Leader of Hospital Identity Theft Ring Sentenced

It’s impossible to stop the tsunami of fraud, ID theft, and medical ID theft until we rebuild US health IT systems to prevent open access to millions of patient records by thousands of hospital and insurance company employees.
Systems should be re-built to allow ONLY those few people who are directly involved with a patient’s treatment to access their health records.

  • ONLY those who carry out the orders of the patient’s physician should be able to access that patient’s electronic health records.
  • The other hundreds or thousands of hospital system employees and staff members should not be physically or technically able to access that patient’s records.
  • When a patient is admitted, one physician is in charge of diagnosis and treatment.
  • All people the attending physician orders to treat the patient (nurses, consultants, respiratory therapists, etc.) work for that physician, the “captain of the ship”.

Health data cannot possibly be protected when thousands of people have access to millions of patient records.  Employees of the hundreds of separate health technologies used by every hospital also have open access to millions of patient records.
The more people have access to sensitive personal health data, the easier it is to steal, sell, or misuse.
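
The access rule described above, sketched as an added example (not code from the original post or from any real hospital system): read access is derived only from the attending physician's orders, everyone else is denied by default, and every decision is logged. The class and identifier names are hypothetical, the staff and patient IDs are constructed, and ending access at discharge is an assumption the post does not state.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Admission:
    patient_id: str
    attending: str                                    # the one physician in charge
    ordered_staff: set = field(default_factory=set)   # staff named in the attending's orders
    discharged: bool = False

class RecordGate:
    """Hypothetical gate in front of the record store: deny unless on the care team."""
    def __init__(self):
        self.admissions = {}   # patient_id -> Admission
        self.audit = []        # every decision, allowed or denied

    def admit(self, patient_id, attending):
        self.admissions[patient_id] = Admission(patient_id, attending)

    def order(self, issuer, patient_id, staff_id):
        adm = self.admissions.get(patient_id)
        if adm is None or adm.discharged or issuer != adm.attending:
            raise PermissionError("only the attending physician can add care-team staff")
        adm.ordered_staff.add(staff_id)

    def discharge(self, patient_id):
        self.admissions[patient_id].discharged = True   # assumption: access ends here

    def can_read(self, staff_id, patient_id):
        adm = self.admissions.get(patient_id)
        allowed = (adm is not None and not adm.discharged
                   and (staff_id == adm.attending or staff_id in adm.ordered_staff))
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, staff_id, patient_id, allowed))
        return allowed

def denied_attempts(gate):
    """Count denied reads per staff member, the signal a privacy office would review."""
    counts = {}
    for _, staff, _, allowed in gate.audit:
        if not allowed:
            counts[staff] = counts.get(staff, 0) + 1
    return counts

def demo():
    gate = RecordGate()
    gate.admit("pt-001", "dr-lee")                     # constructed sample data
    gate.admit("pt-002", "dr-shah")
    gate.order("dr-lee", "pt-001", "rn-ortiz")
    results = [gate.can_read("rn-ortiz", "pt-001"),    # ordered by the attending
               gate.can_read("rn-ortiz", "pt-002"),    # no order for this patient
               gate.can_read("clerk-77", "pt-001")]    # no treatment role at all
    gate.discharge("pt-001")
    results.append(gate.can_read("rn-ortiz", "pt-001"))
    return results, denied_attempts(gate)
```
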

Health records lost, stolen or revealed online

From the Chicago Tribune Article: Health records lost, stolen or revealed online

“Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.

Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.

One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation’s health program for military members, their families and retirees.

Some breaches have resulted in personal information being revealed online. The names and diagnosis codes of almost 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., were posted on a commercial website for nearly a year before it was discovered in September and taken down…

Dr. Deborah Peel, founder and chair of Patient Privacy Rights, a consumer group, would like to see more help for those whose information is breached and tougher punishment for those responsible. The BlueCross BlueShield of Tennessee settlement amounted to “roughly a dollar per breach record, which is nothing,” she said.

Re: BCBS Breach in Tennessee

The Office of Civil Rights in the Dept of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee.

One million people’s protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The settlement cost BCBS a little more than $1.00 per person—hardly a deterrent to other corporations or adequate punishment. However, that amount happens to be the same as the highest possible fine permitted by law (HITECH).

Still it appears that criminal charges could have been filed for “willful disregard” rather than OCR accepting a settlement. OCR’s finding that legally-required “adequate administrative and physical safeguards” were lacking is evidence of “willful neglect”.

Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. OCR could have also required BCBS to mitigate future patient harms, but didn’t. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records.

Why didn’t OCR propose that BCBS adopt remedies to protect the patients whose records were breached from further misuse and theft?  Shouldn’t OCR help protect victims?

Re: Release of Ponemon “Benchmark Study on Patient Privacy and Data Security” on Nov 9th

Today’s new Ponemon study catalogs the health care industry’s massive indifference to keeping patients’ health data secure.

View the Ponemon Study Press Release

This is not a new problem. The lack of ironclad data protection and security has been a setup for catastrophe from the beginning. If banks handled the security of financial records as badly as hospitals handle health records, they would have been shut down.

Why is abysmal security for health data tolerated, when it is far more sensitive than financial records and also contains financial and demographic information?

The study details the lack of comprehensive technical protections, the lack of adequate staff, the lack of adequate funding, and the lack of encryption. It even found that 53% of health care organizations are “not confident” they know where patient data is actually located.

It’s painful to read such graphic detail about the breathtaking, systemic disregard for patient data protections. Page after page of awful statistics should make the public and government pause before spending $39 billion of stimulus funds on such fatally flawed systems.

Relentless industry promotion of health IT seems to override the lack of adequate data protection and common sense.

Here are a few statistics from the study:

  • The total economic burden of data breaches on US hospitals is $12 billion per year.
  • 69% of health care organizations can’t prevent or detect data breaches
  • 71% of health care organizations have inadequate resources to deal with data breaches or improve their systems and technology
  • 70% of hospitals said that data protection is not a priority
  • Strikingly, 41% said that data breaches were discovered by patients, which appears to be low because another 19% of breaches were discovered because of legal complaints and 8% by law enforcement. Both legal actions and law enforcement complaints were also probably because patients discovered breaches and sought help, making the total of patient-discovered breaches closer to 68% than 41%.

If 41-68% of patients reported breaches, they must have suffered direct harms, such as data exposure leading to humiliation/embarrassment, identity theft, or medical identity theft.

Shouldn’t the government spend the stimulus billions on systems that DO ensure data security and EMPOWER patients to selectively disclose sensitive health information only to those they trust?