Re: Celebrity Credit Reports and more, hacked

Multiple celebrities have had their personal information hacked and posted online recently, and this is nothing new. We’ve seen breaches of celebrities’ health information in the past, and this will continue to happen, even where privacy and security are a top priority, as they are in financial institutions and credit bureaus.

It is critical that privacy be the foundation in Health IT, or Americans’ health information will be the most valuable and available information on the market.

From the Fast Company Article: Michelle Obama’s Credit Report Hacked

“Three of the major credit agencies were hacked and information about Michelle Obama, Beyonce and numerous other celebrities has been leaked on an unnamed website, gossip site TMZ first reported on Tuesday.

Experian, TransUnion, and Equifax confirmed to Bloomberg News that they had found cases where information had been accessed unlawfully by hackers.”

Web Site Investigated for Posting Private Data

“WASHINGTON — Law enforcement officials said on Tuesday that they had opened an investigation into a Web site that posted the home addresses, Social Security numbers and other personal information for more than a dozen celebrities and politicians, including Vice President Joseph R. Biden Jr., Michelle Obama and Jay-Z.

“At this point, we are trying to determine the sourcing of this and the validity of the stuff that is being posted,” said a senior federal law enforcement official.

The investigation is being led by the Federal Bureau of Investigation, the Secret Service and the Los Angeles Police Department, law enforcement officials said.”

Should the U.S. Adopt European-Style Data-Privacy Protections?

You can read more of the Wall Street Journal debate between Joel R. Reidenberg (Yes) & Thomas H. Davenport (No) here: Should the U.S. Adopt European-Style Data-Privacy Protections?

This urgent issue will be debated at the 3rd International Summit on the Future of Health Privacy in Washington, DC on June 5-6, 2013 at Georgetown Law Center.

The opening keynote will be Peter Hustinx, the EU Data Protection Supervisor: “A health check on data privacy”

Register to attend at www.healthprivacysummit.org.

UPMC, Oracle to help with ID management

To view the article, please visit UPMC, Oracle to help with ID management.

UPMC revealed plans on Thursday to collaborate with Oracle in the development of cloud-based identity management technology to be utilized by small to mid-sized healthcare providers.

According to the article, “CloudConnect Health IT will enable healthcare users to easily manage computer accounts, including adding, modifying and terminating a user’s computer access, officials say. They’ll also help providers manage access based on the user’s job responsibility and provide self-service tools for retrieving forgotten passwords and unlocking accounts, as well as offer comprehensive management reporting.”

This poses a problem because, as Adrian Gropper, MD, points out, “Proprietary identity systems risk being coercive of the patient to the extent that they allow aggregation of a patient’s records across multiple institutions without informed patient consent. Voluntary ID systems can be created that are not coercive while still offering the value of global uniqueness.”

Re: Web Privacy Becomes a Business Imperative

The New York Times article Web Privacy Becomes a Business Imperative by Somini Sengupta discusses how web privacy affects businesses’ bottom line. As Mozilla’s Chief Privacy Officer says in the article:

“They’re asking for a different level of privacy on your service,” he said, “You have to listen to that. It’s critical to your business.”

Finally. More Internet companies are realizing the truth behind what PPR has said all along: products and services that don’t offer real privacy and security don’t fly with consumers. While some still may debate the exact meaning of “privacy,” what we consistently see is that consumers want to have control over what happens with their data. It’s about time we start listening to what the public wants and honor everyone’s right to be let alone as they see fit.

theDataMap™

theDataMap™ is an online portal for documenting flows of personal data. The goal is to produce a detailed description of personal data flows in the United States.

A comprehensive data map will encourage new uses of personal data, help innovators find new data sources, and educate the public and inform policy makers on data sharing practices so society can act responsibly to reap benefits from sharing while addressing risks for harm. To accomplish this goal, the portal engages members of the public in a game-like environment to report and vet reports of personal data sharing.

Members of the public sign up to be Data Detectives and then work with other Data Detectives to report and vet data sharing arrangements found on the Internet. Data Detectives are responsible for the content on theDataMap™.

See the debut of theDataMap™ from the “Celebration of Privacy” during the 2nd International Summit on the Future of Health Privacy here:

Nearly Half of U.S. Adults Believe They Have Little To No Control Over Personal Info Companies Gather From Them While Online

To view the full article, please visit Nearly Half of U.S. Adults Believe They Have Little To No Control Over Personal Info Companies Gather From Them While Online.

No surprise, 80% of US adults do NOT want targeted ads. 24% think they have no control over information shared online.

How will US adults feel when they learn they have no control over sensitive electronic health information? Despite the new Omnibus Privacy Rule, there is still no way we can stop our electronic health records from being disclosed or sold. The only actions we can take are avoiding treatment altogether, or seeking physicians who use paper records and paying for treatment ourselves. No one should be faced with such bad choices. There is no reason we should have to give up privacy to benefit from technology.

Today, the only way to prevent OUR health information from being disclosed or sold to hidden third parties is to avoid electronic health systems as much as possible. That puts us in a terrible situation, because technology could have been used to ensure our control over our health data. The stimulus billions can still be used to build trustworthy technology systems that ensure we control personal health information. Institutions, corporations, and government agencies should not control our records, and they should have to ask us for consent before using them.

