Medical Info for Sale Online

In this article the News4 I-Team discovered how anyone with internet access and who is willing to pay just a few hundred dollars can easily have access to and purchase private medical records online.  This contributes to between “one and two million Americans being affected by medical identity theft each year”.

Read more in this article here and learn where stolen medical information goes, who is selling the information, and where they are getting it from in the first place.  Are YOU at risk?

 

Surgery photo leads to privacy lawsuit against Torrance Memorial

“A doctor put stickers on a patient who was under anesthesia, and a photo was taken. The lawsuit underscores how, despite hospitals’ rules, the pervasiveness of cellphones raises concerns about privacy.”

Quotes from Dr. Peel:

“‘The idea that people are using their cellphone or even have one in the operating room is crazy,’ said Dr. Deborah Peel, founder of Patient Privacy Rights, a nonprofit advocacy group in Austin, Texas. ‘It’s a massive security risk and incredibly insensitive to patients.’”

“In similar cases elsewhere, Peel said, hospital personnel often lose their jobs. In 2010, for instance, four employees at St. Mary Medical Center in Long Beach were terminated because they used cellphones to photograph a dead emergency-room patient and shared the photos with others, according to state records.”

To view the full article, please visit: http://www.latimes.com/business/la-fi-hospital-patient-privacy-20130905,0,7915045.story

Health data breaches usually aren’t accidents anymore

While the healthcare industry has made advancements in how they protect our most personal information, those trying to steal our electronic health records have become even more savvy as to how to access them.

Key Quotes from the Article:

“One of the biggest changes during the past decade is the data being targeted. Ten years ago, it was personal identifiable information. Now, said Rick Kam, president and co-founder of ID Experts in Portland, Ore., personal health information is being targeted, mainly because of the value it holds and the relative ease thieves have getting their hands on it.”

“94% of health care organizations have had at least one breach in the previous two years.Because data can now reside in multiple locations, including unsecured smartphones, laptops and tablets, and can be transported to an infinite number of locations, thieves, whether they be outside hackers, device stealers or people who try to use staff to share sensitive information, have more areas to target.”

Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit Documents, for over $1,000 Per Dossier

The value of personal health information is very high inside and outside of the US healthcare system. At the same time, the US healthcare industry as a whole does a terrible job of protecting health data security. Most health data holders (hospitals and insurers) put health data security protection dead last on the list for tech upgrades.
Besides the lack of effective, comprehensive data security protections, thousands of low-level employees can snoop in millions of people’s health records in every US hospital using electronic records.

The public expects that only their doctors and staff who are part of their treatment team can access their sensitive health records, but that’s wrong. Any staff members of a hospital or employees of a health IT company who are your neighbors, relatives, or stalkers/abusers can easily snoop in your records.
In Austin, TX the two major city hospital chains each allow thousands of doctors and nurses access to millions of patient records.
All this will get much worse when every state requires our health data to be “exchanged” with thousands more strangers. The new state health information exchanges (HIEs) will make data theft, sale,  and exposure exponentially worse.
Tell every law maker you know: all HIEs should be REQUIRED by law to ask you to agree or OPT-IN before your health data can be shared or disclosed.

Today:

  • -many states do not allow you to ‘opt-out’ of HIE data sharing
  • -most states do not allow you to prevent even very sensitive health data (like psychiatric records) from being exchanged

There is no way to trust electronic health systems or HIEs unless our rights to control who can see and use our electronic health data are restored.

The Verizon order, the NSA, and what call records might reveal about psychiatric patients

The NSA knows we are sick because we phone doctors’ offices.

As a mental health professional, Dissent Doe explains in her blog (below) how revealing phone call metadata is:

“Because my phone is used mainly for calls to and from patients and clients, can the NSA figure out who my patients are?  And could they, with just a query or bit of analysis, figure out when my patients were going into crisis or periods of symptom worsening?  I suspect that they can. And because I am nationally and internationally known as an expert on a particular disorder, could the government also deduce the diagnosis or diagnoses of my patients or their family members? Probably.”

There is a huge national media response to the NSA spying on Americans’ cell phone calls, but the media does NOT report on the far worse systemic corporate and government spying on the nation’s electronic health records.

The US healthcare system is engineered for hidden corporate and government surveillance of personal data about the minds and bodies of all 300 million Americans –from prescriptions to diagnoses to DNA—it’s all collected and sold.

The US media simply repeats industry and government talking points about the benefits of electronic health systems without reporting on the massive harms:

  • -Millions of patients/year avoid early diagnosis and treatment of cancer, depression, and sexually transmitted diseases because they know that information will not be private (see citations and statistics in:http://patientprivacyrights.org/wp-content/uploads/2010/08/The-Case-for-Informed-Consent.pdf)
  • -1/8 people hide health information because they know that information will not be private
  • -Should we use technology that causes millions to suffer bad outcomes?

