Medical breaches often get a mention in a local or state paper, but they rarely make national headlines. Over the past two months there have been numerous breaches that barely got a mention but, taken as a whole, reveal just how at risk our personal information really is.
In October, a new study was released detailing how electronic medical records put a patient’s privacy at risk.
According to the October 2009 Ponemon report, Electronic Health Information at Risk: A Study of IT Practitioners, 80 percent of healthcare organizations surveyed had experienced at least one incident of lost or stolen electronic health information in the past year - four percent had more than five patient data breaches. More than two-thirds of these healthcare organizations had already digitized at least a quarter of their patient records and a third had digitized more than half.
According to the report [pdf], more than 70% of senior management believes that data security and privacy are not a high priority.
Enloe Medical Center in California reported that paperwork that contained patient information went missing from their shredding facility and advised patients to check their medical records.
Hennum said she didn’t know Friday exactly what kind of information could be obtained from the forms. Names and addresses were likely on them, and other items such as Social Security numbers, medical conditions, insurance and Medicare information may also have been recorded.
The original article is now archived and behind a paywall.
A former LPN pleaded guilty in October to stealing patients’ IDs from a nursing home.
According to court documents, Fowler worked as a nurse at Our Lady of Perpetual Help, a nursing facility in Virginia Beach. From May 2008 to July 2008, Fowler accessed and stole identity information from at least nine residents. She then used the personal identity information to open and modify credit card accounts to make more than $14,000 in purchases using the stolen information. The residents were later reimbursed by the credit card lending institutions.
CalOptima, a Medicaid managed care plan serving 360,000 recipients in Orange County, California, has said they potentially lost data on 68,000 of their recipients.
CalOptima’s claims scanning vendor sent the electronic media devices to CalOptima through the U.S. Postal service by certified mail. On Tuesday, October 13, 2009, CalOptima discovered the apparent loss of the devices when the external packaging materials were delivered by the U.S. Postal Service without the box containing the devices. CalOptima immediately initiated an investigation to determine the location of the devices, including the possibility that the separated box containing the devices may have been forwarded by the U.S. Post Office to another U.S. Post Office facility.
A doctor and two hospital employees in Little Rock, Arkansas were also sentenced for HIPAA violations. In Kansas, a pharmacy’s records were found in a garbage dumpster. The records had been tossed there during building renovations. Also in Kansas, Briarcliff Care Center in Topeka reported that employees put documents with personal information on them in a public recycling dumpster. Though the police were called, they aren’t investigating since they deemed no laws had been broken. The Department of Aging, however, is conducting an investigation.
A Milton, Delaware woman was charged with stealing patients’ identities. Anthem Blue Cross Blue Shield of Connecticut waited two months to notify nearly 19,000 health professionals whose confidential data was on a stolen laptop computer.
Mercy Medical Center in Baltimore, Maryland left an undisclosed number of patient records open to possible identity theft by a former employee. HealthNet lost the medical files of 1.5 million people in Connecticut, Arizona, New York, and New Jersey.
Blue Cross Blue Shield exposed the personal information on 2 million people when they lost 68 hard drives.
“We have confirmed that the hard drives contained encoded data recordings and certain protected health information. They may have included the member’s name and ID number. It may have included the member’s date of birth or Social Security Number.”
Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information — including names, birth dates, Social Security numbers and injuries — that could also be used for identity theft.
A doctor in California stole patient data so she could open up accounts for drugs. A children’s hospital in Philadelphia had a laptop stolen with personal details on 943 people on it. The laptop was in a car at the home of a hospital employee.
The Department of Defense lost track of the medical data questionnaires on 72,000 combat medical records. The Cleveland Clinic is setting up a searchable database of patient information, supposedly with identifying information missing.
This sort of behavior isn’t just limited to the United States. German carmaker, Daimler, was criticized for conducting blood tests on potential employees. The company claims they have been doing it for over 30 years, that the tests are voluntary, and they are not illegal. The company was also criticized earlier in the year for keeping employee medical records at their Mercedes plant in Bremen.
In the United Kingdom, Ashford and St Peter’s Hospitals NHS Trust lost patient data that was kept on USB sticks.
Each of the devices contained the full treatment and full diagnosis history relating to a number of cancer patients. The information on the USB sticks was in Word format - leaving the material easily accessible to anyone with a computer.
Given how US managers don’t feel security and privacy are a real concern, it should come as no surprise that there are those in the UK who feel the same way and want parts of the law revoked [pdf] if they don’t think there is a real concern over breaches. The US health industry is also fighting a similar battle in Washington.
A former drug addict who stole a computer from a clinic was only sentenced to a 12-month community order and ordered to undertake a 12-month drug and rehabilitation order. Despite the fact that his record dates back 30 years, he was told to get his act together and address his drug problem. The UK, again, showed that data security is not taken seriously enough.
The NHS also spent £12.7bn on their e-records scheme only to find out that the confidentiality of hundreds of patients in Hull had been compromised.
A laptop was stolen from an ambulance service in Edinburgh containing details on 600 patients.
Patient records were also on a laptop that was stolen from Guam Memorial Hospital.
The Cyber Secure Institute called Wired “profoundly stupid” when Wired felt that we should just forget medical privacy. Although prescription data mining is already happening, we need to stay abreast of what is happening and prevent companies from treating our personal information as if it is just regular trash that doesn’t need to be protected.
In the United States, even when the companies provide identity theft protection and credit monitoring, they are only required to do so for one year. The implications of these breaches reach farther into the future than 12 months. Health care industries need to be more proactive in taking steps to secure their databases and their patients’ information if we are to push ahead into the electronic medical records age.
The very first step these companies can take is to never allow an employee to leave the premises with any laptop that has patient information on it. If they do, then they and the employee should be criminally responsible and should supply identity theft protection and restoration for life to the affected individuals. There is no reason why a VPN service could not be set up if an employee must take a laptop with them. That way, no patient information would be on the laptop. If the laptop is stolen, the employee would merely need to call it in and the account would be disabled. Also, any employee that leaves a laptop in a car, even for just a minute, should be fired immediately.
These breaches are just the recent ones. How many more are going to happen when we reach 2014 and it is mandated that all medical records be electronic? If we don’t fight to get laws passed now that will protect our privacy, then maybe Wired was right and we can just kiss all of our privacy goodbye.