PI Newswire

Content aggregation for the investigative professional

Search Results: medical-records

As the U.S. invests billions of dollars to convert from paper-based medical records to electronic ones, has the time come to offer everyone a unique health-care identification number?

Proponents say universal patient identifiers, or UPIs, deserve a serious look because they are the most efficient way to connect patients to their medical data. They say UPIs not only facilitate information sharing among doctors and guard against needless medical errors, but may also offer a safety advantage in that health records would never again need to be stored alongside financial data like Social Security numbers. UPIs, they say, would both improve care and lower costs.

Privacy activists aren’t buying it. They say that information from medical records already is routinely collected and sold for commercial gain without patient consent and that a health-care ID system would only encourage more of the same. The result, they say, will be more patients losing trust in the system and hiding things from their doctors, resulting in a deterioration in care. They agree that it’s crucial to move medical records into the digital age. But they say it can be done without resorting to universal health IDs.

Read more…

According to the DataLossDB project run by the Open Source Foundation, hundreds of millions of medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 2011.

RSA
The security division of data storage firm EMC (EMC) was hit by a hack that compromised their popular SecurID cryptographic keys, forcing them to offer replacements to their clients. The stolen information was later used in an attack on defense giant Lockheed Martin (LMT).

Texas Comptroller
A server mistakenly left open to the public contained the Social Security numbers of 3.5 million teachers and other state employees.
No hacking necessary to access this server. The FBI started a criminal investigation.

Sony (SNE)
The conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions. Hackers made off with 77 million names, e-mail addresses and passwords after breaching Sony’s PlayStation network.

Read more…

It was announced recently that nearly 5 million patient records of military personnel were stolen. There was no elaborate hacking, and no technical skill was required on the part of the thieves—some tapes containing these records were stolen from a car belonging to an employee of SAIC who was prosaically transporting them between federal facilities in San Antonio, Texas. The data included not only sensitive medical information, including prescription records, but also the names, addresses and Social Security numbers of victims.

Since September 2009, around the world, about 15 million patient records have been purloined, “mislaid,” or otherwise compromised. Most famously, Stanford University Hospital recently announced that the medical records of approximately 20,000 emergency room patients had been posted on a public website for nearly a year. Within a few weeks of that announcement, a class action was filed under the California Confidentiality of Medical Information Act which, like many other state and federal statutes here and abroad, requires safeguards to ensure the privacy of such information. In answering the suit, Stanford illustrated just how many people have access to that sensitive data in the ordinary course of business. Stanford said the information had been securely transmitted to a data collection service; that the collection service had transmitted the data to a graphics company in order to prepare a visual presentation based on the data; and that an employee of the graphics company had improperly posted the information on a website—a breach which managed to go undetected for at least a year. Stanford says it acted appropriately, and intends to defend itself against the lawsuit.

However, even if your data does not get posted on a public website, lots of people can see just how much Xanax you’ve been taking.

In the United States there is currently a major push to digitize all patient records. Similar efforts were undertaken some years ago in the UK and in Australia. About $45 billion of stimulus money was allocated to the effort, accompanied by a persuasive case delineating its benefits: the instant availability of information to doctors, which might well save lives; the elimination of many forests worth of paper records; the ultimate promise of very substantial cost savings; an unprecedented clarity of the information itself (in other words, who could read a doctor’s handwriting anyway?); and best of all, given the state of the economy, the creation of over 200,000 jobs.

Read more…

More than a dozen Canadians have told the Psychiatric Patient Advocate Office in Toronto within the past year that they were blocked from entering the United States after their records of mental illness were shared with the U.S. Department of Homeland Security.

Lois Kamenitz, 65, of Toronto contacted the office last fall, after U.S. customs officials at Pearson International Airport prevented her from boarding a flight to Los Angeles on the basis of her suicide attempt four years earlier.

Kamenitz says she was stopped at customs after showing her passport and asked to go to a secondary screening. There, a Customs and Border Protection officer told Kamenitz that he had information that police had attended her home in 2006.

“I was really perturbed,” Kamenitz says. “I couldn’t figure out what he meant. And then it dawned on me that he was referring to the 911 call my partner made when I attempted suicide.”

Kamenitz says she asked the officer how he had obtained her medical records.

