Friday, May 30, 2008

Senate bill OKs druggists' sharing patient files

You read it correctly. The California Senate suddenly changed its tune, and this drug-marketing-firm-sponsored bill garnered four more votes than it did last week, and sadly WON 21-16.

As the past two posts have pointed out, the legislation allows the sharing and selling of a patient's confidential medical information regarding prescription drugs among pharmacies, third party corporations and pharmaceutical companies without the patient’s consent.

Or in other words, California consumers and the right to privacy explicit in our State Constitution lost and big business won. Under this bill, an individual’s private medical prescriptions become commodities to be marketed and sold for the purpose of increasing corporate profit, not improving public health.

Let's remember, drug companies are interested in acquiring every bit of personally identifiable information about patients in order to market their products directly to them. SB 1096 does not require the third party mailer to remove or encrypt personally identifiable patient information – such as a social security number - that it shares with the pharmaceutical company. If information aggregators get access to this data they could then track down such things as your credit and bank account information – a jackpot for company marketers, insurers, hackers, and identity thieves.

A few clips from the San Francisco Chronicle's short follow up article:

"This bill will provide public benefits that will help people live healthier lives," Calderon said.

But critics say the legislation violates patient privacy rights and opens the door for medical identity theft.

"There is nothing more private than our personal medical records, but this bill would let drug companies peek in our medicine cabinet to boost their profit," said Jerry Flanagan of Consumer Watchdog. "Once private medical information is transferred electronically, it is vulnerable to theft, accidental leaks and misuse."

Calderon amended the bill after a 17-17 defeat on the Senate floor last week to allow patients to opt out from mailings when they pick up prescriptions.

The bottom line is that SB 1096 gives drug marketing and pharmaceutical companies exactly what they want: a way to increase customer allegiance to their particular brand name through direct mail. In contrast, consumers’ right to privacy is undercut, their identities are more likely to be stolen, and increasing amounts of junk will fill their mail boxes.

The bill’s author, Senator Ron Calderon - who has received $21,690 from drug companies and other bill beneficiaries – added the “opt-out” amendment to appease those with privacy concerns. Whether this was responsible for the sudden turnaround in the Senate is still unknown. However, consumer and privacy protection groups opposing the bill were not swayed.

Opt-out provisions are designed to put the burden on the patient rather than the company looking to profit off them. The fact is a patient’s medical records could initially still be shared without them having given their informed consent to do so. Under “opt-in”, a critical principle of privacy protection is upheld: before a person’s medical records are sold or shared, they must give prior consent to do so.

Now the bill moves to the Assembly...I'll keep you informed as to its progress.

Wednesday, May 28, 2008

Bill would let pharmacies sell medical records

I thought I should briefly follow up on the coverage SB 1096 is receiving, as its ramifications for individual privacy, particularly of one's medical records, are significant.

The article in the San Francisco also featured my take on the bill:

The legislation would allow pharmaceutical firms to send mailings directly to patients. Supporters of the proposal say the intent is to remind patients to take their medicine and order refills. But consumer privacy advocates are outraged.

"This bill would be a windfall for corporations seeking to track, buy and sell a patient's private medical records," said Zack Kaldveer, spokesman for the Consumer Federation of California. "This would represent a significant intrusion by pharmaceutical companies into the privacy of patients.

"By opening this Pandora's box, consumers could wind up receiving mailings designed to look as if they came from the pharmacy yet conflict with what their pharmacist or doctor has recommended. Such a scenario would be a threat to their health."


A primary backer of the bill is Adheris Inc, a subsidiary of a drug marketing company that was sued several years ago under its former name for privacy violations. Adheris is involved in a pending class-action lawsuit in San Diego involving the same issues in the Calderon bill. California has one of the nation's strongest medical privacy laws. Under the Confidentiality of Medical Information Act, direct mail marketing to patients by pharmaceutical firms is not permitted.

The bill is coming up for a second vote in the Senate on Thursday, with an amendment that allows an "opt-out" option for consumers. Of course, as anyone who cares about privacy issues knows, opt-out is not sufficient; it must ALWAYS BE, particularly when it comes to one's private medical records, an opt-in provision.

