Random Image Display on Page Reload

Your Medical Data Is Code Blue

Medical data companies aren’t doing all they can to protect your most private information. When they get hacked and patient data is stolen, it’s the patients who suffer.

Rows of medical records

Photograph: Benjamin Rondel/Getty Images

Until last November, I had never heard of Perry Johnson and Associates. But they had heard of me. In fact, without my knowledge, they had information about me that even my closest friends and relatives might not know. Because the company provides “transcription and dictation” services to Northwell Health, a medical provider that has treated me in the past, they had access to what they refer to as “certain files containing my health information as well as other personal data.” This might have included my name, birth date, address, and medical record number, and information about my medical condition—including admission diagnosis, operative reports, physical exams, laboratory and diagnostic results, and medical history, which could include family medical history, surgical history, social history, medications, allergies, and/or other observational information.

This was all laid out to me in a letter dated November 3, 2023, informing me that at least some of my information was now in the hands of an “unauthorized party” who had penetrated their system between March and May of 2023 and apparently engaged in an undetected downloading spree. Though the letter didn’t mention it, I was one of almost 10 million people affected, out of multiple health care providers in multiple states.

The word “sorry” did not appear in the letter. But, it assured me, Perry Johnson and Associates “take(s) this incident very seriously.” What a relief! Anyway, it now was promising to “update our systems to prevent incidents of this nature from occurring in the future.” Which begs the question: Why weren’t those systems updated before?

The words “we apologize'' did appear in a disturbingly similar letter I received later in November, from East River Medical Imaging. Between August 31 and September 20 its system was penetrated, and the documents that were accessed or copied might have involved my name, contact information, exam and/or procedure information, and even images from my medical tests. But East River is taking my privacy and security very seriously! Not enough apparently, to do anything to mitigate my loss. “The letter did remind me that it’s always a good idea to review health care statements to identify fees for services unreceived. Has that letter writer ever managed to decode a list of medical charges?

At least my DNA information wasn’t compromised … oh wait, I almost forgot an email I received from 23andMe in October saying that information shared with DNA relatives may have fallen in the hands of those seemingly ubiquitous unauthorized users.

Notice a pattern? Everyone knows that data like credit cards and even Social Security numbers are routinely purloined. But as medical records became digitized, we were assured that extra care would be taken to protect them. There’s even a law, known as HIPAA, to assure that those super sensitive files would stay out of the hands of cyber-villains. But that’s clearly not happening. It’s the responsibility of the US Health and Human Services Office for Civil Rights to investigate incidents affecting more than 500 people. It's currently looking into more than 500 breaches reported last year. That’s nearly twice as many as the previous year.

That’s a huge problem because the theft of insufficiently protected medical information goes much deeper than financial risk. The remedy offered to me and millions of others by Perry Johnson was a year’s worth of identity-theft monitoring from Experian. This doesn’t begin to relate to the real risks. “There are a whole range of harms that can follow a person far beyond financial impacts when we talk about targeting people based on their health vulnerabilities.” says Andrea Downing, cofounder of an grassroots activist organization called The Light Collective, which advocates for responsible medical data stewardship. “People can be targeted based on their health vulnerabilities and become easy fodder for medical fraud.” The medical information of nearly 10 million people would be an invaluable resource to drug marketers, insurance companies, and manufacturers of bogus medical devices. And unlike personal finance information, there’s no way to make that information moot. You can get a new credit card or a new bank account, but you can’t get a new medical history.

In the age of generative AI, the theft of huge troves of medical information might be even more dangerous, as our health records wind up in data sets that enable off-the-books innovation in exploiting our ails.

It’s true that there is no such thing as perfect security. But companies storing medical records must at the least adopt state-of-the-art protections. The almost invariable promises to improve security after records are stolen contradicts the endless assurances that these companies and institutions take security seriously. Nonetheless, compared to the amount of damage those breaches can cause, those companies almost never suffer significant sanctions. The list of settlements (cases are almost always resolved that way) show minimal fines, usually in the tens or hundreds of thousands of dollars. Even one of its biggest penalties, a $5.1 million settlement with Lifetime Healthcare Companies in 2023, was just a rounding error for the $6 billion company. Of course, Lifetime also agreed to fix the vulnerabilities that shouldn’t have existed in the first place.

Maybe if those so-called leaders got their own letters—ones that fired them, with no golden parachutes—the rest of us would have fewer of those bad-news mailings in our own postboxes. But when I floated this idea to Downing, she said that penalties alone won’t solve the problem. She argues for what she calls a community approach where patient representatives are involved in setting up the security infrastructure that safeguards their information. But whether we adopt a carrot or stick approach, we need tougher laws to make sure the companies make changes. As Downing pointed out to me, Congress is now rightfully energized about social media’s failings in protecting the information of minors. How many more breaches will it take before it gets similarly engaged in enforcing standards on our most private information?

For now, my medical data is gone, and all I’ve got to show for it is that PJ&A letter and a lousy year of Experian protection. So I wondered: Just who is Perry Johnson and Associates? Has its boss lost his job for what seems to be a massive screwup?

