Rachel Louise Ensign
Across the country, hospitals and other health care providers are falling victim to schemes that steal large numbers of x-rays, ostensibly for their silver content. It’s a low-tech, tried and true crime. But it’s now sometimes treated as a data breach.The phenomenon underscores the fact that data breaches often involve means other than nefarious hacking into a company’s computer networks. Experts often point out that many breaches involve employees losing or stealing physical items that bear personally identifiable information.
“Often, the x-ray film itself is stamped with certain identifying information. Sometimes the x-rays are still in their jackets,” says Katherine Keefe, head of Beazley Breach Response Services, a part of London-based insurer Beazley. “Seems like a lot of work to go through to get a small amount of silver.”
Under federal data breach rules established in 2009 and clarified this year, hospitals and other so-called covered entities like doctors’ offices often have to report data breaches to the U.S. Department of Health and Human Services, and in many cases, also to the individual patients whose information was involved.
Those guidelines were established by the Health Information Technology for Economic and Clinical Health Act of 2009, which, among other things, builds on the Health Insurance Portability and Accountability Act of 1996, or HIPAA. A new rule that went into effect this year makes it clearer when a breach needs to be reported.
That new regulation, which took effect in March, will likely mean that more data-breach incidents will be reported to HHS, because under the new regulations, the unauthorized disclosure of protected health information is presumed to be a breach, unless it’s proven otherwise, says Keefe.
Over the past few years, Keefe has seen a rise in x-ray thefts. Old newspaper clips, however, document similar heists decades ago. Thieves typically enter a hospital and pose as a legitimate service provider with a reason to take x-rays out of the hospital, for instance as a contractor paid to destroy x-rays. They then take many x-rays and do not return.
The agency posts information online about breaches affecting 500 or more people, and six of the 619 records listed outline similar x-ray stealing schemes. Still, there are numerous other health care providers that in recent years have gone public with thefts, though they are not reported on the HHS site. There have been more than 64,000 reports of breaches affecting less than 500 individuals since the reporting requirement went into effect, said a HHS spokeswoman.
For instance, Sentara Virginia Beach General Hospital in Virginia last year said two men driving a moving truck stole more than 200 pounds of x-ray film, which they accessed by posing as a recycling company. The hospital sent letters to patients believed to be affected, who numbered less than 500. They’ve tightened security measures since, a spokeswoman said.
Susan McAndrew, the deputy director for health information privacy in the office for civil rights at the U.S. Department of Health and Human Services says she’s seen these x-ray thefts for about six years, though she isn’t sure that the new rule will have any impact on how many are reported to the agency. “It’s a gambit that’s been around for a while,” McAndrew said, calling the heists “a curiosity.”
“I mean, who knew?” she said.