Kaiser Had Malware on Server for 2.5 Years

By Joseph Goedert | April 8, 2014 | HealthData Management

The Northern California division of Kaiser Permanente is notifying about 5,100 patients that protected health information was on a server found in February 2014 to be infected with malicious software.

In a letter to patients, the organization says it believes the server was infected in October 2011. Kaiser removed the server, which was used to store research data, and confirmed other servers were not affected and appropriately secured. “We currently have no information that any unauthorized person accessed the information on the server,” according to the patient letter. “However, the malicious software broke down the server’s security barriers so we are investigating and responding with a very high level of caution and concern. We are very sorry that this happened.”

Information on the server included patient name, date of birth and gender, and also may have included address, race-ethnicity, medical record number, lab results associated with research, and patient responses to questions related to research studies in which they participated. Social Security numbers and data from Kaiser’s electronic health record were not held on the server.

The new breach soon will be listed on the HHS Office for Civil Rights’ website of major security breaches affecting 500 or more individuals, and it will be Kaiser’s fourth posting on the site.

In late 2013, a missing flash drive from the nuclear medicine department at Anaheim Medical Center resulted in notifications sent to about 49,000 patients. Also in 2013, Kaiser notified 647 patients after learning of unauthorized access/disclosure of the EHR. In late 2009, the organization notified about 15,500 patients following the theft of an electronic portal device.

Privacy Tools: Opting Out from Data Brokers

By Julia Angwin
ProPublica, Jan. 30, 2014

Data brokers have been around forever, selling mailing lists to companies that send junk mail. But in today’s data-saturated economy, data brokers know more information than ever about us, with sometimes disturbing results.

Earlier this month, OfficeMax sent a letter to a grieving father addressed to “daughter killed in car crash.” And in December, privacy expert Pam Dixon testified in Congress that she had found data brokers selling lists with titles such as “Rape Sufferers” and “Erectile Dysfunction sufferers.” And retailers are increasingly using this type of data to make decisions about what credit card to offer people or how much to charge individuals for a stapler.

During my book research, I sought to obtain the data that brokers held about me. At first, I was excited to be reminded of the address of my dorm room and my old phone numbers. But the thrill quickly wore off as the reports rolled in. I was equally irked by the reports that were wrong — data brokers who thought I was a single mother with no education — as I was by the ones that were correct — is it necessary for someone to track that I recently bought underwear online? So I decided to opt out from the commercial data brokers.

View the full article, Privacy Tools: Opting Out from Data Brokers, to get a list of the names of companies that track your information, links to their privacy pages, and instructions on how to opt out.

WPF Report — Paying out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure

San Diego & Washington, D.C. — The World Privacy Forum published a new report today that helps patients understand and use the new HIPAA right to restrict disclosure of their medical information to health plans when treatment is paid for out of pocket in full. The report contains practical advice and tips for patients about how to navigate the new right, which went into effect last year. Paying Out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure is one of the first reports on this topic written for patients.

“The new HIPAA right that lets patients restrict disclosures of their health information is actually not well known yet, and that needs to change,” said Pam Dixon, Executive Director of the World Privacy Forum. “This report has specific, concrete tips and information that will help patients use this important new right.” The report, written by Bob Gellman and Pam Dixon, is available free of charge at www.worldprivacyforum.org.

Key points:

  • A patient has the right to prevent a health care provider from reporting information to a health insurer if the patient pays in full.
  • In order to prevent disclosure of information to a health plan, patients must make a Request to Restrict Disclosure.
  • Under the new changes to HIPAA, a patient has the firm right to demand, not just request, that a provider not disclose PHI to a health plan when certain conditions are met.
  • The conditions to be met can be complex, and work best with some advance planning.

Additional tips are in the report.

The bipartisan Coalition for Patient Privacy worked to get this key consumer protection into HITECH.

Bob Gellman and Pam Dixon are available to discuss tips and advice for patients on how to use the new HIPAA right.

Links:

The report Paying Out of Pocket to Protect Health Privacy: A New but Complicated HIPAA Option; A Report on the HIPAA Right to Restrict Disclosure is available in PDF or in text.

