Kaiser Had Malware on Server for 2.5 Years

By Joseph Goedert | April 8, 2014 | HealthData Management

The Northern California division of Kaiser Permanente is notifying about 5,100 patients that protected health information was on a server found in February 2014 to be infected with malicious software.

In a letter to patients, the organization says it believes the server was infected in October 2011. Kaiser removed the server–used to store research data–and confirmed other servers were not affected and appropriately secured. “We currently have no information that any unauthorized person accessed the information on the server,” according to the patient letter. “However, the malicious software broke down the server’s security barriers so we are investigating and responding with a very high level of caution and concern. We are very sorry that this happened.”

Information on the server included patient name, date of birth and gender, and also may have included address, race-ethnicity, medical record number, lab results associated with research, and patient responses to questions related to research studies in which they participated. Social Security numbers and data from Kaiser’s electronic health record were not held on the server.

(See also: Top 6 Threats to Enterprise Security)

The new breach soon will be listed on the HHS Office for Civil Rights’ website of major security breaches affecting 500 or more individuals, and it will be Kaiser’s fourth posting on the site.

In late 2013, a missing flash drive from the nuclear medicine department at Anaheim Medical Center resulted in notifications sent to about 49,000 patients. Also in 2013, Kaiser notified 647 patients after learning of unauthorized access/disclosure of the EHR. In late 2009, the organization notified about 15,500 patients following the theft of an electronic portal device.

 

 

 

Don’t Let EHR Vendors Own Your Data

“In a recent blog posting, John Moore and Rob Tholemeier of Chilmark Research ask the question: ‘Who’s Data is it Anyway?’ Your electronic health records data is not the property of your vendor and there are things you can do about it, they contend.”

To view the full article, please visit: Don’t Let EHR Vendors Own Your Data

First HIT Policy Committee Meeting on Stripping Privacy Away?

No surprise the new HIT Policy committee is gearing up to eliminate privacy, i.e. patient control over personal health information, using the excuse that the entire nation’s records are needed for biosurveillance and research without informed consent. See the quotes from Drs Calman and Clark. The title of the article says it all: “Committee studies public health, research“.

The committee is dominated by industry appointees who will make sure the policies they come up with grant unfettered government and industry access to Americans’ most sensitive personal data, from prescriptions to DNA.

What they don’t get is they will lose the public’s support and trust if they build a system where everyone’s health records can be data mined for any research purpose. A Westin/Harris IOM poll found only 1% of the public would allow researchers unfettered access to their electronic medical records. The government and the research community are completely at odds with the public’s rights to health privacy.

The reality is millions of Americans already refuse to participate in healthcare systems that harm them because they have no control over their medical records.

HHS noted in the Preamble to the HIPAA Privacy Rule that 600,000 Americans/year avoid early diagnosis and treatment for cancer because treatment records are not private private. Two million people/year with mental illness avoid diagnosis and treatment for the same reason: their records are not private. The Rand Corporation found that 150,000 Iraqi vets refuse treatment for PTSD because their treatment is not private, resulting in the highest rate of suicide in active duty military personnel in 30 years.

Can this commitee face reality when they have severe conflicts of interest and want the use of Americans’ health data?

The lack of privacy drives millions away from healthcare. And the lack of privacy causes suffering and death–bad outcomes.

It looks like patients’ and consumers’ best hope for preserving their health privacy rights in electronic systems may be Gayle Harrell. She may be the only committee member who can face reality.