Cyberattacks: Increasing Threats to Patient Privacy by Riley Andrews

Patient privacy is one of the staples of health care, and one that is increasingly a major concern for patients. Knowing that their information is confidential and accessible only to a trusted few is an essential part of treatment: it makes patients more willing to share, which gives doctors a better understanding of their health. In the wake of the Supreme Court's ruling in Dobbs v. Jackson Women's Health Organization, there has been growing uncertainty and fear about the future of a constitutional right to privacy, with health care a central issue. More recently, patient privacy has faced a further challenge: it is being breached through cyberattacks.

In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group that processes claims and payments for a large share of the health-care system, was hit by a ransomware attack. The attack disrupted billing: some providers and hospitals were unable to bill for their services and lost revenue. Other problems resulting from the attack included an inability to discharge patients from hospitals and renewed questions about the security of digitized patient records.

This is not the only example of a cyberattack on the health-care industry. Also in February 2024, Lurie Children's Hospital in Chicago fell victim to an attack that prevented hospital staff from accessing patient records and patient-doctor communication. Additionally, the popular ancestry-tracking service 23andMe suffered a breach disclosed in October 2023, with its full scope revealed in December 2023. While 23andMe is not necessarily part of the health-care industry, 23andMe accounts hold users' DNA information, family trees, and user-entered health information, so the breach reached health privacy as well.

This raises important questions about how patients can feel safe continuing to share their information with providers and hospitals. How does a patient know if their information is safe, or will stay safe? Appointments can fall into a routine: the patient is brought into the exam room to answer questions about themselves and their lifestyle without much thought about what might happen to that information. Some of the questions may seem more related to the appointment than others, but all of that information is recorded in hospital records and accessible to the care team, and those records are more digitally accessible today than ever before.

There are laws and regulations that physicians must follow regarding patient privacy, but they may not be enough to instill confidence in patients after these cyberattacks, to prevent attacks from happening, or to take the responsibility off patients' shoulders. What can patients expect from their health-care providers, and what must patients take upon themselves to protect their medical privacy?

There are a number of authorities that physicians turn to regarding patient privacy, some legal and some not. Under federal law, the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) places several restrictions on the use and disclosure of individually identifiable patient information and medical records. Hospitals and hospital employees are therefore legally prohibited from sharing sensitive patient information, with some exceptions such as public-health reporting. HIPAA's companion Security Rule requires covered entities to put administrative, physical, and technical safeguards around electronic records, and its Breach Notification Rule requires them to notify affected patients when unsecured records are breached. Note, however, that HIPAA applies only to covered entities and their business associates; a direct-to-consumer service like 23andMe generally falls outside its scope. Additionally, the HIPAA statute itself sets criminal penalties for those who knowingly obtain or disclose individually identifiable health information without authorization, so the attackers may face individual criminal punishment if they are caught. This does little to quell growing concerns about the safety of patient records, though: criminal punishment after the fact does not stop an attack ahead of time. It offers possible recourse only after the cyberattack takes place, and only if the attackers are caught and prosecuted.

The American Medical Association (AMA) Code of Ethics also has provisions meant to protect patient privacy. The Code directs physicians to notify patients of any significant breach of their medical records. In theory, then, patients should not have to worry about a cyberattack happening entirely without their knowledge. However, this too does little to protect patient data ahead of time or to give patients personal legal recourse after falling victim to a cyberattack.

Before an attack, professionals say patients can also do some monitoring themselves. Basic security hygiene can reduce their exposure: using strong, unique passwords on patient portals (and multi-factor authentication where a portal offers it) matters because the 23andMe intrusion reportedly began with credential stuffing, that is, passwords reused from other breached sites, and regularly reviewing medical billing and explanation-of-benefits statements can alert patients to misuse of their records. These measures face the same limitation as the other protections: they give no guarantee of safety and no legal recourse if a cyberattack does happen.

In all, with medical privacy and rights called into question after Dobbs, cybersecurity concerns are escalating fear and insecurity in a digital world. The preventive measures available may only limit the extent of a breach and provide the patient with notice if they are affected; there are no sufficient protections ahead of time and no reliable legal recovery after the fact. After a cyberattack, patients may feel violated and scared, but the chances of bringing a successful lawsuit or seeing a criminal indictment may be slim. Going forward, patient privacy must take priority, and the health law field as a whole must take more steps to keep digital medical records protected at a time when privacy in health care faces an uncertain future.