Permalink: http://www.worldprivacyforum.org/2014/01/wpf-report-paying-out-of-pocket-to-protect-health-privacy/

Contact:

Bob Gellman 202-543-7023

Pam Dixon 760-712-4281

info@worldprivacyforum.org

Dr. Peel at Authors’ Roundtable at HIMSS 2013

Dr. Deborah Peel, PPR Founder & Chair, will join her co-authors to talk about pressing privacy issues raised in HIMSS’s just released book, Information Privacy in the Evolving Healthcare Environment. As a co-author, Dr. Peel’s contributing chapter discusses patients’ rights to privacy and consent and outlines the auditable criteria of PPR’s Trust Framework, which includes 15 clear principles to ensure meaningful consent within all electronic systems.

Purchase the book here.

Restoring patient control over PHI will be a key topic discussed, with additional focus on the technologies and laws needed to address the gaps and flaws in the Omnibus Privacy Rule.

Date: Tuesday, March 5, 2013
Time: 11:00 AM CT
Where:
HIMSS 2013 Annual Conference and Exhibition
Room 213
New Orleans Ernest N. Morial Convention Center
900 Convention Center Boulevard
New Orleans, Louisiana

An advocate for patients’ rights to health privacy since 2004, when she formed PPR, Dr. Peel has led the charge for more stringent data privacy and security protections, as well as tough new enforcement and penalties for violations that were included in the January 2013 release of the Omnibus Privacy Rule.

Re: Federal Agencies Paint Regulatory Landscape with Broad Brushstrokes

The Genomics Law Report (GLR) posted an interesting blog about the emergence of mobile health (mHealth) and the role many believe it could play in improving the quality and delivery of health care. It discusses how the mHealth regulatory landscape is still in its early stages of formation and has many key players and components that will help guide its development. It then outlines many of the players, such as the FDA, FCC, FTC, and HHS, and the various ways in which each organization might help shape the future of mHealth.

The story also makes mention of the FTC’s “privacy by design” recommendation for mobile applications, which is undoubtedly a critical component to protecting patients’ privacy as more innovative technologies and apps hit the marketplace. However, aside from ensuring that strong privacy controls are built into the apps up front, it will also be important to make sure patients have other important privacy protections, like control over their sensitive health information, no matter the medium used to collect and share it.

To read the full blog from GLR, click here.

Re: “Web’s Hot New Commodity: Privacy”

In response to the WSJ article: Web’s Hot New Commodity: Privacy

Finally the market for digital privacy is being built! This reflects GROWING public awareness of data theft and misuse.

Yes, PPR will continue to call it “theft”. Data mining corporations are like squatters who sneak onto property and then claim it because the owners didn’t know what they were doing. Data miners are thieves because they know VERY well how hard it is for people to discover what they are doing, and further, they know that there is no way anyone can stop them from stealing personal information. Watch — as ways to protect personal data are developed and laws are proposed to prohibit what they do, they will try to make sure their illegal and unethical practices are “grandfathered in.” These practices must be outlawed in the Digital Age if Americans are to retain the most precious right in a Democracy: the right of law-abiding citizens to be “let alone.”

We must fight back and press Congress to outlaw all data theft and corporate contracts that require giving up control of personal information. We must press Congress to ENFORCE the ban on the sale of health data without consent.

It is now clear to entrepreneurs that people are starting to view personal information as an EXTREMELY valuable asset that many want to have treated as personal property. The fact that the nation’s prescription records were being sold without consent is why Congress banned the sale of protected health information (PHI)—OUR sensitive electronic health information—without consent in the stimulus bill.

There are many who fear that patients cannot meaningfully give consent to sell their health data; that they will easily sell it for next to nothing and not realize the consequences—such as job loss and generations of job and credit discrimination.

But the current situation is far worse and must be addressed: the huge health data mining industry operates in the shadows. AND we have NO WAY of identifying or preventing data mining corporations from stealing and selling our most sensitive data—from prescriptions to DNA. This secret industry is a behemoth, generating tens to hundreds of billions of dollars in annual revenue.

