Uncharted Digital Waters: How Private Are Telehealth Platforms?

Since the start of the pandemic, telehealth platforms have been more necessary than ever. But are they a target for cybercriminals?

Online healthcare is nothing new. For many of us, receiving test results online is common practice—we rarely wait for a phone call from our doctors anymore. Most patient portals (online platforms for doctor-patient communication and storing medical records) were adopted by major healthcare organizations as early as the 1990s. Virtual healthcare has also been around for years, with apps like BetterHelp and Teladoc launching in 2013 and 2005, respectively. 

Yet the need for virtual care increased as the world became more digital. Of course, technology has been a boon throughout the past year and a half. We’ve been able to connect with healthcare providers without leaving the safety of our homes. But as we become simultaneously aware of our privacy—or lack thereof—online, the security of storing sensitive medical data on the internet is called into question. As it turns out, that question is a vital one.

Telehealth during a national emergency 

As digital everything suddenly became the norm, professionals quickly pivoted to new methods of care. Though many of us were already using patient portals like MyChart, virtual visits became a healthcare standard. A hospital in Australia, for example, reported a 2,255% increase (yes, you read that number correctly) in telehealth use for outpatient care at a tertiary hospital over the course of six weeks. 

To account for this kind of expansion in the U.S., the Health Resource and Services Administration (HRSA) made policy tweaks in the favor of any HIPAA-covered healthcare providers. During Covid-19, healthcare providers are exempt from HIPAA violation penalties through telehealth platforms if the violations occur “in good faith”—meaning a HIPAA breach occurred but was unintentional. An example of this type of breach could include a provider accidentally viewing a chart that wasn’t meant for them to see, or inadvertently sharing the wrong protected health information (PHI) like lab results with another provider. 

Healthcare providers have kept us safe and accommodated patient needs during the pandemic, and are likely just as concerned with protecting your medical records as you are. But the influx of information collected in patient portals and increased virtual visits could attract hackers to an already rich database of private records—and little information about the ins and outs of these programs is known to providers and patients alike.

“Some of these platforms are extremely complex and confusing for providers,” a PsyD who preferred to remain anonymous told us. “Despite days of training, we were only aware of a very limited scope used for our specific practice. That said, what was available to other providers and to patients through the portal was not always clear. And with the increased use of centralized electronic health records [EHR], providers seem to have access to a plethora of protected health information that isn’t always necessary for appropriate patient care, and it’s not clear that patients are aware that this information is available to a wide array of providers.” 

Though your provider is unlikely to have nefarious intentions for your medical records, it’s still within your rights to know who is viewing your highly sensitive data—and many portals fail to make this known to both patients and providers. As mentioned above, HIPAA violations can occur unintentionally on the part of a provider; a nurse might accidentally view a patient chart that wasn’t meant for them, or share the wrong PHI. The issue is not with the provider, but rather the likelihood that this inadvertent violation could occur within an online patient portal. HIPAA trek outlines exceptions to HIPAA violations here

Data leaks with mobile and telehealth platforms

Earlier this summer, UW Health in Wisconsin notified over 4,000 patients that an unauthorized third-party had accessed records tied to their Epic MyChart accounts. Currently, 250 million patient charts exist within Epic’s records, representing patients from the U.S. and globally. That number is a #humblebrag for MyChart, but for cybercriminals it’s something to salivate over. 

In 2020, Healthcare IT News reported that MyChart does not require re-authentication in order for patients to share their records. But that is just one of MyChart’s many vulnerabilities when it comes to a potential data breach.

A somewhat convoluted controversy surrounding Epic emerged in 2020. Their current business model uses open application program interfaces (APIs), which allow patients to share their own charts with third-party developers. It also gives patients themselves unfettered access to their own data. When a ruling by the Office of the National Coordinator for Health Information Technology (ONC) tried to improve interoperability for electronic healthcare records and make open APIs for this technology more official, Epic pushed back. Epic’s stance: Sharing patient portals with third-party apps (even if it’s shared by the patient themselves) could lead to misuse of patient info, and these apps should be subject to the same HIPAA standards as Epic and other patient portals. The opposing argument: Epic is only pushing for this so that they can “hold patient data hostage.” 

