How Medical Identity Theft Can Give You a Decade of Headaches

See the full article at How Medical Identity Theft Can Give You a Decade of Headaches.

This article tells us a cautionary tale about how Arnold Salinas had his identity stolen by someone who took out medical care in his name. Now, any time he gets medical treatment, he has to be extremely careful that his records are actually his own or face the possibility that he will get the WRONG treatment.

“Medical identity theft affected an estimated 1.5 million people in the U.S. at a cost of $41.3 billion last year, according to the Ponemon Institute, a research center focused on privacy and data security. The crime has grown as health care costs have swelled and job cuts have left people without employer-subsidized insurance. Making matters worse: The complexity of the medical system has made it difficult for victims to clear their name.”

It is so important that patients control and are kept abreast of their medical records, but the current system does not make this easy. According to the article, medical identity theft cases are some of the most difficult to solve and can take years. What makes it so difficult is that “‘…you have to go provider by provider, hospital by hospital, office by office and correct each record,’ said Sam Imandoust, a legal analyst with the Identity Theft Resource Center. ‘The frustrating part is while you’re going through and trying to clean up the records, the identity thief can continue to go around and get medical services in the victim’s name. Really there’s no way to effectively shut it down.’” Another problem is even finding out your identity has been stolen. According to Pam Dixon, founder of World Privacy Forum, “the fractured nature of the health care system makes medical identity theft hard to detect. Victims often don’t find out until two years after the crime, and cases can commonly stretch out a decade or longer.” Banks and other institutions are used to dealing with identity theft, but the medical industry isn’t equipped to handle this kind of infringement.

Two University of Miami Hospital Employees May Have Stolen & Sold Patient Data

To view the full Miami Herald article, please visit: Two University of Miami Hospital Employees May Have Stolen & Sold Patient Data

Two hospital employees are accused of stealing thousands of “face-sheets” from the University of Miami Hospital over a 22-month period. These “face-sheets” included information such as name, address, reason for visiting, insurance policy number (note: Medicare and Medicaid use SSNs as insurance policy numbers), date of birth and the last four digits of the social security number. The employees have admitted to their improper conduct and were terminated immediately, but the lasting damage of the stolen information is still being addressed by the hospital and there is no information about how many of these sheets may have been taken. In a statement released by the hospital, it was revealed that there is “no indication that medical records are at risk”.

Patient Trust in Confidentiality Affects Health Decisions

To view the full article by Pablo Valerio, please visit Enterprise Efficiency: Patient Trust in Confidentiality Affects Health Decisions

This article highlights a survey sponsored by FairWarning that looks at how “patient privacy considerations impact the actual delivery of healthcare” in the UK and US.

Key quotes from the story:

-“CIOs and healthcare providers need to ensure the best security, not only because it is the law, but because data breaches actually affect how honest a patient might be with a doctor and how quickly they will seek medical attention.”

-“It is not enough to comply with government regulations about data protection. If a data breach occurs patients are not going to check if the institution was following rules, they are going to blame their executives for allowing the breach to happen, regardless of the reasons.”

The survey, “UK: How Privacy Considerations Drive Patient Decisions and Impact Patient Care Outcomes; Trust in the confidentiality of medical records influences when, where, who and what kind of medical treatment is delivered to patients” cited in the article below compares attitudes about health information privacy in the UK and US.

Some key UK findings are:

-38.3 percent stated they have or would postpone seeking care for a sensitive medical condition due to privacy concerns

-More than half of patients stated that if they had a sensitive medical condition, they would withhold information from their care provider.

-Nearly 2 out of 5 stated they would postpone seeking care out of privacy concerns.

-45.1 percent would seek care outside of their community due to privacy concerns

-37 percent would travel… 30 miles or more, to avoid being treated at a hospital they did not trust

US vs UK patients:

-UK patients are almost twice as likely to withhold information from their care provider…if they had a poor record of protecting patient privacy.

-4 out of 10 UK patients versus nearly 3 out of 10 US patients … would put off seeking care … due to privacy concerns.

-97 percent of UK and US patients stated chief executives and healthcare providers have a legal and ethical responsibility to protect patients’ medical records from being breached.

Attackers Demand Ransom After Encrypting Medical Center’s Server

To view the full article by John E. Dunn, please visit CIO: Attackers Demand Ransom After Encrypting Medical Center’s Server

What happens to patients when their doctors can’t get their records because thieves encrypted them? Federal law has required strong health data security protections since 2002, but 80% of hospitals and practices don’t encrypt patient data. If The Surgeons of Lake County had been following the law and encrypted their records, this attack could not have happened.

