
Crozer was among the latest targets of an increasing number of health-care cyber attacks. Here’s how you can protect yourself.

Long-term uncertainty is a common problem for victims of data theft like the one at Crozer Health last month.

Ransomware is a type of malicious software that freezes an organization's software. Perpetrators demand a payment to release the system. They also threaten to sell stolen data if ransom is not paid. Crozer Health was the victim of such an attack last month.
Thamrongpat Theerathammakorn / M

Data breaches like the one that recently led to some canceled appointments and forced doctors and nurses to use paper medical records at Crozer Health in Delaware County get a great deal of attention as they unfold.

But the long-term impact of such breaches is hard to pin down. It’s virtually impossible to draw a direct line between a specific data breach like the recent one affecting Crozer’s owner, Prospect Medical Holdings Inc., and a particular case of fraud, according to cybersecurity experts.

“There are other harms directly related to ransomware attacks against health care facilities — including patient care being put at risk and even patient deaths — but no identity crimes that we are aware of have been tied directly to a ransomware attack against a medical facility or provider,” said James E. Lee, chief operating officer of the Identity Theft Resource Center, a San Diego-based nonprofit that tracks security breaches.

That doesn’t mean anyone whose information was compromised should rest easy, Lee and other experts said. They advised victims to put freezes on their credit files with the three major credit bureaus — Equifax, Experian, and TransUnion — and to change passwords on their Prospect Medical accounts.


Health-care cyberattacks are increasing

So far this year, 438 data breaches involving 74 million records were reported by health-care providers and related businesses as of Aug. 22, according to the U.S. Department of Health and Human Services. All of last year saw 420 reported incidents involving 38 million records.

This year’s numbers do not yet include the Prospect breach. Federal law allows health systems, including insurers, up to 60 days to notify regulators.

Federal law also requires organizations to notify individuals of data breaches within the same timeframe. Those notices must include a description of the breach, an explanation of the types of information involved, and advice on what individuals should do to protect themselves.

Prospect, a for-profit health system based in Los Angeles, said in a statement that it is taking appropriate measures: “Prospect Medical will provide notifications to individuals whose protected health or personal information is involved, in accordance with applicable laws. Because our investigation is ongoing, we do not have additional information to share at this time.”

The Aug. 3 ransomware attack on Prospect Medical knocked Crozer’s computer systems offline, forcing caregivers to use paper records and delaying the issuance of referrals for specialty care. Some critical-care programs had to divert patients to other hospitals for short periods of time.

Three weeks after the attack, after Prospect had brought its systems back online, a group called Rhysida posted for sale what it claimed were 500,000 medical and other records from Prospect Medical, according to Brett Callow, a threat analyst at Emsisoft, a cybersecurity software company based in New Zealand.

“We are aware that Prospect Medical data was taken by unauthorized actors, the nature of which is being actively examined,” Prospect said in its statement.

The value of medical records to cybercriminals

Medical records are particularly valuable to criminals because they contain individuals’ ages, addresses, and social security numbers, information security expert Alex Hamerstone said. That information can be used to open fraudulent bank accounts, he said.

Hamerstone, advisory solutions director for TrustedSec, a cybersecurity consulting firm in Fairlawn, Ohio, said people often ask him what they can do to protect their medical records.

“Well, you can’t,” he tells them. “They’re not under your mattress. You can’t put them in a safe. They’re at a hospital somewhere in some kind of electronic records management system. You’re not going to be in an ambulance and ask to be diverted to a place with better data security.”

Robert D’Ovidio, a Drexel University cybersecurity expert, pointed to risks that are specific to health-care providers.

Flexible spending accounts, health savings accounts, and health reimbursement accounts could be integrated with other health records, increasing the risk for theft, said D’Ovidio, an associate professor in the Department of Criminology and Justice Studies.

Those account numbers and passwords should be changed after a breach, he said.

“Once compromised payment accounts have been shut down, people want to monitor statements for the next month or two to make sure they have not been used in the period between the breach and when you actually shut the account down,” he said.