In recurring dreams, people find themselves in a public place, usually a classroom, without a critical piece of clothing — pajamas, trousers, blouse. In a virtual and very real sense, millions have found themselves in a similar nightmare, stripped bare of their privacy when their health information is displayed on the Internet or accessed by someone who does not have the need or right to see it.
One of the most recent data breaches came to light this past August when officials of the Stanford Hospital & Clinics in Palo Alto, California, were dismayed to learn that the names, hospital account numbers, dates of treatment, and diagnosis codes of 20,000 emergency department patients had been posted online and had remained there for nearly a year.
In 2010, Ben Taub General Hospital in Houston ultimately terminated 11 hospital workers when they inappropriately accessed the medical records of a resident who had been shot in a parking lot and rushed to the public hospital's emergency department.
And in September 2011, three employees at Florida Hospital were fired after the records of 2,252 patients who had been seen in emergency departments in three counties after auto crashes were subject to what the hospital chain called “inappropriate access.” The problem came to light after a patient who had been in a car crash complained that she had been contacted by a lawyer referral service.
William Rogers, MD, an Ohio emergency physician and expert on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for the American College of Emergency Physicians, said even though these privacy breaches involve thousands of people and advanced technology, the real problem is actually very human: People will make mistakes or do something they should not.
“These kinds of things happen in all sorts of ways,” said Dr. Rogers. “I don't know how you are going to be able to stop this. You will always have privacy breaches. The legal sanctions are sufficient. There are administrative and civil penalties. Individual institutions are required to help people with possible identity theft. You won't be able to stop this as long as we have humans doing tasks.”
In a report required by the Health Information Technology for Economic and Clinical Health Act, the U.S. Department of Health and Human Services Office of Civil Rights said that in 2009 it received 45 reports of breaches involving 500 or more individuals, each of which also required notification of the affected individuals. In the three months of 2009 during which such reporting was mandatory, the reported breaches affected 2.4 million people. In 2010, the first full calendar year in which such breaches had to be made public, 5.4 million people were affected by 207 such breaches. In most cases, HHS said, the privacy breaches occurred because of human error, theft (for example, of a laptop or thumb drive), intentional unauthorized access to use or disclose protected health information, or loss of electronic media or paper records containing protected health information.
Human error seems to have been at the heart of the Stanford breach. Hospital spokesman Gary Migdol would not discuss the issue, but referred EMN to a website that laid out the facts. Apparently, a vendor's electronic file that included the Stanford Hospital & Clinics' information was discovered on a website Aug. 22 and removed the next day. An investigation by Stanford found that a vendor, Multi-Specialty Collection Services, LLC, had received encrypted information for permissible business purposes. The collection services company was required by law to protect the patient information in this instance. Multi-Specialty Collection Services decrypted the data, according to the Stanford website, and used it to create a spreadsheet that it provided to an unauthorized person.
That person posted the spreadsheet on a student homework website asking for help in creating a bar graph and charts. When Stanford discovered what had happened, it suspended all work with the outside vendor and demanded that it lock down all patient information. Stanford eventually terminated its relationship with the vendor.
Stanford's investigation found that the person who created the spreadsheet was the hospital and clinic's main contact with Multi-Specialty Collection Services, and was an executive vice president and an independent contractor with the collection service. Information generally associated with identity theft, such as credit card and Social Security numbers, was not published on the website or otherwise breached.
The website noted that Stanford notified appropriate government authorities and is cooperating fully. The hospital and clinic sent letters to affected patients informing them of the breach. While information generally used for identity theft was not compromised, Stanford has made arrangements for affected patients to receive free identity protection services if they wish.
Diane Meyer, the chief privacy officer at Stanford Hospital & Clinics, said in a statement that Stanford will continue to take aggressive action to hold all responsible parties accountable. “We sincerely apologize for the concern this has caused our patients. We value the privacy of patient health information, and are committed to protecting it at all times,” she said. “Our contractors are explicitly required to commit to strong safeguards to protect the confidentiality of our patients' information. We have worked extremely hard to identify all the parties responsible. No hospital staff member was involved in posting the file to the website.”
A possible class action suit in the matter has been filed in Los Angeles. “[Stanford Hospital & Clinics] intends to vigorously defend the lawsuit that has been filed as it acted appropriately, and did not violate the law as claimed in the lawsuit,” the hospital and clinic said in a statement. “SHC takes very seriously its obligation to treat its patient information as private and confidential.”
Dr. Rogers said hospitals have to do due diligence, creating the best methods to protect our data. “We have to have penalties that are real and enforced and show a compliance record. It's just as we do in emergency management,” he said. “We know we are going to get hit. It's important how we mitigate the damage.”
Latest Breach Reveals Celebrity Records
The password to the personal information of 16,288 patients — including Britney Spears, the late Farrah Fawcett, and former California First Lady Maria Shriver — from the UCLA Health System is missing after a home invasion of a former employee. UCLA notified thousands of at-risk patients that an external hard drive containing the encrypted information was stolen in September.
Although the health system said no misuses were reported, the information included names, and may have included birthdates, medical record numbers, addresses, and medical record information. The information did not include Social Security numbers or any financial information, according to a UCLA statement.
“UCLA Health System is reviewing its policies and procedures and will make any necessary revisions to help reduce the likelihood this will happen again, [and] will provide additional education and awareness to its workforce members regarding the appropriate methods for storing patient information,” the statement said.
Earlier this year, UCLA agreed to pay an $865,000 fine and to develop a plan to settle potential HIPAA privacy violations involving improper disclosures of medical records at its three hospitals.
• Read the Health Information Technology for Economic and Clinical Health Act report about data breaches at http://1.usa.gov/Breaches.
• Details of the Stanford breach are available on its website at http://bit.ly/StanfordBreach.
• Direct patients to call (855) 731-6016 for assistance with questions about the Stanford breach.
• Read the Los Angeles Times article about UCLA's HIPAA fine at http://lat.ms/UCLA-HIPAA.
• Read UCLA's statement about its September breach at http://bit.ly/UCLAbreach.
• Comments about this article? Write to EMN at firstname.lastname@example.org.