Health Care Reform: Let’s Not Forget Privacy And Data Security

See the full article at Forbes.com: Health Care Reform: Let’s Not Forget Privacy And Data Security

The Affordable Care Act poses many new threats to patient privacy due to an already overloaded health care system. The influx of new consumers in this market will cause much stress on the already insufficient data privacy infrastructure. Bob Gregg, guest writer for Forbes.com, explains the strains and consequences caused by this new legislation.

“The Supreme Court’s decision to uphold the Affordable Care Act could guarantee health insurance coverage for the majority of the 50 million Americans who are now uninsured. While laudable in theory, this legislation doesn’t account for the strain these millions of new patients will have on an already overburdened healthcare ecosystem, especially when it comes to patient privacy and data security.”

Mr. Gregg looked to Patient Privacy Rights’ own founder, Dr. Deborah Peel, to explain what kind of ramifications this act will have for patients and their data privacy.

“My friend, Dr. Deborah Peel, founder of Patient Privacy Rights, tells me that ‘patients have no control over who sees or sells personal health information. Our health data is held in hundreds or thousands of places we have never heard of because of hidden data flows.’ Thousands of people, including researchers and government agencies, she says, have easy access to this information.”

The article goes on to list the four major issues this new burden on the health care system will cause and how it will affect consumers. The bottom line, he says, is “…The Affordable Care Act is designed to make healthcare available to the masses. But that availability comes at a price. Healthcare providers will have to shift tight budgets toward patient care and away from protecting patient privacy, leaving Americans vulnerable to the increasing frequency and cost of data breaches, medical identity theft, and fraud. Combine that with the HITECH Act, federal legislation that pushes healthcare providers into adopting EHR systems, and you have a perfect storm for unintended consequences surrounding patient privacy and data security.”

For even more information on how you can help keep patient data private visit our International Summit on the Future of Health Privacy website.

How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

See the full article at ProPublica.org: How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

Sobering. Silicon Valley decides what privacy rights we have online, in clouds, in electronic health systems, in apps, on social media, and on mobile devices. Our fundamental Constitutional rights to privacy—to control personal information about our lives, minds, and bodies—are defended by lone grad students, European Data Commissioners, a few small privacy advocacy organizations, the FTC, and a handful of whistleblowers.

A PREDICTION: Selling intimate cyber-profiles will end when the public discovers that NOTHING about their minds and bodies is private.

The lack of control over sensitive health data will be the nation’s wake-up call to rein in Silicon Valley and restore the right to be ‘let alone’. See: Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 572 (1928) (Brandeis J., dissenting).

  • Cyber-profiles of our minds and bodies contain far more sensitive information than mothers, lovers, friends, Rorschach tests, or psychoanalysts could ever reveal.
  • “If you are not paying for it, you’re not the customer; you’re the product being sold”, see Andrew Lewis at: http://www.metafilter.com/user/15556.
  • 35-40% of us are “Health Privacy Intense”—a very large minority; see Westin’s keynote slides from the 1st International Summit on the Future of Health Privacy: http://tiny.cc/9alvgw

THE TIPPING POINT will be when the public discovers that electronic health systems facilitate cyber-theft, data mining, data sales, ‘research’ without consent, and allow thousands of strangers to snoop in millions of patient records (think George Clooney and more: http://www.foxnews.com/story/0,2933,348988,00.html).

Health data is the most sensitive personal information on Earth. Everything from prescription records to DNA to diagnoses is a HOT BUTTON.

Instead of enabling patients to decide which physicians or researchers they want to see their health records, corporate and government data holders decide who can use and sell Americans’ sensitive health data—upending centuries of law and ethics based on the Hippocratic Oath, which requires physicians to ask consent before disclosing any information.

The Rising Risk of Electronic Medical Records

See the full story at SmartPlanet: The Rising Risk of Electronic Medical Records

This story quotes Lee Tien, Bob Gellman, and me about health information technology, which prevents us from controlling who can see, use, or sell our electronic health data by design—placing everyone in the nation at risk of job and credit discrimination based on health data. Current technologies make hidden data flow easy, with no way for patients to opt out or prevent personal data from flowing to an unlimited number of hidden corporate, government, for-profit research and data analytics users.

“Criminals can buy social security numbers online for about $5 each, but medical profiles can fetch $50 or more because they give identity thieves a much more nuanced look into a victim’s life, said Dr. Deborah Peel, founder of the advocacy group Patient Privacy Rights, which researches data breaches and works for tighter security on people’s personal health records.”

