Steady Bleed: State of HealthCare Data Breaches — Comments

Comments on Information Week Article: Steady Bleed: State of HealthCare Data Breaches

This is a very ominous story. As every state rushes to connect offices and hospitals with weak security and privacy together to exchange data, the federal government is giving doctors and hospitals tens-to-hundreds of thousands of dollars to install electronic health records that also lack ironclad security and also prevent patients from controlling their records. Hooking systems of ‘weak links’ to thousands of new systems that are also ‘weak links’ is a prescription for disaster.

Like the author, Patient Privacy Rights has been pointing out the abysmal state of health data security for years. What the author does not know is Congress LISTENED TO PATIENTS. Senator Snowe deserves credit for these consumer protections because she refused to allow the meaningful breach protections she crafted to be weakened. Powerful support by the bipartisan Coalition for Patient Privacy (see our letter to Congress) helped convince Congress to put Senator Snowe’s tough breach reporting and tough penalties into the stimulus bill. Perhaps now those who hold our sensitive health data will start to take security seriously.

What is really new in this story are FairWarning’s report about the very high monthly frequency of breaches in doctor’s offices and major hospitals in the US and across the world. The statistics from FairWarning show clearly that the number of breaches officially reported to HHS are just the tip of the iceberg. See quotes:

  • 200-bed hospital with a few small clinics, Rurally based: 24 confirmed incidents [breaches] per month.
  • U.S. based physician practice with 20 clinics metro and rurally dispersed: 29 confirmed incidents [breaches] per month.
  • UK based teaching hospital in major metropolitan area as well as rurally based facilities: 130 confirmed incidents [breaches] per month
  • Top 50 U.S. Health System with multiple affiliated hospitals and clinics – Based in a major metropolitan area: 125 confirmed incidents [breaches] per month.

You can see reported breaches to HHS affecting 500 or more here:

Proposed United States medical privacy rules deemed inadequate

In Tennessee, the theft of 57 computer hard drives at a health insurance call center exposed personal information on as many as one million people. In Virginia, the hacking of a government prescription database compromised millions of records. In California and beyond, celebrity peepers have snooped on the medical particulars of stars.

This is already a digitized world, as the health system juggles vast volumes of the most deeply private information. Add to that the acceleration in US doctors’ offices of electronic record-keeping, spurred by hefty aid from a government eager to reap efficiencies in medical care.

Trying to keep all of that information properly corralled is a tall order. And President Barack Obama’s administration has backtracked on a major attempt to sort out the thicket of privacy rules supporting that effort.

The Health and Human Services Department published a set of regulations governing how health care providers must respond when medical privacy is breached. The rules, although not final, had the force of law. But now the department is retracting them. “This is a complex issue,” the department said by way of understatement.

Privacy advocates and members of Congress had sharply criticized the controls as inadequate. After a period of reflection — and reportedly pressure from the White House — the department appeared to agree…

Watchdogs asserted that health professionals should not be the judge of whether a breach is significant enough to a patient’s livelihood or reputation. “That puts the foxes in charge of the hen coops,” says Dr. Deborah C. Peel, founder and chair of the Patient Privacy Rights Foundation, which presses for strict consumer safeguards. “It shows the incredible overbearing influence of industry in the crafting of regulations. The idea that someone else knows when you’re harmed better than you do, doesn’t make sense.”