Monday, May 22, 2017

Mental Health with Regards to HIPAA week #11 post

The last topic I want to discuss relates to mental health with respect to the HIPAA rules and regulations. Mental health has been a popular topic in the news. Any time there is a mass shooting there seems to be talk about the lack of mental health issues. Or people ask whether there were mental issues related to the incident. Another question you tend to hear relates to actual discussions with the therapist. People may wonder, “What can I say without other people finding out?” This always made me wonder, with regard to HIPAA, what can be released by mental health professionals. According to the U.S. Department of Health and Human Services, the Privacy Rule applies to all protected health information. They do make an exception with regard to psychotherapy notes.
“The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record.” (U.S. Department of Health & Human Services, 2014)
This means that the mental health provider must get a patient’s permission to release information. There is one exception, and that is in the judgement of the provider whether or not to release information. This would include if a patient is about to harm himself or others or mandatory abuse reporting. 
Release without patient approval is based solely on the judgement of the doctor as to whether or not they feel the patient is a threat to oneself or others.
Something else that comes into play is state law with regard to PHI. “The privacy regulations do not preempt state law that is ‘more stringent than’ federal law.” (Malek & Krex, 2002). This is something that mental health care providers must also take into account when dealing with patient notes.
For the most part federal law maintains the same privacy with regards to mental and health records. The difference is with the notes the mental health provider keeps. They contain no info related to medical treatment, just notes about the actual therapy sessions. This should make patients feel safer to open up and talk about their issues, thus allowing them to get the help and care they need without judgement. 
References
U.S. Department of Health & Human Services. (2014, February 20). HIPAA Privacy Rule and Sharing Information Related to Mental Health. Retrieved from HHS.gov: https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/

Monday, May 15, 2017

'WannaCry' ransomware damages UK National Health Services organizations' ability to conduct business Week #10 Blog Post

This blog is going to focus on an incident last week that provides an example of some things that I have talked about in previous blogs. A ransomware attack, “WannaCry”, hit Friday afternoon and spread rapidly. Among the groups affected were the National Health Service organizations in the UK. The ransomware is malware that exploits a vulnerability in Windows XP or Windows Server 2003. Both of these are operating systems that Microsoft had stopped supporting. So what exactly does this do?
WannaCry gets passed through emails or fake ads. It creates encrypted copies of files on the victim's computer, and deletes the originals, leaving the victim with only the encrypted copies, which cannot be accessed without a decryption key (Curtis, 2017). It then demands a ransom, which has been small thus far, in the $300-$600 range. This caused major issues with the NHS.
Barts Health NHS Trust in London had to cancel routine appointments, and ambulances were diverted to other hospitals. It also affected their referral system, which recommends patients for treatment with specialists and cancels the treatment if the referral isn’t made within two weeks (Veselinovic & Hilary, 2017). Organizations were not able to access any health records. In fact, Dr Emma Fardon told the BBC that they couldn’t tell what drugs patients were on and what allergies they had (Health, 2017). So why did this happen, and could it have been prevented?
Microsoft knew of the vulnerability and actually released a patch for it in March (Graham, 2017). Unfortunately, many people do not regularly update their software as recommended. For example, whenever I turn on my computer the first thing I do is update my antivirus software, and then check for updates from Microsoft. Thus, my system was protected from this exploit. Another issue that affected the hospitals, however, was that many of them are using outdated software; software that Microsoft no longer updates. Microsoft, however, is pushing out updates to older systems to prevent the malware from spreading to them (Johnson, 2017). This issue in part addresses my previous blog: the fact that the health community doesn’t have adequate training and resources to operate securely. The most important thing to prevent this was to update the software in the first place. This, however, requires funding, since systems must be maintained, including switching from Windows XP or 2003 to the current OS, Microsoft 10.
What this incident shows is that governments need to invest more resources into healthcare, in particular with regard to the IT aspect. Look at how much damage this incident has created: rerouting ambulances, preventing access to patients’ records, and preventing referrals. All of these impacts can cost people their lives.

