Re: Utah’s Medical Privacy Breach – Nearing 1 Million!

The Utah Dept of Health didn’t protect close to one million patients’ sensitive health data. Utah handles health information the way 80% of the US healthcare sector does: very poorly. Weak passwords and unencrypted health information are typical. Just last November, an SAIC/Tricare data breach of 4.9 million unencrypted records was reported.

The US healthcare industry has ignored federal law requiring encryption since 2005. Encryption is well-known to be the standard for protecting health data. But why do it if there is no enforcement and the cost of a fine or settlement is so low?

Instead of expanding electronic health records systems and exchanging millions more sensitive health records, the federal government should enforce the law and require the massive security flaws in existing health data systems be fixed. And whenever there are breaches, victims should have the technology tools to verify whether future claims are genuine to prevent medical ID theft and someone else’s record from receive credit monitoring for at least 3 years.

Learn more about the lack of health data privacy and security. Register to attend or watch the 2nd International Summit on the Future of Health Privacy, “Is there an American Health Privacy Crisis” on live streaming video at: http://www.healthprivacysummit.org

Health privacy issues can be resolved without obstructing care

See full article in FierceHealthIT: Health privacy issues can be resolved without obstructing care

Ken Terry writes about the big issues with patient privacy today and possible solutions.

“At times, it seems like concerns about the security and privacy of healthcare data have catapulted into overdrive: For instance, it recently was predicted that healthcare spending on security would hit $70 billion a year by 2015–enough to cover the majority of the uninsured. Sure, there are plenty of security breaches–some of them serious enough to attract public attention. But as a few recent cases show, universal encryption of data (some forms of which may soon be required under the latest HIPAA rules) could eliminate the biggest source of security breaches. Also, with the advent of virtual desktop infrastructure, there’s no reason to store any personal health information on end-user devices.
Another challenge in the security arena is giving consumers the ability to control who sees their records. While most physicians now have their patients sign HIPAA forms so that they can share data with other providers, the advent of electronic health information exchange (HIE) has greatly increased access to a wide range of individually identifiable data from a variety of sources. And patients may not want everyone who treats them to know, for example, that they have seen a psychiatrist.”

Re: BCBS Breach in Tennessee

The Office of Civil Rights in the Dept of Health and Human Services (OCR) slapped the wrist of BCBS of Tennessee.

One million people’s protected health information was breached because Blue Cross Blue Shield (BCBS) of Tennessee violated data security laws. The settlement cost BCBS a little more than $1.00 per person—hardly a deterrent to other corporations or adequate punishment. However, that amount happens to be the same as the highest possible fine permitted by law (HITECH).

Still it appears that criminal charges could have been filed for “willful disregard” rather than OCR accepting a settlement. OCR’s finding that legally-required “adequate administrative and physical safeguards” were lacking is evidence of “willful neglect”.

Worst of all, the one million victims received NO protection against future ID theft or medical ID theft. OCR could have also required BCBS to mitigate future patient harms, but didn’t. New technologies can protect against medical ID theft by enabling patients to review all new claims, so they can detect and prevent fraudulent claims and erroneous data from being entered into their records.

Why didn’t OCR propose that BCBS adopt remedies to protect the patients whose records were breached from further misuse and theft?  Shouldn’t OCR help protect victims?

PPR in the Wall Street Journal

The Journal Report of The Wall Street Journal featured Patient Privacy Rights’ founder in a debate about Unique Patient Identifiers (UPIs). Deborah C. Peel, MD, founder & chair of Patient Privacy Rights, opposes UPIs, pointing out there are better electronic records systems that allow patients to control data exchanges for treatment and other approved uses.

You can read both sides of the debate at this link: “Should Every Patient Have a Unique ID Number for All Medical Records?”

While voting remains open, the scores have remained fairly static over the past month showing a clear victory. Deborah Peel, MD has won the debate for Patient Privacy Rights, exposing the dangers of UPIs in electronic health record systems. If you have not already, you can still vote “No” to UPIs, and help protect patients, privacy, and progress toward patient-controlled electronic health records. If you are in the main article, voting takes place on the left side of the screen below the picture of Michael Collins. You can also use this direct link to vote after reviewing the full debate.

