Article by Mary Butler. This article was originally published on the Journal of AHIMA website on September 23, 2016 and is republished here with permission.
The breach of Olympic athletes’ medical records by Russian hackers this week again demonstrates the vulnerability of protected health information and the extent to which it is viewed as a target by criminals.
The World Anti-Doping Agency (WADA) on Tuesday confirmed that the Russian cyberespionage group Fancy Bear penetrated the WADA athlete database and then published the medical records of American athletes including gymnast Simone Biles, tennis stars Venus and Serena Williams, and basketball player Elena Delle Donne. Those athletes were singled out because their records indicate that they were taking substances that can be considered performance-enhancing. However, the same records also showed that these athletes had been granted “therapeutic-use exemptions,” meaning they were being treated for legitimate medical conditions with the medications cited.
Fancy Bear is the same group that American officials believe to be behind the hacks of the Democratic National Committee earlier this summer. As the Boston Globe and others reported before the Games began, much of the Russian Olympic team was banned from competition over an extensive, government-ordered doping program.
According to a report by the BBC, WADA officials believe their systems were compromised through a technique known as “spearphishing,” which is phishing aimed at specific, chosen recipients rather than sent out at random. In this method, attackers register spoof (look-alike) domains so that the e-mail appears to come from the recipient’s own organization, and then trick the recipient into clicking a malicious link in the message. A single successful click can hand the attackers a foothold from which to reach the organization’s files.
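The spoof-domain lure described above is the part of a spearphishing campaign a mail gateway can actually check for. The following is an added example, not code from the article or from WADA or the BBC: it takes raw `From:` header values and flags senders whose domain merely resembles the organization's own (different top-level domain, extra words around the name, homoglyph substitutions such as `rn` for `m`, or an internal address planted in the display name). `ORG_DOMAIN`, the homoglyph table, the distance threshold and the sample headers are all constructed for the illustration.

```python
"""Flag sender domains that impersonate an organization's own mail domain.

Added illustration, not code from the article or from WADA. ORG_DOMAIN,
HOMOGLYPHS, the distance threshold and SAMPLE_HEADERS are constructed.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.org"  # constructed: the domain the organization really uses

# Visual substitutions commonly used to build look-alike domains (constructed list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l", "3": "e", "5": "s"}


def normalize(label):
    """Undo common homoglyph tricks so 'exarnp1e' compares equal to 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance via the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def classify(from_header, org_domain=ORG_DOMAIN, max_distance=2):
    """Return 'legitimate', 'lookalike', 'external' or 'malformed' for a From: value."""
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain == org_domain or domain.endswith("." + org_domain):
        return "legitimate"
    # Display name claims an internal address while the real address is elsewhere.
    if org_domain in display_name.lower():
        return "lookalike"
    org_label = normalize(org_domain.split(".")[0])   # "example"
    labels = domain.split(".")
    if len(labels) < 2:
        return "external"
    sender_label = normalize(labels[-2])              # registrable label before the TLD
    if sender_label == org_label:                     # same name, other TLD or homoglyphs
        return "lookalike"
    if org_label in sender_label:                     # example-org.com, secure-example.net
        return "lookalike"
    if edit_distance(sender_label, org_label) <= max_distance:  # exemple.org
        return "lookalike"
    return "external"


# Constructed sample From: headers, as a mail gateway or SIEM rule would see them.
SAMPLE_HEADERS = [
    "Simone <simone@example.org>",
    "IT Helpdesk <helpdesk@mail.example.org>",
    "IT Helpdesk <helpdesk@exarnple.org>",
    "Security Team <alerts@example-org.com>",
    "Security Team <alerts@examp1e.org>",
    "News <news@exemple.org>",
    '"it-support@example.org" <drop@attacker-mail.net>',
    "Partner <info@gmail.com>",
    "broken header without an address",
]


def triage(headers=SAMPLE_HEADERS):
    """Map each header to its verdict; 'lookalike' and 'malformed' need a human look."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:10s} {header}")
```

The distance threshold is a trade-off: `max_distance=2` is reasonable for a seven-letter name like `example` but will produce false positives for very short organization names, so tune it per domain. This heuristic only inspects the header the attacker chose to write; it complements, rather than replaces, SPF, DKIM and DMARC checks on the envelope and signature, and it does not cover internationalized (punycode, `xn--`) homograph domains, which need a separate Unicode confusable check.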
AHIMA’s Angela Rose, MHA, RHIA, CHPA, FAHIMA, a director of HIM practice excellence, notes that while this incident is “an absolute breach of privacy and security,” it is not a violation under HIPAA because WADA is not a covered entity. HIPAA’s covered entities are healthcare providers, health plans, and healthcare clearinghouses; the business associates that handle protected health information on their behalf are also bound by the rules. WADA is none of these.
The affected athletes appear to be taking this violation in stride, with Simone Biles issuing her own brave rebuttal on social media.
And in a Facebook post, Delle Donne wrote: “Side note: I’d like to thank the hackers for making the world aware that I legally take a prescription for a condition I’ve been diagnosed with, which WADA granted me an exemption for. Thanks, guys!”