Ashley Madison Data Breach – A Lesson for Health IT

Posted on July 28, 2015 | Written by Colin Hung

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat, one of the most popular and active healthcare social media communities on Twitter. Colin is a true believer in #HealthIT, social media and empowered patients. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He currently leads the marketing efforts for @PatientPrompt, a Stericycle product. Colin’s Twitter handle is @Colin_Hung.

The recent hack of the Ashley Madison, Cougar Life and Established Men infidelity/hookup websites has been front page news. Overnight the lives of 50 million site members (pun intended) were potentially stolen by a hacker group calling itself “The Impact Team”. The Washington Post and CNBC have great articles on the details of the hack.

As the story unfolded I became more and more fascinated, not because of the scandalous nature of the data, but because I believe this hack is a lesson for all of us that work in #HealthIT.

The value of the data that is held in EHRs and other health apps is somewhat debatable. There have been claims that a single health record is worth 10-200 times more than credit card data on the black market. The higher value is due to the potential access to prescription medications and/or the potential to use health data to commit Medicare fraud. A recent NPR post indicates that the value of a single patient’s record is approximately $470 but there is not a lot of strong evidence to support this valuation (see John Lynn’s post on this topic here).

While $470 may seem like a lot, I believe that for many patients, the reputational value of their health data is far higher. Suppose, for example, you were a patient at a behavioral health clinic. You have kept your treatment secret. No one in your family or at your employer knows about it. Now suppose that your clinic’s EHR was breached and a hacker asked you for $470 to keep your data from being posted to the Internet. I think many would seriously consider forking over the cash.

To me this hypothetical healthcare situation is analogous to what happened with Ashley Madison. The membership data itself likely has little intrinsic value (even credit card data is only worth a few dollars). HOWEVER, the reputational value of this data is extremely high. The disruption and damage to the lives of Ashley Madison customers is enormous (though some say well deserved).

The fallout for the company behind Ashley Madison (Avid Life Media, a Canadian company) will also be severe. They have completely lost the trust of their customers, and I do not believe that any amount of market spin or heartfelt apology will be enough to save them from financial ruin.

I believe what Avid Life Media is going through is what most small-medium sized clinics and #HealthIT vendors would face if all their patient data was exposed. Patients would utterly lose faith and take their business elsewhere (though admittedly that might be a little harder if other clinic choices were not covered by your insurance). Even if the organization could afford the HHS Office for Civil Rights fines for the data breach, the impact of lost patients and lost trust would be more devastating.

With the number of health data breaches increasing, how long before healthcare has its own version of Ashley Madison? We need to do more to protect patient data; it can no longer be an afterthought. Data security and privacy need to be part of the design process of software and of healthcare organizations.

Life’s short. Secure your data!