References

Curtis, S. (2017, May 15). Who is behind the WannaCry ransomware attack crippling NHS hospital trusts across the UK? Retrieved from Mirror: http://www.mirror.co.uk/tech/who-behind-nhs-cyber-ransomware-10410865
Graham, C. (2017, May 13). NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history. Retrieved from The Telegraph: http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/
Health. (2017, May 13). NHS cyber-attack: GPs and hospitals hit by ransomware. Retrieved from BBC: http://www.bbc.com/news/health-39899646
Johnson, A. (2017, May 15). 'WannaCry' Malware Attack Could Just Be Getting Started: Experts. Retrieved from NBC News: http://www.nbcnews.com/news/us-news/blockbuster-wannacry-malware-could-just-be-getting-started-experts-n759356
Veselinovic, M., & Hilary, M. (2017, May 12). UK prime minister: Ransomware attack has gone global. Retrieved from CNN: http://www.cnn.com/2017/05/12/health/uk-nhs-cyber-attack/index.html



Friday, May 12, 2017

Lack of Cybersecurity Personnel in the Healthcare Industry Week 9 post

With the emergence of cyber threats to medical providers, you would think that employees with cybersecurity skills would be plentiful. However, according to ISACA Chief Innovation Officer Frank Schettini, there is a huge skills gap. He “found that nearly one in three organizations take six months or more to fill an open cybersecurity role. Additionally, 37 percent of organizations said that basically 1 in 4 candidates are qualified.” (Schettini as quoted in Snell, 2017). In fact, looking at the chart below you can see that most cybersecurity jobs are being posted in the professional, scientific, and technical field.




Figure 1. Cybersecurity Jobs posted in 2014. Retrieved from: http://www.modernhealthcare.com/article/20151024/MAGAZINE/310249962
Right now there is a large job market for cybersecurity workers, so it makes sense that not only healthcare but all markets are finding it hard to find employees. “The supply is 10% of the demand—from the Defense Department to banks to cybersecurity companies.” (Inbar as quoted in Conn, 2015). “Demand is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million” (Brown as quoted in Morgan, 2016).
That is why ISACA created the Cybersecurity Nexus Training Platform. They created it in order to help employees gain that technical hands-on training. Of course they are not the only source of training, but this is one example of how healthcare organizations can help ensure the security of their information and information systems. With the shortfall of skilled employees that the previous paragraph highlighted, organizations must take matters into their own hands to ensure their staff is trained as much as is feasible. Establishing policy and training to cover the basics would be a huge asset to every organization. Until supply meets demand, hospitals and medical companies must do everything in their power to ensure their employees know how to protect valuable information.


References:
Conn, J. (2015). Healthcare struggles to recruit top cybersecurity pros. Retrieved from: http://www.modernhealthcare.com/article/20151024/MAGAZINE/310249962
Morgan, S. (2016). One Million Cybersecurity Job Openings In 2016. Retrieved from: https://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#277bf10d27ea
Snell, E. (2017). Addressing the Cybersecurity Skills Gap with Improved Training. Retrieved from: http://healthitsecurity.com/news/addressing-the-cybersecurity-skills-gap-with-improved-training


Friday, May 5, 2017

Interoperability in the Healthcare Network Blog Post Week 8

This week I am going to focus on interoperability. Currently this is a big issue not just for health care as a whole but also for the armed forces. “Interoperability means the ability of health information systems to work together within and across organizational boundaries in order to advance the effective delivery of healthcare for individuals and communities.” (Healthcare Information and Management System Society, 2017). Basically, different systems need to be able to communicate with each other. Say, for example, you visit a hospital in Florida, and then later in the year you go to a hospital in Nebraska that is on a different healthcare network; there needs to be a system in place that allows the Nebraska hospital to pull those records.
Interoperability is not easy. The Office of the National Coordinator for Health Information Technology (ONC) created an interoperability roadmap in 2015. This April, they released a proposed interoperability standards measurement framework and are requesting feedback “to evaluate progress so far by healthcare sector stakeholders - including health IT vendors, healthcare providers and health information exchange organizations - in implementing and using standards facilitating health information exchange now that electronic health record use is widespread.” (McGee, M. 2017). Being able to create interoperability makes access to patients’ records for healthcare much simpler.
The ONC is also creating a competition to create an algorithm for patient matching. Patient matching describes the techniques used to match the data about you held by one health care provider with the data about you held by another (or many others). (Posnack, S. 2017). They are awarding 6 cash prizes worth a total of $75,000. First place would gather $25,000. If you are interested you can enter at: https://www.patientmatchingchallenge.com/challenge-information/challenge-details.
Interoperability is a must. In the military you need all services to be able to communicate with each other. The same should apply to medical records in my opinion. With that being said it does bring another risk to security. By gaining access to one network, the perpetrator would be able to access any medical information from anywhere. In my opinion though, the benefit of having an interoperable healthcare network is much greater than the risk of compromise.


