LabCorp, America’s largest diagnostics service, reported a breach over the weekend that affected more than 2 million patients.
Missing from this week’s news coverage, however, is that the breach of the lab testing service compromised some of the most sensitive health data imaginable: HIV blood test diagnoses.
Over the past decade, the lives of HIV-positive patients have drastically improved. However, an increasing threat to our patients' privacy could have lasting repercussions that particularly impact these vulnerable patients. As of January 2018, 1.7M patient records were breached by healthcare employees just this year, with 5.6M records breached in total. There is an average of at least one breach per day, and 2016 had approximately 27M records breached over the course of the year. This alarming trend in breaches of patient data, which threatens to expose the highly-sensitive information of this vulnerable population and degrade trust in our nation's Health IT infrastructure, is an increasing concern for patients with health information they would prefer to keep private.
A patient’s trust in their healthcare providers can become more than a concern for patients who have been diagnosed with HIV - it can become an obstacle to care. From the young man at our clinic who refused an optimal medication regimen because it would require him taking the drug at work, where others might see it, to the story of a brilliant professional whose life was tragically altered by his inability to hold down a job or a home, given his paranoia and distrust of those providing his care, HIV remains more than a disease to be treated - it is a fundamental shift in the way that many patients view themselves and their dependency upon our healthcare system.
In the clinic where we worked, we had a patient, Peter*, whose treatment was complicated by no end of challenges, not the least of which was his perpetual paranoia. It took years for him to warm up to people, and you could lose it in a minute with a stray comment or a scribbled note at the wrong time. He would constantly wonder what we were putting in his record, and who had access to it. He would have periods of avoiding care or even completely avoiding contact with those who cared for him because he believed we were plotting against him or had a secondary agenda. In the end, he died from an infection that was completely manageable had he come in regularly, taken his medication, and believed in his care team. Peter died not from a lack of available options, but from a lack of trust. This example is stark, but one that is cause to reflect - how much can we degrade trust in our systems, in our data, in our records, before stories like Peter’s become the norm.
HIV-positive patients represent one example of a vulnerable population - a group of patients who, due to systemic challenges associated with their race, age, socioeconomic status, specific diagnosis, or an array of other factors, receive worse care and poor outcomes than other patients. Like many vulnerable populations, HIV-positive individuals are often members of more than one vulnerable population, suffering from compounding effects that make their care even more challenging. A significant reason that HIV-positive patients receive poor care to this day is that they are expected to provide information to an untrustworthy system, and even the smallest hesitancy or withholding may conceal the onset of an illness that could be fatal for someone with a severely compromised immune system, or a complex cocktail of drugs preventing the onset of AIDS.
Patients without HIV/AIDS suffer a wide array of challenges and indignities when their health records are stolen or exposed, ranging from identity theft, to medication fraud, to insurance fraud. They can spend years untangling a web of crimes committed in their name. Given the powerful incentives for theft of health records, these crimes continue to increase in frequency and severity with each passing year. Beyond these challenges, patients with HIV/AIDS whose records are exposed face a whole additional array of challenges. The continued stigma of HIV could lead to a situation where they lose their friends, family and job - the entirety of their social support network could fall out from under them. Being “outed” as HIV-positive may also reveal other elements of a patient’s past and present that they would prefer to keep private, as is their inarguable right.
The ability to protect the data of patients with closely guarded diagnoses, like HIV/AIDS, continues to be a critical challenge for health systems across the country. We have to ask: why must patients be forced to choose between receiving the care they need and maintaining their privacy and dignity?
With the ever-increasing attacks on patient data and the high price of medical records on the dark web, it’s time for healthcare to acknowledge that more needs to be done to protect our patients. Our systems to protect patient data are antiquated, and we spend less than 20% of what other industries spend on cybersecurity, all in defense of data that is more valuable than that of any other field. There are innovations in health analytics that can help combat these privacy challenges, allowing healthcare organizations to automatically review the millions of accesses that providers make to patient data every day in order to find individuals who are accessing patient information inappropriately and immediately take action to safeguard those patients’ records.
Healthcare must start asking how we can better protect our patients’ data and rebuild trust in our health data privacy and security infrastructure. The questions we should be asking about trust, about our integrity as providers sworn to Hippocratic ideals, and about how we can build a better future for treating our most vulnerable patients. LabCorp’s breach is just one of many examples in which vulnerable patient data has been compromised. What will it cost them as patients, and all of us as a society? Too many patients die each year due to a lack of treatment or appropriate medications - it is our obligation to ensure patients also do not perish from a lack of trust.
*Names and other details have been changed or obscured to protect our patients’ identities