Texas Error Exposed Over 13 Million Voters’ Social Security Numbers

See the full article in DataBreaches.net: Texas Error Exposed over 13 Million Voters’ SSNs

This story shows it’s easy to disclose the social security numbers of 13 million people at once. The data came from Texas’ voter registration database, which was attached to a court report, BUT security breaches of the personal health information of millions of patients are also very common (see recent Utah and BCBS of TN breaches). Today’s electronic systems enable many new ways to breach data security and expose personal information.

The story below is about a government employee who attached over 13 million SSNs to a report and sent it to a third party without anyone else reviewing his/her actions before the data was disclosed. Where should the bar be set for disclosing personally identifiable information in any report? At 1 million records? At 100 million records?

Most of the US health care system lacks effective protocols and procedures to protect data security and to prevent inappropriate data release and data breaches. Health data privacy and security require comprehensive and meaningful protections. We have a long way to go. Vastly expanding health IT systems before these problems are solved is a prescription for more data

Patient ID information stolen at Memorial hospitals

See full story in the SunSentinel: Patient ID information stolen at Memorial hospitals

“Patients of Memorial hospitals in south Broward County had their identities stolen by employees who wanted to use the information to make money filing phony tax returns, Memorial officials said Thursday.

Two employees have been fired and are under criminal investigation by federal agents for improperly gaining access to the patients’ information, said Kerting Baldwin, a spokeswoman for tax-assisted Memorial Healthcare System, parent of five Memorial hospitals.

Memorial sent letters Thursday to about 9,500 patients whose identities may have been exposed by the two employees. Baldwin could not say how many of the 9,500 identities were stolen or whether any of them were misused to file false tax returns.”

Health privacy issues can be resolved without obstructing care

See full article in FierceHealthIT: Health privacy issues can be resolved without obstructing care

Ken Terry writes about the big issues with patient privacy today and possible solutions.

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices.
Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.”

PPR in the Wall Street Journal

The Journal Report of The Wall Street Journal featured Patient Privacy Rights’ founder in a debate about Unique Patient Identifiers (UPIs). Deborah C. Peel, MD, founder & chair of Patient Privacy Rights, opposes UPIs, pointing out there are better electronic records systems that allow patients to control data exchanges for treatment and other approved uses.

You can read both sides of the debate at this link: “Should Every Patient Have a Unique ID Number for All Medical Records?”

While voting remains open, the scores have remained fairly static over the past month showing a clear victory. Deborah Peel, MD has won the debate for Patient Privacy Rights, exposing the dangers of UPIs in electronic health record systems. If you have not already, you can still vote “No” to UPIs, and help protect patients, privacy, and progress toward patient-controlled electronic health records. If you are in the main article, voting takes place on the left side of the screen below the picture of Michael Collins. You can also use this direct link to vote after reviewing the full debate.

To dispel the myths of UPIs:

  • Trying to separate UPIs from financial records would be like trying to separate SSNs from everything they have been linked to, including medical records!
  • UPIs will give government, industry, data miners, and others greater ability to collect all health information on individuals. Imagine giving everyone a unique financial identifier that they would use for all credit cards, banks, retailers, and other financial institutions. Would you feel your money was secure?
  • A surprising number of patients already do not trust a paper-based system, and fear for their privacy even more with expanding Health IT. Having a UPI takes away the idea of patient control and consent, creating one very easy and obvious way for anyone with the means necessary to look up a patient’s full health record. Patients will only accept a system they can control.

We do our work to improve health care by protecting patient privacy. We encourage you to protect your own privacy rights by voting now.

Physician’s computers were stolen

See the full story from MySanAntonio.com: Physician’s computers were stolen

“Five computers containing medical and personal information of more than 3,000 patients were stolen from a Stone Oak physician’s office in October.

Dr. Sudhir Gogu of the Stone Oak Urgent Care & Family Practice said the computers were stolen after an office door had been pried open sometime during the weekend of Oct. 22-23, according to the police report.

A San Antonio Police Department spokesman said in an email Wednesday that the computers have not been recovered and there have been no arrests…

…Dr. Deborah Peel, founder and chairman of Patient Privacy Rights, an organization focused on putting people in control of their electronic health information, called medical identity theft a dangerous crime.

“It typically costs the average victim at least $20,000, and health plans typically increase your premiums … or may even cancel your coverage,” Peel said.

Peel criticized the health industry for failing to take data protection seriously.

“It’s estimated that 80 percent of hospitals don’t encrypt data,” she said. “Can you imagine if your banks didn’t encrypt and keep your financial information secure? We wouldn’t even let them be banks.””