References:
Healthcare Information and Management System Society. (2017). Retrieved from: http://www.himss.org/library/interoperability-standards/what-is-interoperability
McGee, M. (2017). ONC Seeks Help Measuring Interoperability Progress. Retrieved from: http://www.healthcareinfosecurity.com/onc-seeks-help-measuring-interoperability-progress-a-9879
Posnack, S. (2017). Demystifying Patient Matching Algorithms. Retrieved from: https://www.healthit.gov/buzz-blog/interoperability/demystifying-patient-matching-algorithms/



Saturday, April 29, 2017

Medical Device Hacking Blog Post Week 7

So I came across an article a while ago discussing something that I never even thought could happen in my wildest dreams: medical devices being hacked. In this particular case it was heart devices that were being hacked. “St. Jude’s devices treat dangerous irregular heart rhythms that can cause cardiac failure or arrest. Implanted under the skin of the chest, the devices electronically pace heartbeats and shock the heart back to its normal rhythm when dangerous pumping patterns are detected.” (Abdollah, T. & Perrone, M., 2017). With technology becoming more advanced and creeping into the health system, there are more vulnerabilities than ever. In this case it is live medical information about a patient that a hacker can actively hack. They could turn off the device, shock a patient when not needed, and drain the battery life, all of which can have deadly impacts. In this case there was no evidence of this happening. St. Jude’s provided the patches to the system to keep this from happening.
However, this is not the only case. According to James Niccolai (2015), “Thousands of medical devices, including MRI scanners, x-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients”. This was also shown when Jay Radcliffe, a diabetic and security expert, was able to hack his own insulin pump (Leitner, T. & Capitanini, L., 2014). According to Darlene Storm (2015), a deception-based company, TrapX, found compromises to X-ray equipment, photo archives, communications systems, and blood gas analyzers. This personally worries me, as someone could hack a system and change my medicine dosage without my notice. I would hope the pharmacist would catch something like that. However, think about how many times you have been to the hospital to get an X-ray or any medical procedure where the device itself is connected directly to the network.
The worst part of this example is we as patients can do nothing about it. Even if you prevent the doctor sharing your information electronically, the equipment itself is still a source to be hacked. Hopefully, medical device manufacturers pay more attention to the security of their products as they become more and more advanced.







References:
Abdollah, T. & Perrone, M. (2017, January 10). US warns of unusual cybersecurity flaw in heart devices. Retrieved from: http://bigstory.ap.org/article/dc914628d99140a391b8050e571aae05/us-warns-unusual-cybersecurity-flaw-heart-devices
Leitner, T. & Capitanini, L. (2014). Medical Devices Vulnerable to Hack Attacks. Retrieved from: http://www.nbcchicago.com/investigations/Medical-Devices-Vulnerable-to-Hack-Attacks-277538441.html
Niccolai, J. (2015). Thousands of medical devices are vulnerable to hacking, security researchers say. PCWorld. Retrieved from: http://www.pcworld.com/article/2987813/thousands-of-medical-devices-are-vulnerable-to-hacking-security-researchers-say.html
Storm, D. (2015). MEDJACK: Hackers hijacking medical devices to create backdoors in hospital networks. Retrieved from ComputerWorld: http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html