Yet many healthcare experts argue that open APIs are not the problem when it comes to misuse of patient data. 

Healthleaders Media quoted Harlan Krumholz, MD, SM, saying, “The misuse of patient data is already happening, and it has nothing to do with open APIs.” He continues, “The culprits are health systems and electronic medical record companies. So much data is moving behind people’s backs—in ways that they’re not aware of—and it’s being commercialized without their participation. Deidentified data that can later be reidentified is ‘leaking out of the healthcare systems,’” he says. “I believe the idea that certain electronic health record companies are selling data behind the scenes without the participation of patients is also a problem.”

Another consumer fear is that companies like Epic are collecting data to become the “Google of healthcare”—as genetics testing companies like 23andMe have likewise been suspected of. Though this might not be concerning on an individual level, hoarding massive amounts of personal data could lead to misuse of information on a larger scale, turning patient data over to advertisers for profit. 

This kind of unregulated access to private health information could also end up in the wrong hands—namely, insurance companies. This Vox article looking into 23andMe explains how employers cannot use genetic data to deny you a job under the Genetic Information Nondiscrimination Act, but companies of fewer than 15 people and disability and life insurance companies are not held to the same set of rules. To be clear, there is no evidence that patient portals like MyChart are hoarding and selling your data to third parties, but further understanding, regulation, and monitoring of these entities is vital. 

Why healthcare data is so sought after by cybercriminals 

According to former hacker Alissa Knight, personal health information (PHI) is the most valuable type of data that exists on the dark web. In this study, Knight and Approov looked at 30 mobile healthcare apps to see just how secure they were. Each of them had API vulnerabilities, and all of them were susceptible to Broken Object Level Authorization (BOLA) attacks. This extremely common API vulnerability means that an app does not confirm a user’s privileges to protected information, and is very easy for hackers to exploit once discovered. 

Obtaining medical records could enable someone to impersonate you and even get treatment or prescription drugs. Not to mention the bevy of information that comes with your MyChart or other accounts that are valuable on the dark web or make you vulnerable to phishing attacks: your birthdate, address, family history, and contact information, to name a few.

What you can do

We’re clearly in uncharted waters when it comes to virtual care, and there is a disconnect between the medical world and the tech world in regards to vulnerabilities in healthcare apps and telehealth platforms. Yet with such sought after, highly sensitive information, it raises the question why healthcare organizations aren’t working more closely with platform developers to create a more secure technology. Until then, here is how patients can take matters into their own hands to protect their data:

  1. Take it offline. Online access to our records is convenient, but that doesn’t mean you are required to store everything in one place. Participation in MyChart or another patient portal or telehealth platform is voluntary. Under HIPAA, patients can request their medical records in any format. If you prefer paper records to be mailed to you, your healthcare provider is required to honor that preference. Ask your providers to be transparent about what is shared within your chart. Review Epic’s privacy policy in full here to ensure you’re comfortable with the amount of data that is collected and stored. 
  1. Lock or hide sensitive test results or diagnoses. Not every patient portal has enabled this feature, but some allow you to hide a specific diagnosis from your records and portal. This pediatric EHR platform, PCC, explains how to do this step-by-step
  1. Enable multifactor authentication for patient portals and virtual health apps. Many of us log in to MyChart and other telehealth platforms using just our username and password, but patients can set up two-factor authentication. This page of MyChart’s FAQ section explains how. 
  2. Take action if you suspect a breach of privacy. Just like with any form of identity theft, with medical identity theft, the sooner you act, the better. If you have experienced medical identity theft, this Dashlane article explains your recourse.
    Rachael Roth

    Rachael Roth is a content creator with over a decade of experience in print and digital media. She is a longtime contributing writer for Dashlane's blog and is the Assistant Editor and Copywriter for NYC & Company, New York City’s CVB and marketing organization.

    Read More