Re: SAIC Hit With $4.9B Lawsuit Over TRICARE Data Theft

See article for reference from NextGov, “SAIC Hit With $4.9B Lawsuit Over TRICARE Data Theft,” by Bob Brewin.

We can expect to see many more lawsuits over breaches because most US health systems have abysmal data security and by design allow thousands of employees to access the sensitive health information of millions of patients. This immense scale of damage was simply impossible with paper systems.

Ironclad security is very difficult technically (think WikiLeaks) because health systems were architected to enable ‘open access’ by hundreds or thousands of employees to millions of sensitive health records.

Today, the only ‘barrier’ to health data access in the US are ‘pop-up’ screens that ask, “Do you have a right to access this patient’s information?’ This is hardly effective. Yes, of course, after-the-fact audit trails of access can be used to identify those who should not have seen a record. It is a very weak kind of data protection; in fact, today patients identify the majority of data breaches, not health IT systems.

When will the US get serious about building privacy-enhancing architectures where ONLY clinical staff or others who are directly involved in a patient’s care can access the patient’s data with informed consent. Systems that prevent access by MOST employees could prevent the vast majorities of data breaches and data thefts.

Using and building systems designed for privacy would be a FAR better use of the stimulus billions than how they are currently being spent: to buy and promote the use of HIT systems that cannot possibly protect health data from misuse and theft, and in fact is designed to spread health information to many unseen and unknown secondary corporate and government users.

Patient Data Posted Online in Major Breach of Privacy

This New York Times article by Kevin Sack outlines the key findings by experts at the Health Privacy Sumit: There are SERIOUS flaws in electronic health records when it comes to privacy, and these need to be addressed NOW.

“A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.”

Hospitals Wary of Hackers Seek Insurance from AIG

Bloomberg News aired a segment on the rising threat of electronic health information systems to patient privacy and tapped Jim Pyles, an expert from the first health privacy summit to speak.  He pointed out that the lack of adequate health data security, the ability to breach thousands or millions of records simultaneously, and the value of health data on black market as key causes of the growing number of reported health data breaches.

View the video here.

Synopsis: Doctors and hospitals adopting electronic patient records under a U.S. government program are exploring insurance policies to help cover the costs of medical-data breaches. Data breaches cost U.S. hospitals $12 billion over the past two years, according to a study by the Poneman Institute. Bloomberg’s Megan Hughes reports on “InBusiness with Margaret Brennan.”

Re:Epsilon breach used four-month-old attack

In response to the article in ITnews.com by Brett Winterford: Epsilon breach used four-month-old attack

Epsilon, the world’s largest email service provider, did not respond to 4 month-old warnings that their systems were vulnerable to hackers trying to access email deployment systems. Victims reported not only email addresses, but phone numbers were stolen. Some got hundreds of phone calls.

Everyone should expect very sophisticated “spear-phishing” attacks via email, where someone gets you to open an email by pretending to know you by using details from social media, etc.

2500 global companies like Citibank trusted Epsilon with sensitive details about millions of us, their customers.

Hospitals, insurers, pharmacies, and many unknown third parties/corporations/government agencies hold also data bases with millions of Americans’ sensitive financial and health records. Reports of health data breaches are soaring because securing data is very difficult and expensive.

Shouldn’t we demand that Congress and the federal government require and validate that all businesses holding health data have ironclad data security protections in place, BEFORE REQUIRING ever more data exchange, when we already know that healthcare systems are extremely vulnerable?

Shouldn’t health IT systems have ironclad security and require patient consent first? Shouldn’t the horse go before the cart?

Check out the latest proposed Federal Strategic Health IT Plan:
• it requires vast amounts of data-sharing NOW for a myriad of “meaningful uses” and other reporting without patient consent
• we still can’t see who accessed or used our health data because we can’t get audit trails of all disclosures yet, even though federal law (HITECH, 2009) requires that data holders give us a 3-year accounting of all disclosures if requested. This new consumer right and protection has not been implemented in regulations by HHS.
• See: ONC Announces open public comment period on the Federal Health IT Strategic Plan: 2011-2015

PPR will circulate comments for the Coalition for Patient Privacy to sign.