Friday, April 21, 2017

Organ Procurement Organizations with Regard to HIPAA Week #6 Blog

This blog is going to contain much more of my opinion than previous blog posts. I was looking for something to write about, and came across a story about HIPAA with regard to Organ Procurement Organizations (OPO). (Healthitsecurity). An ex-employee, Patrick McMahon, claimed that the New York Organ Donor Network, Inc. had removed patient organs before the patients were clinically dead. He claimed he was fired because he "blew the whistle". The company claimed he was fired due to poor performance. Part of Mr. McMahon's evidence, he claimed, was in the patients' case files, which showed the patients were still alive. He was requesting the release of the records to prove his case, to which the OPO stated that due to confidentiality they could not release the records. They also stated that though the organizations are not covered by HIPAA, they need to maintain the patients' confidentiality since they signed memorandums of understanding (MOU) with the hospitals so they can retrieve pertinent information to help the organ donor process. If they released the records "it would defeat the purpose of HIPAA if it were required to comply with plaintiff's request" (McMahon v. New York Organ Donor Network, Inc. 2016). In this case the plaintiff won, with the court stating that since it is not a HIPAA covered entity it must turn over the records.

This led me to think about why they are not HIPAA protected. First, how can a hospital release records to an entity not covered under HIPAA? This is a little easier to understand. In order for an organ donor group to do its job, it needs vital information about a patient to make sure that the organ goes into a viable recipient. Having to wait for an authorization from a family member would waste valuable time since some organs are only viable for so long. This part makes sense and I completely agree with this. I think this is why you annotate that you are an organ donor on your ID. This lets hospitals know they already have your approval.

So why aren't organ donors covered under HIPAA then? This isn't covered too well. From what I have read, basically it comes down to the need for them to know the information to do their job. They can also share information with the donor family such as the age, health, gender, and sex of the recipient. With HIPAA they might not be able to provide that information to the donor. This can help the donors feel a little better knowing general info about who is being helped. It could also cause issues, though, if the OPO started discussing non-health-pertinent information, as it may make the family more reluctant to donate if the recipient were a different religion, for example. This is where I am conflicted myself. For myself, I am an organ donor, so I authorize anyone to use my organs. However, someone who may have to decide for another family member may feel reassured it is going to someone who needs it. By making an OPO a protected entity they could not give that information without the recipient family's allowance, which may make the family doing the donation more reluctant to donate. Also, by having to wait for the recipient's approval you are adding more delay to the process. For example, if the recipient has to say yes, then the information is provided to the donor, who then says no, valuable time was just wasted.

With all that being said, I agree with the court's ruling that the medical records should be allowed. A health care provider may use or disclose information if and as required by law (42 CFR § 482.45). I believe in a matter of law no information should be kept private, if it is strictly used for the purpose of the case and only the parts that are required, i.e. in this case only the pertinent info at the time of the patient's death.

References:

Condition of Participation: Organ, Tissue, and Eye Procurement. (2013). 42 CFR § 482.45.
Health IT Security (2017). Judge Says HIPAA Regulations Do Not Apply in Organ Donor Case. Retrieved from: http://healthitsecurity.com/news/judge-says-hipaa-regulations-do-not-apply-in-organ-donor-case
McMahon v. New York Organ Donor Network, Inc. (2016). New York Supreme Court Op 32707. Retrieved from: http://nycourts.gov/reporter/pdfs/2016/2016_32707.pdf



Friday, April 14, 2017

HIPAA with Regards to Health Applications Week #5

So lately I have been using the MyFitnessPal app to track my diet. I am using it more for the fact that I need to monitor my protein intake since I have been running so much. This got me thinking: I see so many healthcare apps and see doctors using apps on iPads, notebooks, or other electronic devices while they are assisting patients. These apps obviously make it easier for doctors/nurses/techs to do their jobs. Yet they also can lead to HIPAA violations. Companies must take a lot into account when building an app. “It is important to consider the legal implications early on in the design stage...” (Savage, L. & Caton-Peters, 2016). In fact, the Office of the National Coordinator for Health Information Technology (ONC) collaborated with the Federal Trade Commission (FTC), the Food and Drug Administration (FDA) and the HHS Office for Civil Rights (OCR) to create a site for app developers to figure out which laws may apply to them: https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/educating-health-app-developers-regulatory-requirements/. “This interactive tool helps guide developers through a short assessment of their app with a series of questions about the nature of the app, including its function, the data it collects, and the services it provides to its users” (Savage L. 2017).
This is a valuable tool for app developers. It will provide guidance and instruction as to what they can and cannot do with apps. This also can improve security, as developers will be much more hesitant to include certain data types knowing the implications they could be facing. At the same time, users must be cautious of what they put on the apps. I have seen several people post their personal health information online. That data is not HIPAA protected since you are providing the information. Users must be just as responsible when using health apps. Make sure you read the small print, knowing what info could/could not be shared.


