Steady Bleed: State of HealthCare Data Breaches — Comments

Comments on Information Week Article: Steady Bleed: State of HealthCare Data Breaches

This is a very ominous story. As every state rushes to connect offices and hospitals that have weak security and privacy so they can exchange data, the federal government is giving doctors and hospitals tens to hundreds of thousands of dollars to install electronic health records that also lack ironclad security and also prevent patients from controlling their records. Hooking systems that are ‘weak links’ to thousands of new systems that are also ‘weak links’ is a prescription for disaster.

Like the author, Patient Privacy Rights has been pointing out the abysmal state of health data security for years. What the author does not know is Congress LISTENED TO PATIENTS. Senator Snowe deserves credit for these consumer protections because she refused to allow the meaningful breach protections she crafted to be weakened. Powerful support by the bipartisan Coalition for Patient Privacy (see our letter to Congress) helped convince Congress to put Senator Snowe’s tough breach reporting and tough penalties into the stimulus bill. Perhaps now those who hold our sensitive health data will start to take security seriously.

What is really new in this story is FairWarning’s report about the very high monthly frequency of breaches in doctors’ offices and major hospitals in the US and across the world. The statistics from FairWarning show clearly that the number of breaches officially reported to HHS is just the tip of the iceberg. See quotes:

  • 200-bed hospital with a few small clinics, rurally based: 24 confirmed incidents [breaches] per month.
  • U.S. based physician practice with 20 clinics, metro and rurally dispersed: 29 confirmed incidents [breaches] per month.
  • UK based teaching hospital in a major metropolitan area as well as rurally based facilities: 130 confirmed incidents [breaches] per month.
  • Top 50 U.S. Health System with multiple affiliated hospitals and clinics, based in a major metropolitan area: 125 confirmed incidents [breaches] per month.

You can see reported breaches to HHS affecting 500 or more here:

Consumer Advocate: Patient Consent Vital

Deborah Peel, M.D., founder of Patient Privacy Rights, on protecting the privacy of healthcare information.
Listen to the Interview Here.

Patients have inadequate control over who can access their healthcare information, but existing technologies can solve the problem, says consumer advocate Deborah Peel, M.D.

Her organization, Patient Privacy Rights, recently issued a white paper outlining an approach to giving patients opportunities to offer informed consent for accessing their records. In an interview, Peel outlined the key points in the report…

View a PDF version of the white paper: The Case for Informed Consent
Listen to the interview: Patient Consent Vital

The Case for Informed Consent

Austin, TX — Patient Privacy Rights (PPR), the nation’s leading health privacy watchdog released a white paper entitled, “The Case for Consent: Why it is Critical to Honor What Patients Expect: for Health Care, Health IT and Privacy.” The paper is designed to be a primer on health privacy and argues that the primary stakeholder in health care, the patient, must retain control over their personal health information. The white paper is available online at

The white paper tackles the arguments made that patient control is too technically difficult, is too expensive, or is too complex, among others. In fact, robust privacy-enhancing technologies are in use now that ensure both progress and privacy. Technology can enable control over personal health information today and likely simplify our systems and lower costs.

“Patients know what they want,” says Patient Privacy Rights’ founder, Deborah Peel, MD. “It is a mistake to design health IT in a paternalistic manner — assuming a corporation, vendor, provider or government agency knows what is best for each individual patient.”

View the white paper: The Case for Informed Consent

Privacy Risk Calculator

Is your sensitive health information at risk of being exposed and sold?

Take the following quick quiz to see if your health privacy is at risk.

Please Note: Keep track of the total points earned by each answer to calculate your health information’s privacy risk.

HHS Withdraws Controversial Breach Notification Rule under HITECH

A recent HHS decision to withdraw the HIPAA final “breach notification” rule drew praise from patient privacy advocates, who cited the need for stronger privacy protections…

The Patient Privacy Rights Foundation, a privacy watchdog organization, called the move “a huge step in the right direction,” and reiterated its objections to the “harm standard.”

WSJ Exposes Web Tracking Truths

This story should prompt a flood of investigative reporting about the secret, highly lucrative data theft and mining industries. And health information is THE most valuable personal information of all.

“Consumer tracking is the foundation of an online advertising economy that racked up $23 billion in ad spending last year.”

The story shows that the data theft and data mining industries are selling real-time access to specific people—a FAR more intrusive practice than buying a location on a webpage:

“These profiles of individuals, constantly refreshed, are bought and sold on stock-market-like exchanges that have sprung up in the past 18 months.”

“Advertisers once primarily bought ads on specific Web pages—a car ad on a car site. Now, advertisers are paying a premium to follow people around the Internet, wherever they go, with highly specific marketing messages.”

And, of course, sensitive health information is being stolen too:

“On Encyclopaedia Britannica Inc.’s dictionary website, one tracking file from Healthline Networks Inc., an ad network, scans the page a user is viewing and targets ads related to what it sees there. So, for example, a person looking up depression-related words could see Healthline ads for depression treatments on that page—and on subsequent pages viewed on other sites.”

“Healthline says it doesn’t let advertisers track users around the Internet who have viewed sensitive topics such as HIV/AIDS, sexually transmitted diseases, eating disorders and impotence. The company does let advertisers track people with bipolar disorder, overactive bladder and anxiety, according to its marketing materials.”

Ubiquitous surveillance and data theft are used to track and discriminate against every American in real time. Ads are NOT innocuous and helpful:

“We’re driving people down different lanes of the highway,” Mr. Cheyney says.

“Some financial companies are starting to use this formula to show entirely different pages to visitors, based on assumptions about their income and education levels.”

“Life-insurance site, a unit of Byron Udell & Associates Inc., last month tested a system showing visitors it determined to be suburban, college-educated baby-boomers a default policy of $2 million to $3 million, says Accuquote executive Sean Cheyney. A rural, working-class senior citizen might see a default policy for $250,000, he says.”

Only exposure and public outrage over the deeply invasive secret data theft and data mining industries will shut them down. And it’s important to know that the government is one of the biggest customers of these stolen data profiles.

See the Wall Street Journal Article: The Web’s New Gold Mine: Your Secrets