberattack affecting the personal information of as many as 4.5 million people.

The attack was worrisome. But so was the way he learned about it. He received nine separate letters from UCLA, all of which were addressed to other people. So he called to inquire about his medical data and was told he wasn’t among those affected.

He wasn’t sold.

“All of our doctors are at UCLA. I knew for sure that was an incorrect statement,” says the Westwood resident, who works in technology business development.

Two weeks later he received a letter saying that, in fact, his information was part of the cyberattack.

Now Reasner wonders: “Who else has my data?”

Data breaches like the one UCLA Health recently experienced are a growing problem.


So far in 2015 alone, there have been more than 32 health data breaches as a result of hacking, according to the U.S. Health and Human Services Office for Civil Rights. These breaches typically disclose sensitive personal information, including Social Security numbers, dates of birth and data about patients’ health insurance and other medical information.

“Health records are more valuable to identity thieves than financial records, and they can actually be sold at a premium on the black market,” says David Harlow, a healthcare attorney and author of the blog HealthBlawg.

The biggest concern for consumers whose health information has been stolen, experts say, is medical identity theft — when criminals with access to your health insurance information use it to seek care and rack up medical bills in your name.

See the most-read stories this hour >>

It’s a more complicated crime to resolve than financial theft, with fewer protections in place to help patients whose information is stolen.

“If somebody gets access to your checking account, the bank will reimburse you. If somebody gets access to your health information, there’s a broader range of things that can happen and it doesn’t necessarily un-ring that bell,” says Mark Savage, director of health IT policy and programs with the National Partnership for Women & Families.

Medical identity theft can also dangerously cause someone else’s health data to get intertwined with yours. Another person’s blood type or allergies noted in your medical record can lead to deadly medical errors down the road.

And removing the criminal’s information is no easy task. Health data housed in your medical record — even though belonging to a criminal who stole your identity — are protected by medical privacy laws.

According to a recent study by the Ponemon Institute, a research organization, medical identity theft affected 2.3 million adults in 2014, an increase of roughly 22% since 2013.

Though medical identity theft cannot be completely prevented, experts suggest steps to help minimize your risks.

Share information sparingly. Patients are routinely asked to share their Social Security numbers when seeing a healthcare provider for the first time. But it’s not required to deliver care.

“I recommend patients decline giving it,” says Paul Stephens, director of policy and advocacy with San Diego-based Privacy Rights Clearinghouse.

Sign up for monitoring services. Credit monitoring is a common offering after data breaches, and something experts say consumers should take advantage of. Once you do, actively monitor the reports.

“The important thing is to actually access the website or read the reports, because if you have credit monitoring, that’s great, but all that means is that there may be some slightly elevated bar before someone is able to get a credit card using your particulars,” Harlow says.

“Freeze” out the criminals. Stephens points out that identity protection tools, while helpful, notify you only if something has happened after the fact.

A better approach, he says, is to place a security freeze with all three credit firms (Equifax, Experian and TransUnion).

“It shuts down the ability of anyone to see your credit report. That’s probably the most ironclad protection you can do in terms of new accounts being issued,” Stephens says.

In the event you need to apply for credit you’ll have to temporarily unfreeze the report for a creditor.

Interested in the stories shaping California? Sign up for the free Essential California newsletter >>

Use fraud alert. If freezing all access to your credit isn’t feasible, consider placing a fraud alert on your credit reports.

This tells creditors you’ve been a victim of identity theft and to take extra steps to confirm your identity before extending credit. When you call one credit agency to place the alert, it automatically reports it to the other two, Stephens says.

Fraud alerts are good for only 90 days, but you can renew them indefinitely. Each time you do, you’re entitled to a free credit report.

Monitor your health records. Each of us has the right to a full copy of our health record upon request.

It’s a good idea to request yours to confirm that medical services you didn’t receive aren’t added to your records or charged to your accounts.

Also, examine the explanation of benefits you get from your insurer to make sure there are no payments for services you didn’t receive.

Reasner, whose health information was caught up in UCLA Health’s data breach, says he’ll stay with the health system, but he remains on alert.

“I always felt that UCLA Health was doing a better job of managing their data,” Reasner says. “That was a fallacy.”

Twitter: @lisazamosky

Zamosky is the author of “Healthcare, Insurance, and You: The Savvy Consumer’s Guide.”