2013 is a critical year: every state will share your health data with hundreds-thousands more hidden users via Health Information Exchanges (HIEs).

  • -Many states to not allow you to ‘opt-out’ of HIEs that exchange your health data.
  • -Most states do not allow you to prevent your most sensitive health information from being exchanged.
  • -So far, not one state gives patients control over data exchange.

SIGN PPR’s petition and say “no” to data exchange without your consent at: http://patientprivacyrights.org/2013/06/sign-the-petition-for-patient-controlled-exchange-of-health-information/

We need trustworthy technologies that put patients back in control of the use, disclosure, and sale of their sensitive health data.

  • -Patients have always controlled who could see and use paper medical records.
  • -Now institutions (corporations and government) control who can see and use the nation’s electronic health records.

Great existing technologies can fix badly designed electronic health systems, but we need new laws that require privacy-protective technologies are built into all electronic systems that handle health data.

Clouds in healthcare should be viewed as ominous- Quotes from Dr. Deborah Peel

A recent article in FierceEMR written by Marla Durben Hirsch quotes Dr. Peel about the dangers of cloud technology being used in healthcare. Dr. Peel tells FierceEMR that “There’s a lot of ignorance regarding safety and privacy of these [cloud] technologies”.

Here are a few key quotes from the story:

“It’s surely no safe haven for patient information; to the contrary it is especially vulnerable to security breaches. A lot of EHR vendors that offer cloud-based EHR systems don’t take measures to keep patient data safe. Many of them don’t think they have to comply with HIPAA’s privacy and security rules, and many of their provider clients aren’t requiring their vendors to do so.” (Hirsch)

“Many providers have no idea where the vendor is hosting the providers’ patient data. It could be housed in a different state; or even outside of the country, leaving it even more vulnerable. ‘If the cloud vendor won’t tell you where the information is, walk out the door,’ Peel says.”

“Then there’s the problem of what happens to your data when your contract with the cloud vendor ends. Providers don’t pay attention to that when they sign their EHR contract, Peel warns.”

“‘The cloud can be a good place for health information if you have iron clad privacy and security protections,’ Peel says. ‘[But] people shouldn’t have to worry about their data wherever it’s held.’”

OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The quotes below are from an article written by Alex Ruoff in the Bloomberg Health IT Law and Industry Report.

“Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information. Cloud computing solutions are seen as ideal for small health practices as they do not require additional staff to manage information systems, Peel said.
Cloud computing for health care requires the storage of protected health information in the cloud—a shared electronic environment—typically managed outside the health care organization accessing or generating the data (see previous article).
Little is known about the security of data managed by cloud service providers, Nicolas Terry, co-director of the Hall Center for Law and Health at Indiana University, said. Many privacy advocates are concerned that cloud storage, because it often stores information on the internet, is not properly secured, Terry said. He pointed to the April 17 agreement between Phoenix Cardiac Surgery and HHS in which the surgery practice agreed to pay $100,000 to settle allegations it violated HIPAA Security Rules (see previous article).
Phoenix was using a cloud-based application to maintain protected health information that was available on the internet and had no privacy and security controls.

Demands for Guidance

Peel’s group, in the Dec. 19 letter, called for guidance “that highlights the lessons learned from the Phoenix Cardiac Surgery case while making clear that HIPAA does not prevent providers from moving to the cloud.”

Peel’s letter asked for:
• technical safeguards for cloud computing solutions, such as risk assessments of and auditing controls for cloud-based health information technologies;
• security standards that establish the use and disclosure of individually identifiable information stored on clouds; and
• requirements for cloud solution providers and covered entities to enter into a business associate agreement outlining the terms of use for health information managed by the cloud provider.”

Patient privacy group (PPR) asks HHS for HIPAA cloud guidance

Government HealthIT recently wrote an article about Dr. Peel’s of Patient Privacy Rights’ letter to the HHS Office for Civil Rights pushing for security guidelines, standards, and enforcements for cloud technology being used in healthcare.

Here are a few key points highlighted in the article:

“Issuing guidance to strengthen and clarify cloud-based protections for data security and privacy will help assure patients (that) sensitive health data they share with their physicians and other health care professionals will be protected,” Peel said.

“Cloud-computing is proving to be valuable, Peel said, but the nation’s transition to electronic health records will be slowed ‘if patients do not have assurances that their personal medical information will always have comprehensive and meaningful security and privacy protections.’”

“Patient Privacy Rights, a group founded in 2006, is encouraging HHS to adopt guidelines that highlight ‘the lessons learned from the Phoenix Cardiac Surgery case while making it clear that HIPAA does not prevent providers from moving to the cloud as long as it is done responsibly and in compliance with the law.’”