Nobody at the firm replied to my queries. But my “You’ve Been Hacked” letter provided a toll-free number for those who have “any questions regarding the incident.” The person who got on the line, though, didn’t have much in the way of answers that went beyond the letter. I got a boiler-room vibe from the call, and asked where she was speaking from. “We don’t share our personal information,” she said, unaware of the irony.

Through some internet sleuthing I did find out that the eponymous Perry Johnson is a Michigan businessperson who had founded a network of tech-related corporations, including the one that does medical transcription and fails to safeguard personal data. That company is rather circumspect on who runs it—you can’t easily find the name of the CEO on its website. But various news sites and trade organizations identify him as Jeffrey Hubbard. His LinkedIn profile describes him as a “Chief Executive and Health Tech Care Innovator,” and self-reports that he has grown his company from a tiny operation in 2006 to “one of the largest privately held medical technology companies in the United States.” According to the profile, he’s still leading that company. But oddly, the profile doesn’t identify the company he leads—instead, where “Perry Johnson and Associates” should appear, he just says the word "confidential." I wish he had been as withholding when it came to the medical information of me and almost 10 million others.


Image may contain Label Text Symbol and Sign
Time Travel

My July 2005 Newsweek story, “Grand Theft Identity,” shows not much has happened in the past 19 years to address a cybersecurity problem that has grown only worse. At least back then, the medical industry had yet to make the pivot to electronic records. In that story, I talk about how legislators were considering serious sanctions for companies that compromised consumer data by not employing best practices. Nineteen years later, they’re still getting wrist slaps.

Millions of Americans now have a new reason to dread the mailbox. In addition to the tried-and-true collection of Letters You Never Want to See—the tax audit, the high cholesterol reading, the college rejection letter—there is now the missive that reveals you are on the fast track to becoming a victim of identity theft. Someone may have taken possession of your credit card info, Social Security number, bank account or other personal data that would enable him or her to go on a permanent shopping spree—leaving you to deal with the financial, legal and psychic bills.

Deborah Platt Majoras got the pain letter last week, from DSW Shoe Warehouse. Hers was among more than a million credit card numbers that the merchant stored in an ill-protected database. So when hackers busted in, they got the information to buy stuff in her name—and 1.4 million other people's names. "It's scary," she says. "Part of it is the uncertainty that comes with it, not knowing whether sometime in the next year my credit card number will be abused." Now she must take steps to protect herself, including re-examining charges closely, requesting a credit report and contacting the Federal Trade Commission to put her complaint into its extensive ID-theft database. The latter step should be easy for her, since Majoras is the FTC chairman.


Image may contain Symbol
Ask Me One Thing

Rebekah asks, “I’m still reading WIRED on the page after 30 years, but in 2053, what will reading WIRED look like?”

Thanks Rebekah, for reading and asking. It’s no secret that printed periodicals are struggling. National Geographic no longer festoons newsstands with its lemon-yellow borders. Businessweek is no longer weekly, and will relaunch as a monthly. Here at WIRED, we still print beautiful magazines, but skip some months.

You’re asking for a peek into what might happen when our 30-year old brand doubles its age. For one thing, it would constitute quite a triumph to have a vital WIRED in 2053. I remember what I told myself when founding executive editor Kevin Kelly asked me to write about cypherpunks for the second issue of what he assured me would be the Rolling Stone of the digital revolution. “I shouldn’t count on getting paid for this,” I thought, “Because there might not be a second issue.” I was paid, and am now on the payroll! So there. So happy to be wrong on that count.

With that lesson in mind, I will choose optimism. Obviously, 30 years from now we will be consuming much of our media in a different fashion. It could be that the bulk of our conversation will be conducted with AI bots. Instead of physical screens, our eyeglasses might be beaming text directly to our eyeballs. If Elon Musk has his way, we’ll have chips in our brains for a more direct connection—that is, if we don’t suffer the fate of the monkeys that beta-tested early Neuralink experiments.

Nonetheless, I bet that those consuming WIRED in 2054 will have an option for a sumptuously printed version. Even as our eyes are glued to the screen now, people still appreciate the experience of a wonderfully curated physical package. WIRED has as good a shot as any as having a version where you can turn real pages. My only advice to my future colleagues: Don’t spare the neon colors. Some things must never change.

You can submit questions tomail@wired.com. Write ASK LEVY in the subject line.


End Times Chronicle

Not even two weeks into 2024, and we’ve already broken records for rainfalls. Doors are blowing off planes in midair. The New York City subway has had two derailments. And the US elections haven’t even started yet.


Image may contain Label Text Symbol and Sign
Last but Not Least

It's not just medical data being exposed—school records are also being routinely purloined, including emergency planning documents.

Here’s all the cool stuff at CES.

Why you should fall out of love with those trendy Stanley cups.

Our writer discovered the lost David Lynch script for Dune II. Was it in the tranquilizer aisle at CVS?


Image may contain Logo Symbol Trademark Text and Label

Don't miss future subscriber-only editions of this column.Subscribe to WIRED (50% off for Plaintext readers)today.

*****
Credit belongs to : www.wired.com

Check Also

Sellers Call Amazon’s Buy Box ‘Abusive.’ Now They’re Suing

Joel Khalili Business Jun 13, 2024 5:00 AM Sellers Call Amazon’s Buy Box ‘Abusive.’ Now …