To dispel the myths of UPIs:

  • Trying to separate UPIs from financial records would be like trying to separate SSNs from everything they have been linked to, including medical records!
  • UPIs will give government, industry, data miners, and others greater ability to collect all health information on individuals. Imagine giving everyone a unique financial identifier that they would use for all credit cards, banks, retailers, and other financial institutions. Would you feel your money was secure?
  • A surprising amount of patients already do not trust a paper-based system, and fear for their privacy even more with expanding Health IT. Having a UPI takes away the idea of patient control and consent, creating one very easy and obvious way for anyone with the means necessary to look up a patient’s full health record. Patients will only accept a system they can control.

We do our work to improve health care by protecting patient privacy. We encourage you to protect your own privacy rights by voting now.

Re: Sizing Up the Family Gene Pool

In response to the New York Times article: Sizing Up the Family Gene Pool

This story is about the fact that genetic testing companies sell people’s test results, compromising families’ and descendants’ future jobs and opportunities. “The NYTimes Ethicist” confirmed a questioner’s fears:

“As for the privacy issue, your concern is well founded. Many of these companies do use customers’ data for medical research or commercial applications, or they sell it to third parties whose interests you might never know. Legally they can’t do that without your consent, but the fine print on those consent forms goes by so quickly that it can be hard to follow.”

Americans’ lack of control over sensitive personal health information in electronic systems is a true national disaster. Not everyone knows this yet, but President Obama does.

On Feb 22, the he introduced historic new privacy principles to guide the use of personal data in the global digital economy. He recognized the lack of privacy in current networked technologies and systems has severe economic consequences. See story on the White House Initiative: http://patientprivacyrights.org/2012/02/wh-initiative-consumer-privacy-bill-of-rights/

President Obama’s new principles address the causes of the privacy violation in the story:

  • Current federal law does not protect the right to health information privacy or the right of consent to use health data
  • neither HIPAA nor Genetic Information Non-Discrimination Act (GINA) prevent the systemic corporate business practice of selling Americans’ highly sensitive personal health information (like genetic test results)

He laid out an historic, tough new Consumer Privacy Bill of Rights to stop the data mining and data theft industries. The first principle is that of individual control: “Consumers have a right to exercise control over what personal data companies collect from them and how they use it.”

Key quotes from the Administration’s new “Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy”:

  • “Strong consumer data privacy protections are essential to maintaining consumers’ trust in the tech­nologies and companies that drive the digital economy.”
  • The President concluded, “It [privacy] has been at the heart of our democracy from its inception, and we need it now more than ever.”

The only way we can trust the Internet and have a vibrant global digital economy is if individuals control personal information online and in electronic systems. The right of informed consent before personal information is collected or used must be restored.

When will the health IT industry, Congress, and lawmakers across the US act to restore the right to privacy and control over personal information?

Re: David Cameron ready to put chunks of NHS up for sale, says Labour

The British Prime Minister proposes opening up and selling the health information of British citizens, ie copying the US model of data sales because he sees it’s worth tens-hundreds of billions in annual revenue to those in the US selling data. For at least the past decade, US industry has been violating Americans’ expectations and strong rights to health privacy by selling and using sensitive patient health information without consent, and without public awareness, much less, debate.

See more here: David Cameron ready to put chunks of NHS up for sale, says Labour

Key quotes:

  • Prime Minister “[Cameron] sees no limit on the involvement of the private sector and says he wants it to be a ‘fantastic business’. In his desperation to develop a credible industrial strategy, he seems willing to put large chunks of our NHS up for sale.”
  • Roger Gross, from the pressure group Patient Concern, said that allowing private firms access to NHS data would mean “the death of patient confidentiality”.
  • “We understand GP surgeries will have the right to refuse to release their patients’ records, but whether patients will ever be told what is happening, let alone have the choice to protect their privacy, is still unclear,” Gross said.

Leaders in Congress Call Out TRICARE & SAIC

We congratulate the leaders in Congress, Reps Markey, Barton, DeGette, Stearns, and Andrews for calling TRICARE and SAIC on the carpet for not securing military families’ sensitive health data. See the letter here.