Quotes:

  • “45% of U.S. adults feel that they have little (33%) or no (12%) control over the personal information companies gather while they are browsing the web or using online services such as photo sharing, travel, or gaming.”
  • “many adults (24%) believe that they have little (19%) to no (5%) control over information that they intentionally share online”
  • “one-in-five (20%) said that they only minimally understand (17%), or are totally confused (3%) when it comes to personal online protection”
  • “When asked under what circumstances companies should be able to track individuals browsing the web or using online services, 60% say this should be allowed only after an individual specifically gives the company permission to do so.”
  • “Just 20% of adults say that they want to receive personalized advertising based on their web browsing or online service use, while the large majority (80%) report that they did not wish to receive such ads.”

Clouds in healthcare should be viewed as ominous: Quotes from Dr. Deborah Peel

A recent article in FierceEMR written by Marla Durben Hirsch quotes Dr. Peel on the dangers of cloud technology being used in healthcare. Dr. Peel tells FierceEMR that “There’s a lot of ignorance regarding safety and privacy of these [cloud] technologies”.

Here are a few key quotes from the story:

“It’s surely no safe haven for patient information; to the contrary it is especially vulnerable to security breaches. A lot of EHR vendors that offer cloud-based EHR systems don’t take measures to keep patient data safe. Many of them don’t think they have to comply with HIPAA’s privacy and security rules, and many of their provider clients aren’t requiring their vendors to do so.” (Hirsch)

“Many providers have no idea where the vendor is hosting the providers’ patient data. It could be housed in a different state; or even outside of the country, leaving it even more vulnerable. ‘If the cloud vendor won’t tell you where the information is, walk out the door,’ Peel says.”

“Then there’s the problem of what happens to your data when your contract with the cloud vendor ends. Providers don’t pay attention to that when they sign their EHR contract, Peel warns.”

“‘The cloud can be a good place for health information if you have iron clad privacy and security protections,’ Peel says. ‘[But] people shouldn’t have to worry about their data wherever it’s held.’”

OCR Could Include Cloud Provision in Forthcoming Omnibus HIPAA Rule

The quotes below are from an article written by Alex Ruoff in the Bloomberg Health IT Law and Industry Report.

“Deborah Peel, founder of Patient Privacy Rights, said few providers understand how HIPAA rules apply to cloud computing. This is a growing concern among consumer groups, she said, as small health practices are turning to cloud computing to manage their electronic health information. Cloud computing solutions are seen as ideal for small health practices as they do not require additional staff to manage information systems, Peel said.

Cloud computing for health care requires the storage of protected health information in the cloud—a shared electronic environment—typically managed outside the health care organization accessing or generating the data (see previous article).

Little is known about the security of data managed by cloud service providers, Nicolas Terry, co-director of the Hall Center for Law and Health at Indiana University, said. Many privacy advocates are concerned that cloud storage, because it often stores information on the internet, is not properly secured, Terry said. He pointed to the April 17 agreement between Phoenix Cardiac Surgery and HHS in which the surgery practice agreed to pay $100,000 to settle allegations it violated HIPAA Security Rules (see previous article).

Phoenix was using a cloud-based application to maintain protected health information that was available on the internet and had no privacy and security controls.

Demands for Guidance

Peel’s group, in the Dec. 19 letter, called for guidance “that highlights the lessons learned from the Phoenix Cardiac Surgery case while making clear that HIPAA does not prevent providers from moving to the cloud.”

Peel’s letter asked for:
• technical safeguards for cloud computing solutions, such as risk assessments of and auditing controls for cloud-based health information technologies;
• security standards that establish the use and disclosure of individually identifiable information stored on clouds; and
• requirements for cloud solution providers and covered entities to enter into a business associate agreement outlining the terms of use for health information managed by the cloud provider.”

Vast cache of Kaiser patient details was kept in private home

The excerpt below is from the LA Times article Vast cache of Kaiser patient details was kept in private home by Chad Terhune. It shows not only Kaiser’s negligence in caring for its patients, but also the lack of privacy and security that is frequently found in electronic health records.

“Federal and state officials are investigating whether healthcare giant Kaiser Permanente violated patient privacy in its work with an Indio couple who stored nearly 300,000 confidential hospital records for the company.

The California Department of Public Health has already determined that Kaiser “failed to safeguard all patients’ medical records” at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract. The couple’s document storage firm kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.

Until this week, the Deans also had emails from Kaiser and other files listing thousands of patients’ names, Social Security numbers, dates of birth and treatment information stored on their home computers.

The state agency said it was awaiting more information from Kaiser on its “plan of correction” before considering any penalties.

Officials at the U.S. Department of Health and Human Services began looking into Kaiser’s conduct last year after receiving a complaint from the Deans about the healthcare provider’s handling of patient data, letters from the agency show. Kaiser said it hadn’t been contacted by federal regulators, and a Health and Human Services spokesman declined to comment.”