Letting secret, shadowy corporations continue to make billions/year selling the sensitive personal health data of every person in the U.S. is NOT a fair or sustainable solution to corporate and government data hunger. Why allow any industry built on theft? I can’t think of another legal industry built on theft.

Individuals should control PHI; morally and practically it is the only solution. But we need clear laws and boundaries in addition to individual control (consent), so that there are boundaries around exactly what data can be sold or used.

In Europe most uses of health data are flatly prohibited; in Germany there is no consent, but instead only a handful of uses of health data are permitted—the uses are tightly bounded. This is a very different approach than the US.

We ALSO need a framework of tightly bounded privacy protections for health data (in addition to informed electronic consents) that provides interactive education about consent decisions and sets defaults at the most privacy-protective level.

New Patient Privacy Poll

Should anyone other than you control your personal health information in electronic health systems? Across the board, Americans resoundingly say “NO.”

Patient Privacy Rights worked with Zogby International to conduct an online survey of over 2000 adults to identify their views on privacy, access to health information, and health information technology (health IT). The results were overwhelmingly in favor of individual choice and control over personal health information.

View the Privacy Poll Results
View the Press Release
Listen to the Press Teleconference here

News Coverage
Healthcare IT News: Poll: Huge majorities want control over health info
Forbes: Americans Want to Control Their Health Information
Fierce Health IT: Majority of Americans want personal control of health information
Modern Healthcare: Privacy desires ignored

Americans are not just concerned about corporations snooping in their medicine cabinets, but also about researchers, nosy employees, and people with malicious intent, such as an ex-spouse or abusive partner.

Over ninety percent of Americans want to be able to decide which individual people can see and use their health information. This reflects a strong desire for very specific, detailed control.

Note: A sampling of Zogby International’s online panel, which is representative of the adult population of the US, was invited to participate. Slight weights were added to region, party, age, race, religion, gender, and education to more accurately reflect the population. The margin of error is +/- 2.2 percentage points.

Privacy desires ignored

For psychiatrist Deborah Peel, maybe patient privacy and patient consent aren’t identical twins, but they’re sure close relatives.

Not surprisingly, a recent Zogby International poll commissioned by Peel’s not-for-profit Patient Privacy Rights Foundation, Austin, Texas, focuses on patient consent and its relationship to privacy—a unity the federal government has chosen to either ignore or deny.

The 2,000 adult poll respondents reached by Zogby via the Internet put great store in their right to privacy. They cling to the quaint notion that they should be asked before their electronic health records are sent skittering off to unknown users for unknown purposes. See full poll results here.

Silly them.

HHS rulemakers wrote away a key right to privacy eight years ago.

An HHS revision to the Health Insurance Portability and Accountability Act privacy rule in 2002 stripped away one of the broader authorities giving patients the right to control the flow of their medical information. HHS rulemakers did it by eliminating the right of consent. They took a stringent privacy protection rule and transformed it into a disclosure rule.

There are a lot of bright folks who have warned HHS that this privacy issue broadly—and this HIPAA privacy rule revision, specifically—are going to explode on the healthcare industry. One of the more insistent voices has been Peel’s, but she is by no means alone.

Majority of Americans want personal control of health information

It’s hard to get Americans to agree on much these days, but overwhelming majorities seem to want control over their own electronic health information.

A poll from Dr. Deborah Peel’s Patient Privacy Rights Foundation and Zogby International found that 97 percent of the more than 2,000 U.S. adults surveyed believe that hospitals, physicians, laboratories and IT vendors should not be allowed to sell or share “sensitive health information” without consent. Ninety-eight percent are opposed to health insurance companies marketing personal health information, according to the survey.

See full poll results here.

Americans Want to Control Their Health Information

Health privacy watchdog Patient Privacy Rights and Zogby International surveyed 2,000 people, and found that almost all object to doctors, hospitals, and insurance companies sharing or selling their information without their consent. An overwhelming majority also wants to decide not only which companies and government agencies can access their electronic health records, but which individuals.

See the Survey Results

Hospitals and doctors are currently busy implementing the first stage of requirements under the HITECH Act, which calls for providing patients within the next two years with an electronic copy of their physical, test results, and medications. Ultimately, patients should be able to access their electronic health record online.