We hope this letter leads to Congressional oversight hearings into the industry-wide culture of disregard for the privacy of military personnel’s and all Americans’ sensitive electronic health information. The worst serial corporate abusers should be penalized and prevented from getting federal contracts. We need Congress to get to the roots of the industry-wide disregard for health privacy FAST, before millions more people are harmed, not just by medical identity theft, but by the use of health information to discriminate against them in employment, credit, and other key opportunities in life. Once health records are exposed, they can never be made private again.

It is well-known in the healthcare industry and by privacy advocates that about 80% of healthcare providers and the health IT corporations that manage health information have ignored federal laws requiring encryption and data security protection for years. Obviously, head-in-the-sand approaches to data security simply don’t make sense. Clearly it’s cheaper and easier for corporations to ignore the law and common sense than it is to protect our most sensitive personal information, from diagnoses to DNA.

The fact that SAIC has continued to get billions in funds from the federal government despite repeated breaches of sensitive health information shows also that the federal process of awarding, monitoring and auditing, and assuring performance of billion-dollar contracts needs investigation.

Providers, healthcare organizations, and technology companies that do not use state-of-the-art data security for health information should not be allowed to work in the healthcare field. If you are unwilling to protect patient data, you don’t belong in healthcare.

We also strongly support the proposal to make sure that victims of health data breaches receive effective state-of-the-art remediation. Victims should be able to use new technology that enables them to monitor all health insurance claims before they are submitted, so they can prevent the fraud and prevent other people’s health data from being added to their health records.

House to Defense Top Doc: What’s Up With TRICARE Theft?

Four members of the House Energy and Commerce Committee and one member of the House Armed Services Committee want some answers from Dr. Jonathan Woodson, the Pentagon’s top medical official, about how the Defense Department handled the September theft of computer tapes containing the records of 4.9 million TRICARE beneficiaries from the car of an SAIC employee in San Antonio, Texas. Woodson is the assistant secretary of Defense for health affairs and director of the TRICARE Management Activity, which was responsible for the data.

Woodson has been mum on this debacle since it unfolded, and in fact gave a speech in San Antonio the week after the theft was reported and, as far as I can determine, never addressed the issue…

…Last month, TRICARE directed SAIC to offer credit monitoring services to patients whose information was stored on the stolen tapes. Dr. Deborah Peel, founder of Patient Privacy Rights, an advocacy group based in Austin, Texas, says this does nothing to insure the safety of health care information on those tapes.

Peel, who sent me the Congressional letter to Woodson, said those patients should also be provided with new technology that allows them to monitor all health insurance claims before they are submitted, so they can prevent fraud as well as other people’s health data from being added to their health records.

See Patient Privacy Rights’ Press Release

Stanford medical records posted on public website, now removed

Below is part of the story published by MercuryNews.com, quoting Dr. Deborah Peel, founder of Patient Privacy Rights.

“The electronic medical records of 20,000 Stanford Hospital emergency room patients, including names and diagnostic codes, were posted on a commercial website, the hospital disclosed Thursday.

Personal information about patients seen between March 1 and Aug. 31, 2009, has been removed from the website and an investigation is under way, according to Stanford Hospital spokesman Gary Migdol.

But the startling breach — caused by a vendor’s subcontractor, who has assumed responsibility — raises questions about the privacy of medical information as it passes through many hands.

In one instance, it revealed a psychiatric diagnosis of a Santa Clara patient.

The released information also included medical record numbers, hospital account numbers, billing charges and emergency room admission and discharge dates. Credit card and Social Security numbers were not included…

…Americans expect doctors and hospitals to use their records only with consent, said Dr. Deborah C. Peel, founder of the watchdog group Patient Privacy Rights, “not to give them to legions of contractors and strangers. Existing regulations are just not strong enough to protect Americans’ sensitive health information. Today’s electronic health systems are not safe or trustworthy.”"

Patient Data Posted Online in Major Breach of Privacy

This New York Times article by Kevin Sack outlines the key findings by experts at the Health Privacy Sumit: There are SERIOUS flaws in electronic health records when it comes to privacy, and these need to be addressed NOW.

“A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford breach spotlighted the persistent vulnerability posed by legions of outside contractors that gain access to private data.”