References:
Savage, L. & Caton-Peters, H. (2016). Educating Health App Developers about Regulatory Requirements. Retrieved from: https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/educating-health-app-developers-regulatory-requirements/
Health IT Security. (2017). Mobile Security Strategies for Common Provider Concerns. Retrieved from: http://healthitsecurity.com/news/mobile-security-strategies-for-common-provider-concerns



Friday, April 7, 2017

HIPAA Compliance Penalties Week #4 Blog

Last week I discussed HIPAA compliance. This week I wanted to discuss the penalties for not complying with HIPAA. When a data breach occurs it is up to the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). The first thing to know is what constitutes a breach. A breach means “the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual.” (Eisen, J. & Gulick, S., 2012). When looking at an incident, some things need to be taken into account. These include the persons involved, including the person(s) that disclosed it and received it; the type and amount of PHI involved; whether the PHI was actually viewed or acquired; and the extent of mitigation. (Health IT Security). There are some exceptions to this, i.e. if an employee happens to open and view an email sent to them by accident, if they are cleared to see PHI info, or if there is no way data could be retained long enough to do any damage.
So assuming you have a breach, what penalties exist? For most penalties there are fines involved and, depending on the severity, this can include jail time. According to the American Medical Association, fines can range from $100 for an unknowing offense to $50,000 per violation when there was willful neglect (see image below). Jail time could also be included. If there was a knowing release you can be imprisoned for up to 1 year, if it is under false pretenses it could be up to 5, and if intending to sell or use for advantage then it can be up to 10 years.
Figure 1 American Medical Association
Think about the monetary aspect alone: if it is an unknowing breach it is $100 per violation. So if you have 100 violations you are already on the hook for $10,000. You can see how the cost could rack up quickly. This monetary impact is enough to make sure that hospitals remain HIPAA compliant. I personally don’t know if these penalties the offenders receive are of any benefit to me if it is my information that is stolen, except the fact that there would be more care taken (at least I would hope). On top of this, the organization that caused the breach could also face litigation from the people whose information was stolen. Thus there is a major benefit in maintaining compliance.

References:
American Medical Association. HIPAA Violations & Enforcement. Retrieved from: https://www.ama-assn.org/practice-management/hipaa-violations-enforcement

Eisen, J. & Gulick, S. (2012). What is a Breach Under the HITECH Breach Notification Regulations? ABA HEALTH eSOURCE, 8(9). Retrieved from: https://www.americanbar.org/content/newsletter/publications/aba_health_esource_home/aba_health_law_esource_0512_eisen.html

Friday, March 31, 2017

HIPAA Compliance Week #3 Blog Post

Reading about all these data breaches has made me wonder, exactly how do hospitals, clinics, insurance agencies, or any other place that handles electronic information. In other words, how do they prove they are in compliance? The 1996 Health Insurance Portability and Accountability Act (HIPAA) mandates rules and regulations to protect patients’ information. There are two separate rules for this. The first rule is the HIPAA Security Rule, which states the “standards that must be applied to safeguard and protect ePHI when it is at rest and in transit” (HIPAA Journal). The second is the HIPAA Privacy Rule, which just “governs how ePHI can be used and disclosed” (HIPAA Journal). The first rule can be broken into three parts: technical, physical, and administrative safeguards.
                
So just how do covered entities become compliant? The US Department of Health and Human Services Office for Civil Rights (OCR) is responsible for tracking compliance. The covered entities are held responsible for their compliance, as there is no compliance certification process. Covered entities just need to make sure they have procedures and policies in place, have a security rule assessment, make sure they properly train employees, and document. However, OCR can and has begun audits on covered entities.

