Just before Christmas, the Nevada Division of Public and Behavioral Health’s Medical Marijuana Program discovered a data breach that resulted in the publication of more than 11,700 names, phone numbers, home addresses, birthdates, driver’s license numbers and complete Social Security numbers of Nevada marijuana dispensary applicants.
Technology news site ZDNet reported that a vulnerability was discovered by a “security researcher” who reported the breach. The program immediately shut down the application portal (where the vulnerability was located) and is in the process of notifying those individuals whose information was disclosed. The timing of the original breach is currently unknown, as is how long the affected records have been vulnerable and whether, or how many times, they have been accessed or downloaded.
This breach highlights the vulnerability of sensitive information and the importance of secure information technology for health care businesses. In this instance, no patient data was disclosed, but the shutdown is the second in December for the medical marijuana portal, which houses information on both applicants (including owners and employees of dispensaries) and cardholders (i.e., patients who have been approved to obtain marijuana by their doctor). The first shutdown was less than three weeks prior, when the Division self-reported “some vulnerabilities” in the system. Representatives from the Division pointed out that only a part of one of multiple databases was compromised and that patient data is still “considered to be secure.” But that conclusion appears questionable given the events of the past 30 days.
Medical information is widely considered to be the most valuable data on the black market. It has been posited that your medical information is worth up to 10 times as much as your credit card information. This is because these records, much like the records recently compromised by the State of Nevada, include names, dates of birth and Social Security numbers, as well as policy numbers and billing information. This information can be easily and quickly employed for insurance fraud, and unlike credit card data, its misuse often goes unnoticed (like the medical marijuana hack) for a significant amount of time. After all, how many of us closely monitor our health insurance billing records?
In addition to the value of the data, the health care community’s reluctance to upgrade its systems (hardware and software), as well as its security protocols and procedures, has made health care targets that much more appetizing for cybercriminals. While the state has referred this breach to law enforcement officials, local law enforcement is ill-equipped to track hackers, and the chances of an arrest or even identifying a person of interest are nearly zero.
While there is little that can be done to decrease the black-market value of medical records, much can be done about the vulnerability of health care businesses and institutions. Just like a jewelry store is likely to have better security than a T-shirt shop, so should health care data be protected with greater intensity than bulk email or credit card information. Many are turning to cloud-based solutions because of the increased protection and redundancy they offer.
Using “walled gardens,” real-time backup and other advanced security measures, the modern cloud offers nearly impenetrable protection at a far lower cost than can be expected from even a small data breach — as health care information breaches can lead to large liabilities for organizations under the Health Insurance Portability and Accountability Act of 1996 (commonly referred to as “HIPAA”).
Those health care businesses and institutions that do upgrade their security will enjoy the protection of simply not being “low-hanging fruit.” In any case, consumers and business owners are encouraged to start asking questions and seeking protective solutions. Despite the robust protections promised by the state’s representatives for the sensitive information surrounding the sale of marijuana, this information is now public. The sufficiency of data protection provided by health care organizations under far less scrutiny is questionable, making personal data held by them likely far less safe.
Glenn H. Truitt, Esq., is a partner with Las Vegas-based iDeal Business Partners. You can contact him at glenn@iDealBusinessPartners.com.