Discrimination causes millions to avoid medical treatment every year. It’s a fact of life with paper medical records too. But electronic health systems enable thousands of strangers to simultaneously access the records of millions of patients, so the theft, sale, and misuse of health data for discrimination, fraud, ID theft, and medical ID theft has skyrocketed. In paper records systems, patient files are kept in locked rooms or filing cabinets, making it hard to use or steal more than a few at a time. Anti-discrimination laws alone aren’t effective—we also need to know who has copies of our health data and be able to control who gets them.

“‘If the information leaked to an employer, it would have affected their jobs or reputations. All the time I’ve been practicing, it’s been a very important and delicate issue,’ Peel said. ‘There are prejudices associated with psychiatric diagnoses. People have powerful reactions to the names of these things.’ … Once genetic profiles are routinely added to the mix, access to electronic health data may predetermine who can get jobs or serve in public office, Peel warned… ‘If the world looked like that,’ Peel said, ‘Lou Gehrig would never get a contract to be a ball player if the team knew he had a disease that would degenerate his muscles, or Ronald Reagan would never get elected president if they knew dementia ran in his family.’”

Strong new laws are needed to prevent our health data from being used or sold without consent.  We should also have a complete ‘chain of custody’, naming every person and organization that has seen or copied our health information. Without these new legal rights, it’s impossible to decide whether the benefits of using health IT outweigh the risks to our future jobs and opportunities, to our kids’ future jobs and opportunities, and to our grandkids’ and relatives’ future jobs and opportunities.

FYI—HIPAA has NOT protected health data privacy since 2002; it is really a ‘Disclosure’ Rule, not a ‘Privacy’ Rule. See how consent, the right to control who can see and use your health information, was eliminated: http://patientprivacyrights.org/media/The_Elimination_of_Consent.pdf

BOTTOM line: existing technology solutions that enable us to control who sees our records are not required. Instead, the stimulus billions are being used to buy ‘Model T Fords’ that prevent patient control over personal data. Government and corporations (inside and outside healthcare) don’t want to ‘ask first’ before taking our most sensitive personal information.

Help build a map to show where health data flows:  Sign up to be a data detective and contribute to mapping the hidden flows of Americans’ health data at: theDataMap.org. A map of health data flow will prove Congress should act NOW to restore personal control over health data.

Can Privacy & Electronic Medical Records Coexist? — Quotes PPR

An article written at Pacific Standard discusses the struggle to maintain patient privacy when electronic health records are becoming the norm. To view the full article, please visit Can Privacy & Electronic Medical Records Coexist?.

A few key quotes from the story:

“…researchers have to figure out how to digitize some of your most sensitive personal information to make it easily accessible to you and your doctors without compromising your privacy before the many other parties who might also like to peek at this data. Researchers lament that it’s currently impossible to track all of the places your digital medical information travels once you leave the doctor’s office. Certainly, pieces of it are shared with your doctor’s office, your doctor’s hospital, your insurance company, your pharmacist and the pharmaceutical company that makes your medicine. Your personal information may also be anonymized and aggregated with other patients to produce data sets used by researchers or traded on the commercial market.”

“Researchers and industry innovators gunning for that 2014 deadline have to figure out how to set all of this information free — when it comes to maximizing the benefit to you as a patient — while, on the other hand, keeping it under some kind of control. And it’s not entirely clear how that architecture might look.”

“‘My big fear is that if we don’t build these systems right, people won’t see doctors,’ said Deborah Peel, the executive director of Patient Privacy Rights and the moderator of the conference discussion.”

20 Million Affected by Health Breaches

See full story at Govinfosecurity.com: 20 Million Affected by Health Breaches

“The federal tally of individuals affected by major healthcare information breaches since September 2009 now exceeds 20 million. But two recently reported major incidents, estimated to have affected a combined total of more than 675,000, have yet to make the list, which now includes 435 incidents.

As of May 23, the breach list includes 29 incidents in 2012 affecting a total of about 935,000. By far the largest of those breaches is a Utah Department of Health hacking incident affecting 780,000 individuals, including Medicaid clients, Children’s Health Insurance Plan recipients and others.”

Targeted attacks cost companies an average of $200k

See the full article at SC Magazine: Targeted attacks cost companies an average of $200k

It always costs more to repair than to prevent. The curious thing is that federal law mandated basic security protections in HIPAA, but industry never bothered because the law was never enforced.

Here we are 12 years after the HIPAA Privacy Rule was implemented:

· the Coalition for Patient Privacy got MUCH tougher security rules and enforcement into HITECH

· breaches are rampant

· 80% of hospitals still don’t encrypt data

What’s wrong with this picture? Register for the 2nd International Summit on the Future of Health Privacy June 6-7 in Washington, DC – attending or watching via live streaming video is free: http://tiny.cc/p4fqew. Security technologies are critical for privacy—see top US computer scientists discuss “ideal” technologies for health data privacy and security.