“In general, Peel said, cloud providers and the healthcare industry at large could benefit from guidance and education on the application of federal privacy and security rules in the cloud. ‘HHS and HIPAA guidance in this area, to date, is limited,’ Peel said, recommending the National Institute of Standards and Technology’s cloud privacy guidelines as a baseline.”

Health-care sector vulnerable to hackers, researchers say

From the Wall Street Journal article by Robert O’Harrow Jr. titled Health-care sector vulnerable to hackers, researchers say

“As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews.

Security researchers warn that intruders could exploit known gaps to steal patients’ records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems.

A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.

“I have never seen an industry with more gaping security holes,” said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”"

Kravis Backs N.Y. Startups Using Apps to Cut Health Costs

The title should have been: “Wall Street trumps the Hippocratic Oath and NY patients’ privacy” or “NY gives technology start-ups free access to millions of New Yorkers sensitive health data without informed consent starting in February”.

Of course we need apps to lower health costs, coordinate care, and help people get well, but apps should be developed using ‘synthetic’ data, not real patient data. Giving away valuable identifiable patient data to app developers is very risky and violates patients legal and ethical rights to health information privacy under state and federal law—each of us has strong rights to decide who can see and use personal health information.

What happens when app developers use, disclose or sell Mayor Bloomberg’s, Governor Cuomo’s, Sec of State Hillary Clinton’s, or Peter Thiel’s electronic health records? Or will access to prominent people’s health records be blocked by the data exchange, while everyone’s else’s future jobs and credit are put at risk by developer access to health data?  Will Bloomberg publish a story about the consequences of this decision by whoever runs the NY health data exchange? Will Bloomberg write about the value, sale, and massive technology-enabled exploitation of health data for discrimination and targeted marketing of drugs, treatments, or for extortion of political or business enemies? Natasha Singer of the NYTimes calls this the ‘surveillance economy’.

The story did not mention ways to develop apps that protect patients’ sensitive information from disclosure to people not directly involved in patient care. The story could have said that the military uses “synthetic” patient data for technology research and app development. They realize that NOT protecting the security and privacy of sensitive data of members of the military and their families creates major national security risks.  The military builds and tests technology and apps on synthetic data; researchers or app developers don’t get access to real, live patient data without tough security clearances and high-level review of those who are granted permission to access data for approved projects that benefit patients. Open access to military health data bases threatens national security. Will open access to New Yorkers’ health data also threaten national security?

NY just started a national and international gold rush to develop blockbuster health apps AND will set off a rush by other states to give away or sell identifiable patient health information in health information exchanges (HIEs) or health information organizations (HIOs)—-by allowing technology developers access to an incredibly large, valuable data base of identifiable patient health information.  Do the developers get the data free—or is NY selling health data? The bipartisan Coalition for Patient Privacy (represents 10.3M people) worked to get a ban on the sale of patient health data into the stimulus bill because the hidden sale of health data is a major industry that enables hidden discrimination in key life opportunities like jobs and credit. Selling patient data for all sorts of uses is a very lucrative industry.

Further, NY patients are being grossly misled: they think they gave consent ONLY for their health data to be exchanged so other health professionals can treat them. Are they informed that dozens of app developers will be able to copy all their personal health data to build technology products they may not want or be interested in starting in February?

Worst of all the consequences of systems that eliminate privacy is: patients to act in ways that risk their health and lives when they know their health information is not private:

  • -600K/year avoid early treatment and diagnosis for cancer because they know their records will not be private
  • -2M/year avoid early treatment and diagnosis for depression for the same reasons
  • -millions/year avoid early treatment and diagnosis of STDs, for the same reason
  • -1/8 hide data, omit or lie to try to keep sensitive information private

More questions:

  • -What proof is there that the app developers comply with the contracts they sign?
  • -Are they audited to prove the identifiable patient data is truly secure and not sold or disclosed to third parties?
  • -What happens when an app developer suffers a privacy breach—most health data today is not secure or encrypted? If the app developers signed Business Associate Agreements at least they would have to report the data breaches.
  • -What happens when many of the app developers can’t sell their products or the businesses go bust? They will sell the patient data they used to develop the apps for cash.
  • -The developers reportedly signed data use agreements “covering federal privacy rules”, which probably means they are required to comply with HIPAA.  But HIPAA allows data holders to disclose and sell patient data to third parties, promoting further hidden uses of personal data that patients will never know about, much less be able to agree to.  Using contracts that do not require external auditing to protect sensitive information and not requiring proof that the developers can be trusted is a bad business practice.

NY has opened Pandora’s box and not even involved the public in an informed debate.