By Ronald Campbell, Deborah Schoch
Thieves, hackers and careless workers have breached the medical privacy of nearly 32 million Americans, including 4.6 million Californians, since 2009.
Those numbers, taken from new U.S. Health & Human Services Department data, underscore a vulnerability of electronic health records.
These records are more detailed than most consumer credit or banking files and could open the door to widespread identity theft, fraud, or worse.
Consider the case of Tustin-based GMR Transcription Services Inc. The Federal Trade Commission alleges that in 2011 a GMR subcontractor put transcribed medical audio files on a computer server that was then indexed by Google.
The files contained patients’ medical histories, including psychiatric disorders, alcohol use and drug abuse. GMR settled the FTC lawsuit in January. In a statement after the settlement, GMR said the files were no longer searchable and that it was exiting the medical transcription business.
Despite ever-tighter federal regulations, “we recognize that sometimes security is still compromised,” said Dr. Jacob Reider, HHS’ deputy national coordinator for information technology.
The government is trying to combat potential privacy breaches with a carrot-and-stick approach. It’s offering early adapters of electronic health records advice, an online security assessment tool, even a “cybersecure” computer game to help them learn.
But it’s also threatening, and in rare cases imposing, big fines on insurers, hospitals or doctors that lose control of records.
In May, HHS levied a record $4.8 million penalty against New York-Presbyterian Hospital and its partner, Columbia University. The grounds: In September 2010 some 6,800 patients’ records were accidentally exposed to Internet search engines.
< That incident is one of 1,045 cases listed on HHS’ so-called “wall of shame,” a website mandated by the 2009 stimulus act that lists every health privacy breach affecting at least 500 individuals. Individual cases highlight just how weakly protected many medical records are: Hundreds of thousands, even millions of records are typically kept on a single computer. Those records, usually protected by a password, are often not encrypted. That makes them readable by anyone who can crack the password.
“There are some healthcare providers who are not going to have any problem” safeguarding electronic health records, said Pam Dixon, executive director of the World Privacy Forum (link is external) in San Diego. “There are other health care providers who are just like a sieve.”
The government does “provide good guidance,” said Justin Brookman, consumer privacy director at the Center for Democracy & Technology (link is external), a Washington, D.C., nonprofit that promotes online privacy. “But most of the breaches we’ve seen have been people not following” that guidance.
There is “a 1 percent chance of very bad things happening,” Brookman added. “It is foreseeable or should be foreseeable.”
Other examples:
- Sometime between Feb. 14 and March 27, 2014, computer “malware” captured information from three computers at the UC Irvine Student Health Center (link is external) and fed data involving 1,813 students – including names, addresses, insurance and bank information, as well as medical information – to unauthorized servers. UCI is upgrading its security.
- In October 2013, someone broke into a sixth-floor office in Alhambra and stole two laptops. The laptops contained information for 729,000 patients of AHMC Healthcare (link is external), which runs Anaheim Regional Medical Center and five hospitals in Los Angeles County. The computers contained patients’ names, Medicare and insurance identification numbers, diagnosis codes and insurance payments. Spokesman Gary Hopkins said there is no evidence patient information was ever used.
- In one of the biggest breaches in California history, an unencrypted desktop computer was stolen from the Sacramento administrative office of Sutter Medical Foundation (link is external) in October 2011. The computer contained personal medical information, including diagnoses and procedures, for 943,000 patients. In response, Sutter sped up efforts to encrypt its computers.