Think about it. "Opting-out" of the program rather than requiring businesses to obtain the informed and affirmative consent of the patient before sharing their private medical records is just another way to place the burden on consumers. Allowing us to opt-out only after our privacy has been violated is no solution. Under opt-in, the consumer is in control of their medical records, and no business can share them unless WE give them permission.

Consumers should have the right to expect their private medical records will be held in confidence by their doctors and pharmacists. Without giving people the right to decide whether their private information can be shared and sold, the confidentiality central to the trust that develops between a patient and his or her doctor is undermined. This in turn could make patients more reluctant to give doctors the information they need to provide optimum care.

Further, the last thing today's consumer needs is MORE junk mail, or a law that increases the likelihood his or her identity could be stolen and his or her right to privacy be violated just so multibillion-dollar corporations can increase their profit margins.

If the California legislature wants to honestly and effectively address the health needs of the people they should focus their efforts on making health insurance more affordable and lowering the cost of prescription drugs.

Click here to read the article in its entirety.

Friday, May 23, 2008

Senate rejects bill to allow drug marketing firms access to patient medical records without consent

I'm just going to post the entire press release I wrote regarding yesterday's (temporary) victory in the Senate:

The California Senate rejected a bill yesterday sponsored by drug marketing firms that would have allowed the sharing of a patient's confidential medical information regarding prescription drugs among a pharmacy, third party corporations and pharmaceutical companies. The bill was however granted a second chance to pass the Senate next week.

The Consumer Federation of California opposed SB 1096 (Calderon) because it raised significant privacy and health care concerns for patients. The bill would have created an exception to California's Medical Information Act, and allowed sharing of confidential patient drug prescription information without a patient's consent. The bill's main backer, Adheris Inc., is a subsidiary of inVentiv Health Inc., a drug marketing company.

“The California Constitution and the people of our state won a temporary victory today," said Zack Kaldveer, spokesperson for the Consumer Federation of California. "If the drug marketing companies had their way, your private medical prescriptions would have become commodities to be traded and sold on the open market for the purpose of increasing corporate profit, not improving public health."

Under SB 1096, drug stores would provide confidential patient prescription information to third party businesses. The third party would prepare mailings to patients that would have the appearance of coming from the pharmacy. These third party marketing corporations would, in turn, provide patient information to, and receive payment from, pharmaceutical drug manufacturers to send the mailings, ostensibly to remind patients to take their medications or to renew their prescriptions.

This type of privacy invasion should not occur without the consent of the patient. Under California law, pharmacists counsel patients on prescription drugs at the point of purchase. It would be a simple matter for the pharmacist to ask the patient if he or she wants to opt in to receive reminder notices as part of the counseling.

Drug companies are interested in acquiring every bit of personally identifiable information about patients in order to market their products directly to patients. The bill does not require the third party mailer to remove or encrypt personally identifiable patient information that it shares with the pharmaceutical company.

"SB 1096 would be an unprecedented intrusion by drug companies into the physician - patient relationship and a blatant violation of an individual’s right to control his or her personal medical information," said Kaldveer. "A person's doctor - not a third party marketing company - is the best source for informing a patient about how to manage his or her health condition."

The bill would allow a third party to send reminder mailings that may be in direct contradiction to a physician's recommended course of treatment. For example, if a patient begins to take a medication and experiences an adverse reaction, the patient might discuss the problem with the prescribing physician, and an alternative course of treatment may be developed.

Unaware of this change in treatment, the pharmacy has communicated to the third party mailer that a patient is receiving a medication. The drug company that manufactures the medication then prepares mailings to remind the patient to take his or her medication, and to renew the prescription.

These mailings are designed to look as if they came from the pharmacy. The patient is now receiving contradictory instructions from two trusted sources, the doctor and the pharmacy. Senior citizens have the highest incidence of prescription drug use, and some may be confused by these conflicting directives.

This kind of direct interference in the doctor - patient relationship is potentially dangerous to patient health. Yet the bill does not include any penalties for drug companies that engage through intermediaries in these communications with patients in contradiction to a doctor's recommended course of treatment.

The Consumer Federation of California urged the state senate to continue its opposition to the bill unless a patient's informed consent is required prior to the transfer of private medical information.

Wednesday, May 21, 2008

'Google Health' launches despite privacy fears

The emerging electronic medical records "industry", and the privacy concerns associated with it, are now here, as "Google Health" has officially launched.

As I have detailed on this blog, there has been a rash of electronic medical record privacy violations in recent months as well as a new study published in The New England Journal of Medicine warning that "the entry of big companies like Microsoft and Google into the field of personal health records could drastically alter the practice of clinical research and raise new challenges to the privacy of patient records."

The important distinction between traditional medical records and those stored by Google is that we currently have no laws guaranteeing the privacy of privately digitized health information. And until that time comes, there are serious privacy risks involved in allowing one's records to be electronically stored by companies like Microsoft and Google.

With that said, there are also significant benefits to the new service. So as always, the devil will be in the details...

The Telegraph reports on the big launch:

The service, called Google Health, enables Americans to collate information about their medical histories in one easily accessible site, storing such data as vaccinations, illnesses, procedures, prescriptions and blood tests.

Users can also import records from the small number of health care providers and chemists that have so far signed on as partners in the scheme, set up text message alerts via a "virtual pillbox" to remind them to take prescriptions or research health questions.


Google...also addressed security concerns, promising users they alone will be able to see and manage information on their password protected profiles and that "Google will not sell, rent, or share your information (identified or de-identified) without your explicit consent, except in the limited situations described in the Google Privacy Policy, such as when Google believes it is required to do so by law."


Nevertheless, the emerging sector of electronic medical record storage has alarmed some privacy advocates who see it as uncharted territory and question what legal remedy users would have were their data to be accessed or misused by an unauthorised party.

"It's the Wild West online," Deborah Peel, a psychiatrist who founded the nonprofit advocacy group said. "The risks are massive." She said Microsoft consulted while designing HealthVault and agreed to routine privacy audits, the first of which is to be completed in June.

"We think it is critical to actually have external proof technology companies working with medical records are doing what they say they do," Miss Peel said. "Talk is cheap."

Clearly, this is a technology and service that is here to stay. Now comes the hard part: ensuring consumers' most private information is safe and secure.

Click here to read the article in its entirety.

Monday, May 19, 2008

REAL ID UPDATE: North Carolina, Minnesota Stand Tall - Sensenbrenner melts down

Ahhh...this is one of those long train wrecks that one can take a deep pleasure in watching. The train wreck I refer to of course, is the slow death of the liberty stomping REAL ID Act that was slipped through as an attachment to a supplemental spending bill for the Iraq war in 2005.

As I have detailed on this blog over the past few months, this "National ID" concept continues to meet resistance across the country whenever the public - or state leaders - get a chance to review and comment on it.

A quick review: The Real ID Act would turn our state driver’s licenses into a genuine national identity card and impose numerous new burdens on taxpayers, citizens, immigrants, and state governments – while doing nothing to protect against terrorism.

This new federal identity document would be required of every American in order to fly on commercial airlines, enter government buildings, open a bank account, and more. The common reaction from concerned public citizens across the country to the Act has centered on the threat it would pose to individual privacy, the high costs states would incur to implement it, the increased danger of identity theft, and the possible loss of freedoms due to expanded government power.

The good news is that state after state is joining forces to oppose the Real ID Act...with North Carolina and Minnesota just taking two more big steps in that direction.

First, as reported in the News-Record: "N.C. lawmakers target ID law":

Both fiscal conservatives worried about the law's impact on state spending and more liberal members, who express concerns about the potential for invasion of privacy, signed on to a bill this past week that demands, "No State agency shall comply with the requirements of the REAL ID ACT."

That 2005 federal law created uniform standards for state driver's licenses in an effort to make identification harder to fake or obtain for those here illegally. Should the North Carolina proposal pass and the federal government not change the current law, North Carolinians would be unable to use their driver's licenses for boarding airplanes or entering U.S. government buildings.


The law would assemble a mammoth database of personal information. That has been a major sticking point for those concerned about government keeping too close a watch on its citizens or about security failures that could put individuals at risk for identity theft.


Maine became the first state to formally reject REAL ID requirements last year; now at least seven states have passed laws similar to North Carolina's. Several other states are in the process of passing laws, including Minnesota, where the legislature voted to reject the federal law over the threat of the governor's veto.

In fact, so many legislatures and governors have said they could not or would not comply with REAL ID, that the Department of Homeland Security granted all 50 states an extension for complying with the new rules from May 11 of this year until Dec. 31, 2009.

Meanwhile, in Minnesota the House and Senate have approved a bill (Update: Gov. Pawlenty just vetoed it) that would bar state driver's license authorities from implementing the federal Real ID regulations altogether.

KSTP TV Reports:

Governor Pawlenty vetoed an earlier attempt to require that conditions be met before the state could change licenses to meet federal rules. But both chambers passed the bill by veto-proof margins: 50-16 in the Senate and 103-30 in the House.

The Real ID mandate would require every citizen to carry a U.S. government-approved card to board a plane or enter a federal facility.

Critics say it will be costly to implement and that too much of people's personal information will be added to a national database. Supporters argue that a more secure identification card will help in homeland security and immigration control efforts.

Now to the especially enjoyable part of this post. As you might have guessed, the "brain" (or lack thereof) behind this constitution squashing idea is none other than Rep. James Sensenbrenner. He's been known for outbursts in the past, including shutting the mic off at a hearing that he chaired so Democrats couldn't make their arguments in the time allotted. So, as you can imagine, the fact that his baby - REAL ID - is getting trounced from sea to shining sea, must be getting on his already frazzled nerves.

The good news is that it is, as evidenced by this report from Wisconsin's Capital Times. Apparently Sensenbrenner went nuts at what was supposed to be a friendly gathering of that endangered species called Republicans. It appears he's a little resentful that there has been a surprisingly BIPARTISAN effort to jettison REAL ID in states across the country...including his own:

The state's senior Republican at the federal level was furious with the top state Republican's moves to block implementation of the Real ID Act. And he suggested that Huebsch had abandoned Republican principles during the recent debate over the state budget repair bill. "We need to act like Republicans and vote like Republicans," the Menomonee Falls Republican declared, in a pointed jab at Huebsch, a West Salem legislator who leads an Assembly chamber that has a narrow Republican majority.


Sensenbrenner has led the push for Real ID, a federal law that demands states implement strict security, authentication and issuance procedures standards to limit access to state driver's licenses and state ID cards. Ostensibly, the program is designed to make state identification documents acceptable by the federal government for what the Department of Homeland Security describes as "official purposes."

But civil libertarians and strict-constructionist readers of the Constitution have objected to what they see as a "big-brother" initiative. And they have sought to stall development of the program. In Wisconsin, last week, Huebsch and other Republicans joined Democrats in backing a budget repair bill that strips Real ID of funding necessary for its implementation.

Click here to read the article in its entirety.

Tuesday, May 13, 2008

Information tags along everywhere you go - Critics worry about the security of RFID

Now this is the kind of reporting we need A LOT more of in this country. The Baltimore Sun's Liz F. Kay clearly was given a lot of time and newspaper space to really delve into the issue of the rapidly growing "world of RFID", and the myriad of privacy concerns associated with it.

Of course, there are many that see "conspiracy theorists" in anyone that doesn't necessarily share their view that every technological advancement is necessarily "good". The RFID debate has largely shaped up this way.

A common attack - utilized by those that worship at the altar of technological innovation - against those who view privacy as an inalienable right that's under an unprecedented assault goes something like this: "People that are worried about RFID oppose technological advancements (i.e. the "luddite" attack) and would rather just live in caves". Or, they "are conspiracy nuts that have watched too many episodes of the X-Files". Or in this case, that somehow we are against all uses of RFID, and don't recognize the numerous benefits and conveniences it offers (which just about everyone does).

Of course, these are ludicrous "Straw Men". If anyone takes the time to read the California bills that propose to regulate RFID use for instance, it becomes readily apparent that we're talking about basic, common sense precautions that incorporate the "better safe than sorry" mantra.

You know, the ones, like "let's make sure they're properly encrypted first", or the "let's ensure people have the right to "opt-in" before they can be monitored anywhere they go", or the "let's not start tracking children in school" idea. Do these really sound "anti-technology" or "conspiratorial"?

If you want to take a look at some of the current RFID bills CFC supports that are making their way through the legislature just click here, and check out SB 28, 29, 30, 31, and 388. Clearly there's nothing remotely "conspiratorial" about them. What's scary is that anyone would actually oppose them. I find it troubling that so many in our country seem so trusting of government and big business when it comes to allowing such invasions of our privacy through easy access to our personal information as well as location (in addition to identity theft).

Thankfully, in the case of this article, all angles are covered, leaving one with a much better understanding of the issue and the reasons why the privacy concerns surrounding RFID are valid, and fairly easily solvable.

The Baltimore Sun's Liz F. Kay reports:

The tiny silicon chips are embedded in credit cards, passports and other everyday items and can transmit data on where you go, what you buy and even who you are.


But as RFID technology spreads and grows cheaper, critics say the tags and the signals they emit are increasingly likely to be abused: by those who would spy on your movements, steal your identity or even target you in a terrorist attack. The concern has led to some paranoia - and Web sites full of bizarre advice on avoiding RFID snoops. But authorities are beginning to listen to RFID's serious critics.

The U.S. State Department, for example, incorporated metal shielding into the covers of new passports after critics demonstrated how information from the RFID tags embedded in the documents could be read clandestinely from a distance. Last year, California legislators enacted a law prohibiting employers from forcing their employees to implant RFID tags in their bodies.


But the real problem, critics say, is that RFID tracking is virtually invisible and undetectable by its subjects. "A lot of this is done not only without the consumer's knowledge - it's beyond the grasp of most consumers how it works. Nontechnical people don't know what the risks are. They just want to buy things and have their privacy and credit card numbers protected," said Avi Rubin, a Johns Hopkins University computer science professor who worked with Massachusetts researchers to crack the encryption scheme of the ExxonMobil Speedpass in 2005.


Even vocal RFID critics say the problem hasn't reached a crisis level - which makes it hard to argue their case. Lee Tien, senior staff attorney for the San Francisco-based Electronic Frontier Foundation, said those who raise the alarm realize how it would have felt to warn the public about air pollution the day the Model T was introduced.

The EFF has opposed use of the technology on several fronts. And as a parent, Tien spoke against a proposal for an enhanced California driver's license that could broadcast the name, address, height and weight of drivers - such as his 16-year-old daughter. But he doesn't oppose the technology itself. "I would honestly have no problem using RFID devices if I knew I could control who was going to read them," Tien said.


Unlike a bar code, an RFID tag doesn't have to be visible for a sensor to detect it. "You're making available over the airwaves something that's previously available only through line of sight," said Hopkins' Avi Rubin.


The distance at which an RFID tag can be read varies - from mere centimeters on no-swipe credit cards to hundreds of feet for tollbooth tags. For many applications, Tien said, all you have to do is "follow somebody into an elevator. You're close enough."


Retailers often use RFID to manage inventory and prevent theft. But critics say the tags aren't required after consumers leave the store with their merchandise - often unaware that the tags are still functional. The tags can be disabled, but most stores don't bother. On one hand, promoters say, retailers could keep RFID tags on clothing they've sold previously to identify regular customers as they enter a store and offer personalized service. On the other, critics say, an RFID tag embedded in a book might tell a snoop that a reader is carrying The Communist Manifesto or Catcher in the Rye in his backpack.


Critics note that it's relatively easy to conceal inexpensive readers - hand-held or smaller - that can pick up an RFID tag a foot or two away. They could create a trail of your movements - an almost Orwellian capability. "We spend our lives going through doorways. We are constantly channeled through, well, channels," Tien said. "That's where you can be easily tracked."

Click here to read the article in its entirety.

Monday, May 12, 2008

Domestic spying far outpaces terrorism prosecutions

You may want to sit down before you read this one. Ready? Ok, we now know that while "the number of Americans being secretly wiretapped" or having their records reviewed by the government continues to increase, "the number of terrorism prosecutions ending up in court" has declined.

Yes, you heard me correctly...more wiretapping, fewer prosecutions. So the question then is what other purposes are they using this program for? If nothing else we must use this to convince wavering Democrats that they absolutely MUST stay strong and refuse to give telecom companies immunity for their complicity in the administration's illegal wiretapping program.

Apparently two very prominent Democrats are working behind the scenes to create a "compromise" (as in give him everything) bill that the President will sign.

I'm speaking in particular of Rockefeller and Hoyer. In the case of these two integrity impaired legislators, I do know for sure that Rockefeller is running for re-election. Gee Jay, how's that influx of telecom contributions treating your campaign?

Needless to say, experts point out that these trends are evidence that "the government has compromised the privacy rights of ordinary citizens without much to show for it." Duhhh....

The Los Angeles Times reports:

These concerns come as the Bush administration has been seeking to expand its ability to gather intelligence without prior court approval. It has asked Congress for amendments to the 1978 Foreign Intelligence Surveillance Act to make it clear that eavesdropping on foreign telecommunications signals routed through the U.S. does not require a warrant.


The inspector general of the Justice Department has found numerous cases in which FBI agents failed to comply with rules and guidelines in issuing the letters, often gaining access to information they were not entitled to. The FBI has responded by taking a number of measures to tighten its internal procedures. Civil liberties groups say the new data reveal a disturbing consequence of the government's post-Sept. 11 expanded surveillance capabilities.

"The number of Americans being investigated dwarfs any legitimate number of actual terrorism prosecutions, and that is extremely troubling -- for both the security and privacy of innocent Americans as well as for the squandering of resources on people who have not and never will be charged with any wrongdoing," said Lisa Graves, deputy director of the Center for National Security Studies, a Washington-based civil liberties group.

Click here to read the article in its entirety.

Wednesday, May 7, 2008

Burger With a Side of Spies

Check this op-ed out in the New York Times today by Eric Schlosser, author of “Fast Food Nation” and “Reefer Madness”.

As you may have deduced from the title of the piece, the article focuses on recent revelations indicating that today's ubiquitous and all-seeing "Big Brother" doesn't just refer to Government, but to big business as well.

Whether it's Burger King or Walmart, you're being watched, dissected, and categorized like the walking dollar sign you are to them. Or in the case of this piece by Schlosser, there's something even more insidious at play here: the use of spying by Big Business to prevent challenges to their power and profits...even if it's just advocating for a decent wage.

Schlosser writes:

WHILE the Patriot Act has raised fears about government spying on ordinary citizens, the growing threat to civil liberties posed by corporate spying has received much less attention. During the late 1990s, a private security firm spied on Greenpeace and other environmental groups, examining activists’ phone records and even sending undercover agents to infiltrate the groups, according to an article in Mother Jones. In 2006 Hewlett-Packard was caught spying on journalists. Last year Wal-Mart apologized for improperly recording conversations with a New York Times reporter.

And now it turns out that the Burger King Corporation, home of the Whopper, hired a private security firm to spy on the Student/Farmworker Alliance, a group of idealistic college students trying to improve the lives of migrants in Florida.


The Bill of Rights was adopted to protect Americans from the abusive power of their government. I’ve come to believe that we now need a similar set of restrictions to defend against irresponsible corporate power. Today companies like Wal-Mart and ExxonMobil have annual revenues larger than the entire budgets of some states, and they employ former agents from the F.B.I., the C.I.A. and the Secret Service to do security work. Unlike government agencies, whose surveillance activities are supposed to be conducted according to strict guidelines and court orders, these private firms operate with a remarkable degree of freedom. At the moment, federal laws against the practice of “pretexting” — using a false identity to obtain personal information — apply only to financial and telephone records.

As Schlosser advocates, Congressional hearings on corporate espionage would be a great place to start. When corporations have grown to such power that they dwarf most nations, including many of our states, we need to start holding them to the same standards as we hold one another. If they continue to be given the same rights as human beings, shouldn't they be held to the same standards, with the same responsibilities?

Click here to read the article in its entirety.

Monday, May 5, 2008

Government wiretaps—the ones we know about—up 20% for 2007

Believe me, I'd like to start my week with just about ANY privacy-related headline other than this...but alas, the data for 2007 is in, and it's not pretty. Yes, government wiretapping drastically increased last year! This article details the new figures, as well as some of the demographics associated with the taps.

Nate Anderson of Ars Technica gives us the bad news:

The US last week released its 2007 wiretapping stats, and they show that such surveillance is up a full 20 percent over the year before. The number of non-secret wiretaps is higher than it has ever been in the last decade, and not a single application was denied in all of 2007.


The Justice Department also released information this week on secret warrants issued by the Foreign Intelligence Surveillance Court. These numbers are also rising, and have been going up since 2001; the increase is a dramatic one. In 2001, the Court approved only 1,012 applications, but approved 2,370 last year.

The ACLU said in a statement that "the ever-increasing reach of government surveillance should be disturbing to anyone committed to constitutional values. Pervasive surveillance, besides eroding the right to privacy, deters innocent people from participating in the political process and from exercising their freedoms of speech, association, and religion. It has a chilling effect on activity that is absolutely necessary to any democracy."

And neither of these wiretapping numbers have anything to do with the warrantless surveillance being conducted on phone and Internet traffic by the National Security Administration. So take back all that I said above about surveillance only being used on drug dealers with cell phones. The truth is that we simply don't know how much total government surveillance is being done, who is being looked at, and what sort of information is being examined. If Congress ends up granting the telecom companies that participated in the program the immunity they crave, we may never know.

You can rest assured that as soon as that debate over telecom immunity is re-engaged I will be on of now, the Dems stood strong and are clearly in a good position. All they must do now is avoid cutting some deal that "grabs defeat out of the jaws of victory".

Friday, May 2, 2008

6,000 UCSF patients' data got put online

It seems that I've written about this issue a lot in the past couple of weeks. It's not a good sign when health records keep getting breached...and it's the kind of information that is supposed to be protected under federal law. The growing concern over keeping medical information private has largely centered on such companies as Google and Microsoft, who will be privately offering such a data storage service in the near future - but without the legally mandated privacy protections (i.e. HIPAA).

But in this case, we are seeing that concern over one's private medical records transcends simply whether they are supposed to be legally protected or not - but whether they are at all. Just another day in the rapidly evolving world of electronically stored health records.

What's especially disturbing about this story is that it shows how health care institutions are tracking patients and their families for nonmedical reasons...such as that grand old quest for money! As if our "for profit health care system" didn't have enough problems, now we know that our local hospitals, nursing homes and hospices may be tracking us for fundraising, marketing, and advertising opportunities. Yuck...

The San Francisco Chronicle reports on the latest data breach:

Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft...

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online. The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

The consequences of health care data breaches can be significant, said experts. Sensitive information can be used by employers, health insurers and other entities to discriminate. Additionally, thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research and consumer education group. "To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."


The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes. Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.


In January, California began requiring health care providers to alert consumers if their medical information is breached. Swift notification is considered important so consumers can monitor credit reports and bills. According to Joanne McNabb, chief of the California Office of Privacy Protection, notice should be given "in the most expedient time possible, without unreasonable delay."


"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said. Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.

A federal privacy regulation known as HIPAA, the Health Insurance Portability and Accountability Act, sets standards to protect personal health information. Health care entities are allowed, for fundraising activities, to release to business associates - without explicit individual authorization - certain demographic information, such as names, addresses and dates of treatment, but not information about health or health care.


In the UCSF breach, the names of patients treated at four care units were released: chest and pulmonary, vascular surgery, pediatric surgery, and pediatric multiple sclerosis. "It seems they may have released more information than permitted," said Gail Sausser, a HIPAA consultant and adjunct professor of health law at Seattle University's School of Law.

Click here to read the article in its entirety.