Poll shows: We trust our doctors, not their systems

This computer world article by Lucas Mearian discusses a new survey from CDW, showing patients trust their doctors but not electronic health records. And Many respondents don’t even trust themselves with their own records!

See the full article: U.S. patients trust docs, but not e-health records, survey shows

Sadly, patients should not trust their doctors unless they know their doctors’ electronic health records systems do not sell their personal health information.

The public has no idea that many electronic health systems sell their data. Even doctors may not realize the EHR systems in their offices or in hospitals sell patient data. Many claim to sell “de-identified” data, but it is very easy to re-identify health data.

This practice of selling health data was banned in the stimulus bill but has not been implemented in federal regulations, so it continues unabated.

Worse, the proposed regulations are directed ONLY at the use of health data for marketing, NOT at the health data mining industry that sells real-time, sensitive, detailed patient data profiles to corporations, government, and anyone who can pay for it.

The point of the ban on sale of health data without consent was to end the daily sale of every American’s prescription records from all 54,000 pharmacies, to end the sale of health data from electronic health systems and data exchanges, and to end the sale of health data by all the other organizations that are part of the healthcare system food chain like: insurers, state governments, labs, data warehouses, data management companies, the data analytics industry, business associates, secondary and tertiary data users, etc., etc.

See a brief TV investigative story about one EHR vendor that gives the software to doctors for “free” because its business is selling the patient data: http://www.ktvu.com/news/24278317/detail.html

Experts Forecast Top Seven Trends in Healthcare Information Privacy for 2011

A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach, and governance were asked to weigh in with their forecasts for 2011. These experts suggest that as health information exchanges take form, millions of patient records—soon to be available as digital files—will lead to potential unauthorized access, violation of new data breach laws and, more importantly, exposure to the threat of medical and financial identity theft.

These predictions are supported by the recent Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security, published November 2010, which found that data breaches of patient information cost the healthcare industry $6 billion annually; protecting patient data is a low priority for hospitals; and the healthcare industry lags behind the recently enacted HITECH laws…

Industry-Wide Experts Share Their Opinions and Insight…

Dr. Deborah Peel, M.D., practicing physician and founder of Patient Privacy Rights; the nation’s health privacy watchdog

“2011 will be the year that Americans recognize they can’t control personal health information in health IT systems and data exchanges. Will 2011 be the year that data security and privacy are the top of the nation’s agenda? I hope so. The right to privacy is the essential right of individuals in vibrant Democracies. If we don’t do it right in healthcare, we won’t have any privacy in the Digital Age.”…

Re: Release of Ponemon “Benchmark Study on Patient Privacy and Data Security” on Nov 9th

Today’s new Ponemon study catalogs the health care industry’s massive indifference to keeping patients’ health data secure.

View the Ponemon Study Press Release

This is not a new problem. The lack of ironclad data protection and security has been a set up for catastrophe from the beginning.  If banks handled the security of financial records as badly as hospitals handle health records, they would have been shut down.

Why is abysmal security for health data tolerated, when it is far more sensitive than financial records and also contains financial and demographic information?

The study details the lack of comprehensive technical protections, the lack of adequate staff, the lack of adequate funding , and the lack of encryption. It even found that 53% of health care organizations are “not confident” they know where patient data is actually located.

It’s painful to read such graphic detail about the breathtaking, systemic disregard for patient data protections. Page after page of awful statistics should make the public and government pause before spending $39 billion dollars of stimulus funds on such fatally flawed systems.

Relentless industry promotion of health IT seems to override the lack of adequate data protection and common sense.

Here are a few statistics from the study:

  • The total economic burden on US hospitals of data breaches is $12 Billion dollars/year.
  • 69% of health care organizations can’t prevent or detect data breaches
  • 71% of health care organizations have inadequate resources to deal with data breaches or improve their systems and technology
  • 70% of hospitals said that data protection is not a priority
  • Strikingly, 41% said that data breaches were discovered by patients, which appears to be low because another 19% of breaches were discovered because of legal complaints and 8% by law enforcement. Both legal actions and law enforcement complaints were also probably because patients discovered breaches and sought help, making the total of patient-discovered breaches closer to 68% than 41%.

