Friday, May 2, 2008

6,000 UCSF patients' data got put online

It seems that I've written about this issue a lot in the past couple of weeks. It's not a good sign when health records keep getting breached...and its the kind of information that is supposed to be protected under federal law. The growing concern over keeping medical information private has largely centered on such companies as Google and Microsoft, who will be privately offering such a data storage service in the near future - but without the legally mandated privacy protections (i.e. HIPAA).

But in this case, we are seeing that concern over one's private medical records transcends simply whether they are supposed to be legally protected or not - but whether they are at all. Just another day in the rapidly evolving world of electronically stored health records.

What's especially disturbing about this story is that it shows how health care institutions are tracking patients and their families for nonmedical reasons...such as that grand old quest for money! As if our "for profit health care system" didn't have enough problems, now we know that our local hospitals, nursing homes and hospices may be tracking us for fundraising, marketing, and advertising opportunities. Yuck...

The San Francisco Chronicle reports on the latest data breach:

Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft...

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online. The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

The consequences of health care data breaches can be significant, said experts. Sensitive information can be used by employers, health insurers and other entities to discriminate. Additionally, thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research and consumer education group. "To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."


The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes. Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.


In January, California began requiring health care providers to alert consumers if their medical information is breached. Swift notification is considered important so consumers can monitor credit reports and bills. According to Joanne McNabb, chief of the California Office of Privacy Protection, notice should be given "in the most expedient time possible, without unreasonable delay."


"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said. Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.
A federal privacy regulation known as HIPAA, the Health Insurance Portability and Accountability Act, sets standards to protect personal health information. Health care entities are allowed, for fundraising activities, to release to business associates - without explicit individual authorization - certain demographic information, such as names, addresses and dates of treatment, but not information about health or health care.


In the UCSF breach, the names of patients treated at four care units were released: chest and pulmonary, vascular surgery, pediatric surgery, and pediatric multiple sclerosis. "It seems they may have released more information than permitted," said Gail Sausser, a HIPAA consultant and adjunct professor of health law at Seattle University's School of Law.

Click here to read the article in its entirety.

No comments: