MELANIE PAYNE

TELLMEL@NEWS-PRESS.COM

More than 16 million people in the U.S. were victims of a health data breach in 2016, meaning their exposed personal health and/or financial data made them vulnerable to identity theft.

Health-related companies and their business associates are required to report to the U.S. Department of Health and Human Services any data breach affecting more than 500 people. In 2016 there were 325 reported breaches, involving 16,626,135 individuals. Some of those may have been victims of more than one breach, but as numbers involving fewer than 500 people aren't in the collected data, I think the 16 million-plus number is probably in the ballpark and could be an undercount.

For Florida-based companies and consumers, last year was a particularly bad one. Two of the top 10 breaches involved companies with headquarters in Fort Myers: Radiology Regional Center and 21st Century Oncology.

The Radiology Regional breach, you may recall, was when documents being sent to a shredder blew out the back of the garbage truck on a windy day, sending them flying all over Fowler Street near downtown Fort Myers.

This breach, although it occurred in late 2015, wasn’t reported to HHS until 2016 so it is recorded in the 2016 data.

The 21st Century Oncology breach was reported in March 2016 but likely began months earlier. Unlike the Radiology Regional mishap, which I think was unlikely to result in much criminal mischief, the 21st Century Oncology breach was a cyber attack. Someone, or more likely some syndicate, broke into the computer system of the company and gained access to more than 2.2 million patient records. That health data breach was the third-largest reported in 2016 and helped propel Florida to its third-place finish, behind Arizona and New York, for states where companies had the largest breaches.

James Scott, senior fellow at the Institute for Critical Infrastructure Technology, a cybersecurity think tank, contends that information from the health sector is particularly vulnerable to data theft. Scott used phrases such as “Frankensteined systems,” “poor cyber hygiene” and “spear phishing” to describe why the health sector has grown to be such a target.

Because many hospitals are not-for-profit, they can’t afford to update their technology, Scott said. So they take old equipment, computers used at nurses’ stations for example, and get the “tech guy to finagle it” so that all the departments can communicate, access centrally stored data, use printers and other peripheral equipment and access the Internet.

Cyber hygiene, keeping a system clean from threats, is most often threatened by bad computer habits. When medical staff opens personal email, cruises the Internet or opens links on Facebook pages while on the hospital computers, it makes a system vulnerable.

Spear phishing, in which hackers send out emails that look like they are from someone you know but really contain malware, is another problem exacerbated by poor cyber hygiene. Let's say a busy employee, checking his email, gets a message from someone in payroll about downloading his W-2. If he practiced good cyber hygiene, he might first ask, “Do I know this person?” and “Did I ask for my W-2 to be emailed to me?” But what likely happens is he clicks it and downloads it because, he reasons, it didn't come in the mail yet. And just like that, the hacker has access to the entire system.

The financial sector is far ahead of the health sector when it comes to guarding against cyber threats, Scott said. In a financial-sector cyber attack, the customer is hassled but usually doesn't end up directly losing any money. The bank and the insurer incur the major financial losses.

Stolen data from the health sector is different. The company's credibility suffers, it may have to pay a fine and could have to pay for credit watch services for a year for those affected. But the victim is the person whose data is used for nefarious purposes.

The ID protection services will usually detect someone trying to get a loan or open a credit card with your information, Scott said. But they won’t know if a person uses the information to create a new driver license, birth certificate and passport. A seasoned criminal who has a stolen identity “can be living in Kansas, Wyoming or Winnipeg,” he said, using your identity “to stay under the radar” of law enforcement or worse -- commit crimes under false identification.

One of the scariest consequences of a data breach is that the information can be used for blackmail, Scott said. “So far we’ve only seen it with celebrities,” he added, but CEOs, politicians or anyone with a health condition they would rather not have disclosed could be at risk.

Most of the 325 incidents reported to Health and Human Services last year were a result of "unauthorized access" of information. The biggest came from the Maryland-based Bon Secours Health System Inc. A company that handles insurance reimbursements for Bon Secours' hospitals in Virginia, South Carolina and Kentucky left its network open for four days in April. That meant Social Security numbers, banking information, insurance ID numbers and even clinical information for 650,000 patients were accessible online.

And although there were fewer hacking/IT breaches reported to HHS in 2016, 110 compared to the 130 for unauthorized access, health data hacking accounted for nearly 13.4 million of the reported individuals affected. So even though it happens less often, it's a much bigger threat with very dangerous consequences.

Contact: TellMel@news-press.com; (239)344-4772; 2442 Martin Luther King Jr. Blvd., Fort Myers, FL 33901. facebook.com/TellMel and Twitter @tellmel Sign up for the Tell Mel newsletter at news-press.com/newsletters