Healthitsecurity.com provided an example of what this audit looks like. A company, Night Nurse, had an audit conducted against them. It covered the three phases mentioned above. There were over 400 questions. “The questions required everything from base descriptions of our services and procedures to in-depth descriptions of each technical component of our system infrastructure…the report also required a vulnerability assessment for each technology component, and how these risks were mitigated.” (Pologe, 2017). The second part was an on-site physical inspection to assess physical security. They also conducted hacking attempts to get into the systems. The third and final part was about remediation. They had to provide proof of compliance that they were at risk for.

Reading about these audits allays my fears a little bit, knowing that the covered entities are being audited to ensure compliance. Though I think it is safe to believe that not every program is audited every year. I do feel safer about my health records being stored electronically. I also feel like it is safer at a larger hospital since these seem like the most likely to be audited.

References
Snell, E. (2017). Preparing for an OCR HIPAA Risk Assessment Audit. Retrieved from: http://healthitsecurity.com/news/preparing-for-an-ocr-hipaa-risk-assessment-audit
HIPAA Journal. HIPAA Compliance Checklist. Retrieved from: http://www.hipaajournal.com/hipaa-compliance-checklist/


Wednesday, March 22, 2017

Ransomware attacks against medical records Week #2 Post

So while looking for interesting health field issues going on, I found one article reporting recent ransomware attacks against health services. A ransomware attack is a software attack in which information is stolen and returned after a sum of money has been returned. One of the places, Metropolitan Urology (http://healthitsecurity.com/news/metropolitan-urology-ransomware-attack-affects-18k-patients), actually experienced the attack in 2006. They didn't even become aware of the incident until January of 2017. Think about that for a second: it took them 11 years before they became aware of the incident. This made me think of my data that was possibly compromised. It took them a long time to find out that the data may have been compromised. This made me wonder why it took that long to discover the issue.

One of the reasons I have found was that few of the attacks actually disrupt their network. They do get notifications of potential issues, but they receive so many that it is hard for the companies to sort through them all. In fact, "According to Verizon, 66 percent of breaches take months or even years to detect" (Thompson, 2017). That thought bothers me quite a bit. My data could be held out there being stolen without it being discovered until it could be too late.

The other vendor, Summit Reinsurances Services, was also a victim of ransomware. In this case several other medical companies used that vendor, and all of those companies had to notify their patients of the potential breaches. I may touch on 3rd party vendors with regard to healthcare in a later blog.

Ransomware can definitely cause several issues in the healthcare field. Again, you have so much valuable information in those medical files that the cost to retrieve that information could be high. Not only that, but there is no guarantee you get your data back, or that the criminal doesn't sell it for profit anyways.

References:

Thompson, M. (2017). You Had an Ongoing Data Breach for Months. How Could You Not Know?. Retrieved from: https://www.business.com/articles/data-security-breach-why-they-go-unnoticed/

Sunday, March 12, 2017

Even Medical Records Can Be Hacked

More and more personal information is being kept online. There are several benefits for this. Primarily it makes it easier for your health information to be available to other doctors and hospitals quickly. If something were to happen while you were in a separate state the hospital you are at can get your medical records quickly to see any possible allergies or complications you may have had in the past. However, as there are benefits, there is also a pretty big negative: security.

I had my hospital information potentially stolen. I attended Texas A&M during 2006-2008. In 2007, I was admitted to the hospital. I had never thought about my information being in jeopardy when I was admitted. In 2010, I received a letter from the hospital that my information may have been compromised in a hack of the system. They could not be sure what information had been stolen. The first thought that occurred to me was what type of information they could have stolen. Medical records contain social security numbers, home addresses and obviously medical history.

This forced me to watch my credit reports to make sure that no one had stolen my identity. This made me think as to how much of a problem this is. In fact, doing some research I found an article: http://www.computerworld.com/article/3090566/healthcare-it/hackers-are-coming-for-your-healthcare-records-heres-why.html showing just how often these breaches can occur. In the article there was this image attached:

As you can see, the compromise of medical information has steadily been growing. More emphasis needs to be placed on protecting medical data to prevent valuable information being stolen.