The Case for Informed Consent

Austin, TX — Patient Privacy Rights (PPR), the nation’s leading health privacy watchdog, released a white paper entitled, “The Case for Consent: Why it is Critical to Honor What Patients Expect: for Health Care, Health IT and Privacy.” The paper is designed to be a primer on health privacy and argues that the primary stakeholder in health care, the patient, must retain control over their personal health information. The white paper is available online at http://patientprivacyrights.org/wp-content/uploads/2010/08/The-Case-for-Informed-Consent.pdf.

The white paper tackles the arguments made that patient control is too technically difficult, is too expensive, or is too complex, among others. In fact, robust privacy-enhancing technologies are in use now that ensure both progress and privacy. Technology can enable control over personal health information today and likely simplify our systems and lower costs.

“Patients know what they want,” says Patient Privacy Rights’ founder, Deborah Peel, MD. “It is a mistake to design health IT in a paternalistic manner — assuming a corporation, vendor, provider or government agency knows what is best for each individual patient.”

View the white paper: The Case for Informed Consent

EMR Data Theft Booming

Acceleration in the use of electronic medical records may lead to an increase in personal health information theft, according to a new study that shows there were more than 275,000 cases of medical information theft in the U.S. last year.

Unlike stealing a driver’s license or a credit card, data gleaned from personal health records provides a wealth of information that helps criminals commit multiple crimes, according to Javelin Strategy & Research, a Pleasanton, California-based market research firm.

Sheriff: ID theft ring pilfered files at NU physicians’ group

They boasted of their purchases in Facebook photos that showed them flashing shiny jewelry while eating at Ruth’s Chris Steakhouse in their brand-name outfits — the tags still attached, authorities said.

In what Cook County Sheriff Tom Dart described as a “sophisticated identity-theft ring,” a janitor stole data from as many as 250 patient files at a Northwestern University physicians’ group and, with the help of her two sisters and friends, used the personal information to charge more than $300,000 in jewelry, furniture, appliances and electronics. They sold the goods to friends and relatives, pocketing the profits, the charges alleged.

Seven suspects have been arrested, while three others, including janitor Tijuana Leonard, are wanted on felony warrants, according to the sheriff’s office.

“They had it down to a science,” Dart said. “They performed it like a job.”

While working the night shift for Millard Cleaning Service, Leonard, 33, of Chicago, stole personal information from patient files in the Northwestern Medical Faculty Foundation’s offices and passed it along to others, Dart said.

Hospital Workers Sharing Music? They May Also Be Sharing Your Medical Records

Health care workers using Gnutella or other peer-to-peer (P2P) networks to share music and video may be putting you at risk for medical identity theft, Dartmouth researchers find.
If Pres. Obama has his way, the medical records of every American will be digitized by 2014. The stimulus package (read the text here) includes $19 billion in funding to pay for the effort and calls for the appointment of a chief privacy officer to advise the U.S. Department of Health and Human Services on how best to protect this sensitive information. If a new study of how easily your medical records can be found online by others is any indication, the new chief privacy officer (to be appointed over the next 12 months) will have his work cut out for him because an increase in digital medical records would likely mean an increase in medical identity theft.
Using software written specifically for scanning Internet-based peer-to-peer (P2P) file sharing networks, Eric Johnson, an operations management professor at Dartmouth College’s Tuck School of Business in Hanover, N.H., and colleagues recently found confidential medical files, involving thousands of people, including patient billing records and insurance claims containing Social Security numbers, birth dates, medical diagnoses and psychiatric evaluations. (The same type of information could have been found without the special search software, although not as quickly because the researchers would have had to search individual computers on each of the P2P networks they visited.)

Uncovering the identity trade business

When Brandon Michael rolled up a storage-unit door in Denver on New Year’s Day to sort through the contents he had just purchased at an auction, the young man expected to find the usual items he could later sell on Craigslist or eBay: tools, laptops and furniture. Instead, Michael discovered boxes, filing cabinets and trash bags full of hundreds of U.S. passports, birth certificates, driver’s licenses, Social Security cards and other documents — most stolen within the past two years.

He found St. Anthony Central Hospital records containing dates of birth, Social Security numbers and copies of the driver’s licenses of 150 patients who had been admitted into the emergency room or general surgery.

He found drug paraphernalia, pills and the printer used to make counterfeit documents.

“That’s not right that somebody has all this stuff,” Michael said.

“It’s the mother lode of identity theft,” said Sgt. Ryan McGinty of the Denver police check fraud and forgery unit.

Michael’s discovery has prompted investigations by Denver police, Centura Health and the U.S. Department of Health and Human Services’ Office for Civil Rights.