Read more…

Thanks to the US Department of Health and Human Services, you may be able to deter people — or businesses — from rummaging around in your medical information. If a new rule is adopted, you would have the right to obtain a list of all those who accessed your electronic medical records and what they did with the data. The “access report” would be kind of like the credit report that you can get free each year (if you go to the government’s website annualcreditreport.com and not to freecreditreport.com or those other outfits that get you to sign up for expensive and unnecessary credit monitoring services).

Sorry for the digression, but it steams me that credit report companies charge people for what the government provides for nuthin’.

Back to medical records. You may think that they are sacrosanct — and maybe they are if you are attended by one lone physician who keeps everything in paper files that he (or she) locks in the office safe. But these days, most health care providers — doctors, hospitals, labs, insurers, HMOs and so on — feed your data into computer systems that can be invaded by snoopy employees or volunteers who want to know why you’re in the hospital or how you mysteriously lost 97 pounds. In the most heart-breaking instance I can think of, an employee at the UCLA Medical Center in 2008 accessed Farrah Fawcett’s medical records without authorization. Information that her rectal cancer had recurred turned up in the National Enquirer before she could give the bad news to her family and friends. Fawcett died a year later.

Data breaches are another problem. In the last couple of years, hundreds of medical institutions have reported wholesale information losses.

Read more…

A new survey finds patients wary of the move to electronic health records and the ability of their healthcare providers to secure them.

During the last week of January, CDW Healthcare surveyed 1,000 U.S. adults who had been to a doctor’s office, a hospital, or an outpatient facility in the past 18 months. What the survey found was a broad cross-section of the American public who were uneasy about the potential security problems associated with the move from paper to electronic records.

Nearly one-half of all respondents believed electronic health records would negatively impact the privacy of their personal information and health data. Patients’ concerns varied from fears their information would wind up on the Internet to cybercriminals using the information to blackmail them or steal their identity. Respondents also worried that if employers gained access to their health information, they could use it to manage their benefits and compensation or to make hiring decisions.

These results came despite patients’ overwhelming trust in healthcare providers to do the right thing with their personal health information.

According to CDW, nearly seven out of ten patients trusted their doctor’s office with their personal information, whereas only one of ten patients trusted their insurance company, the federal government, and their employer to protect their personal information. More noteworthy, 83 percent of patients surveyed said they trusted their doctors to use their information in their best interest.

Read more…

Clearly not all data breach notifications are equal. Case in point is a notice delivered to patients of Seacoast Radiology, after there was a potential breach involving their medical records. However, the servers breached were not hit for their data; they were hit for their bandwidth.

“On January 11, 2011, notification letters were mailed on behalf of Seacoast Radiology to a group of individuals whose medical billing related information was stored on a Seacoast Radiology office server, following the discovery of unauthorized access to that server on November 12, 2010,” an informational website on the breach explains.

There was no credit card data stored on the server. However, the records of just over 230,000 patients were stored there, which is why the notifications were delivered. Seacoast hired ID Experts to help with the PR efforts related to the breach.

According to information from ID Experts, the server contained patient names, Social Security numbers, addresses, and phone numbers, as well as basic medical diagnosis codes and basic procedure codes for billing purposes.

The delay in notification was due to the time it takes “to gather the relevant information, identify the affected individuals, hold the necessary internal discussions, and make the appropriate decisions.”

Read more…

OTTAWA – Prime Minister Stephen Harper acknowledged an outspoken veterans critic was likely the target of character assassination after private medical information about him was widely circulated within the federal bureaucracy.

But the prime minister blamed the privacy breach on the previous Liberal government.

Documents obtained under the Privacy Act by veterans’ advocate Sean Bruyea suggest he was the subject of a smear campaign after a falling out with bureaucrats as they pushed through a major overhaul of veterans benefits in 2005-06.

Harper called the actions “completely unacceptable” but turned aside calls for further investigation, saying the government will co-operate with an existing probe by the federal privacy watchdog.

“The privacy commissioner will receive nothing but the full co-operation of this government to ensure these kinds of things do not happen again,” Harper told the House of Commons on Wednesday.

The New Veterans Charter was an initiative that straddled the transition between Paul Martin’s Liberal government in 2005-2006 and Harper’s Conservatives, who assumed power in late January 2006.