If 41-68% of patients reported breaches, they must have suffered direct harms, such as data exposure leading to humiliation/embarrassment, identity theft, or medical identity theft.

Shouldn’t the government spend the stimulus billions on systems that DO ensure data security and EMPOWER patients to selectively disclose sensitive health information only to those they trust?

Privacy advocates fear massive fed health database

Please see the article “Privacy advocates fear massive fed health database” in Computer World, by Jaikumar Vijayan.

Many state and federal agencies either release or will soon release massive free or low cost “public use data files” without testing to make sure that our sensitive personal health information cannot be re-identified or obtaining our consent to use our health information.

Describing data bases as “anonymized” or “de-identified” lulls the public into thinking that their health records are safe and cannot be re-identified. But that isn’t true. Every method to prevent data from being re-identified should first be tested and proven.

Patient Privacy Rights recommends that any health data set should be subject to “adversarial challenge criteria” to assess the actual threats/risks of re-identification of the data before release. See “Notes About Anonymizing Data For Public Release” by Andrew Blumberg PhD at: http://patientprivacyrights.org/wp-content/uploads/2010/10/ABlumberg-anonymization-memo.pdf

After the challenge criteria are used to test the data, patients should be informed of the risk of re-identification and asked for consent to include their data.

Even the NIH had to close down a database of genetic information that was supposedly de-identified after the 141st researchers who downloaded the data base reported that they could re-identify actual patients.

It’s extremely hard to create health data sets that cannot be re-identified. Given that fact, patient consent should be required for the use of health data and patients should be informed of the risks of re-identification BEFORE their data is included in public use data sets.

Without basic protections, i.e., requiring informed consent and adversarial challenges, our health data will be used to create valuable, detailed profiles of each of us—and our own health records will be sold and used to discriminate against us in employment, credit, and other opportunities in life–not for research to improve our health and improve treatment.

Insecurities Plague Electronic Health Care

Information security and privacy in the healthcare sector is an issue of growing importance but much remains to be done to address the various issues raised by healthcare consumers regarding privacy and security and the providers’ perspective of regulatory compliance.

Writing in the International Journal of Internet and Enterprise Management, Ajit Appari and Eric Johnson of Dartmouth College, Hanover, New Hampshire, USA, explain that the adoption of digital patient records, increased regulation, provider consolidation and the increasing need for information exchange between patients, providers and payers, all point towards the need for better information security. Without it patient privacy could be seriously compromised at great cost to individuals and to the standing of the healthcare industry.

Living Online: Privacy and Security Issues in a Digital Age

Our lives are increasingly lived online. A large number of Americans routinely exchange information in cyberspace for personal, business, and other purposes. What privacy and security issues present themselves in this relatively new and increasingly ubiquitous space? What particular privacy concerns might apply when specific entities, such as the government, hold or process our information? What particular considerations might apply when the information being transmitted is particularly sensitive, such as health care information or financial information? How do privacy, security, and information ownership concerns function when information is being exchanged on social networking sites?

The November 3, 2009 event featured a lunchtime keynote address by Christopher N. Olsen, the Assistant Director in the Division of Privacy and Identity Protection at the Federal Trade Commission.

A panel discussion was held from 1 – 2:30 pm and featured:

  • Moderator, Jeffrey Rosen, Professor of Law at George Washington University and Legal Affairs Editor for The New Republic
  • Deborah C. Peel, MD, Founder and Chair, Patient Privacy Rights; Chair, Coalition for Patient Privacy
  • Lillie Coney, Associate Director, Electronic Privacy Information Center; Coordinator, Privacy Coalition
  • Alan Davidson, Director of Public Policy, Google

Here is the Video of the Panel:

Tuesday, November 3, 2009
11:30 am – 2:30 pm
Center for American Progress
1333 H. Street NW, 10th Floor
Washington, DC 20005