A briefing note prepared for former veterans affairs minister Greg Thompson in March 2006 was laced with private medical and financial information about Bruyea, including a quote from a psychiatrist’s letter.

Privacy experts called it a flagrant breach of the country’s privacy laws and an attempt to destroy the former military intelligence officer’s credibility.

The note was prepared for Thompson in advance of a meeting he had with Bruyea on March 28, 2006.

Read more…

A government authority in Ontario is pushing new data security encryption regulations for electronic medical records to provide a safer environment for patients in the country.

According to the Canadian Press, former health minister David Caplan is moving forward with an initiative to bolster security on electronic medical records and reduce the service’s cost to patients. Caplan was motivated to pursue the law after two instances of data loss revealed an apparent security flaw in the country’s healthcare sector.

The developments in Canadian law imply a changing environment for health information management. As new laws are released to boost security on patients’ medical information, investing in data-leak prevention can ensure regulatory compliance with government standards implemented to prevent medical data loss.

The law also covers fees for electronic medical records in Canada. Caplan said patients attempting to move their records to a new doctor faced “an enormous fee,” the Canadian Press reports.

Data-leak prevention is becoming more important for healthcare providers in the U.S., as well. Last month, South Shore Hospital in Weymouth, Massachusetts was scrutinized after losing information pertaining to 800,000 patients.

View Source…

Patient Records Sold to Recycler

Posted on September 18, 2010

The computer printouts included names, addresses, phone numbers and medical records numbers for about 30,000 patients, but no medical information.

The California Department of Public Health is investigating whether the incident violates state and federal laws. Officials were not immediately available for comment.

The breached information appears to require notification to the U.S. Department of Health and Human Services’ Office for Civil Rights. The office publicly lists all breaches of protected health information–which includes names, addresses and medical records numbers, among other information–on a publicly accessible Web site. The janitor was arrested on Sept. 10 and the breach presently is not on the HHS Web site.

View Source…

No Social Security numbers, or specific medical or financial information was released when a Los Angeles County janitor allegedly sold 14 boxes of patient records to a recycling center, officials said Friday.

The Times reported details of the case, including the arrest of Robert Sanders, 55, in Friday’s newspaper. He was charged this week with felony commercial burglary.

The files, which contained the names of 33,000 patients, addresses, phone numbers and medical record numbers, were sold for $40, according to L.A. County Sheriff’s Department spokesman Steve Whitmore.

The privacy breach was discovered in late July when officials at Martin Luther King, Jr. Multi-Service Ambulatory Care Center in Willowbrook discovered files were missing from the facility, according to a news release Friday from county health and Sheriff’s Department officials.

An investigation into the missing files led authorities to Sanders, who was among the custodians questioned about where the files had gone.

“One such employee confessed that he had personally taken the files to a recycling company for its paper value,” according to the news release. “At that time, MLK-MACC referred the matter to the Sheriff who conducted a law enforcement investigation.”

Beginning next week, anyone affected by the breach will be notified by mail, officials said Friday. The letter will contain instructions about steps to take to prevent any potential harm.

“We take patient privacy in this department very seriously,” said Carol Meyer, head of operations for the Department of Health. “Despite measures previously employed by our facilities this unforeseen event occurred. In the wake of this unfortunate incident, we are redoubling our security measures to ensure the safety and integrity of patient information.”

Read more…

Lucile Salter Packard Children’s Hospital at Stanford University has been fined $250,000 by California health officials for failing to report within five days a breach of 532 patient medical records in connection with the apparent theft of a hospital computer by an employee.

Under state law, that amount is the maximum penalty allowed for failing to report such an incident, according to Ralph Montano, a spokesman for the California Department of Public Health. The penalty is assessed at the rate of $100 for every day of delayed reporting after the first five days for each patient medical record that was breached, he said.

These failure-to-notify penalties are unique in the country, according to officials for the National Academy for State Health Policy. So far, state health officials have issued more than $1.8 million in fines against 143 hospitals that failed to report an adverse event or breach of a medical record, a wrong-site surgery or a foreign object left inside a surgical patient.

State officials on Thursday released a document, called a “2567,” summarizing the results of the state’s investigation of the Lucile Packard incident. It said an unauthorized hospital employee and her husband, another employee, were observed Jan. 5 in the hospital’s Heart Center removing a computer that contained protected health information on 532 patients.

Read more…