Photo Credit: Pietro & Silvia

I have always been an advocate of protecting one’s personal information and privacy and was personally pleased when the HIPAA standards came into being, as this raised the tide for all medical care providers to a common level of information protection.  Indeed doctors, dentists, insurers, health organizations, hospitals and clinics all moved to have their data handling and storage reviewed and certified as being HIPAA compliant. Sadly, being compliant is not synonymous with being secure.  According to the Privacy Rights Clearinghouse there have been more than 87 separate data breaches made public from January 1 – June 10, 2011, which in aggregate affected more than 5,000,000 individuals’ records.  Let’s look at the variety of ways patient data were compromised and how every one of these losses was avoidable.

Hardcopy Records:

  • Control: In one instance approximately 1650+ paper records were designated for shredding.  The records were placed in an unsecured open area and went missing.
  • Abandoned: 22 boxes of patient records were found abandoned containing medical data from 1990-1999.  The hospital associated with the data had been closed since 2008.
  • Theft: A medical service provider noticed that during a break-in they had lost their patient medical records. (+1)
  • Recycling: Patient records were found in the recycle bin associated with a private practice.  A new employee had placed medical records in the recycle vice shredding.  (+1)
  • Mail: A box containing patient records was thought to have been mailed but did not arrive at the designated location
  • Theft: A doctor at a private practice took records home to shred.  He had them in his garage and they went missing.  The thief was caught attempting to sell the information.
  • Theft: In one instance, a former employee took approximately 500 patient records, while in a separate instance boxes of patient’s records were found in an employee’s home, storage units and rental houses.  In yet a third incident, hospital records were found in the vacated residence of a former employee of an Ambulance Service.

Recommendation: In the above examples implementation of record control processes (sign-in/sign-out), putting medical records in a physically secured room and implementing a two-person rule for movement of records outside of the confines of the office or for transport to storage or destruction would have addressed each of these issues.

Digital Records:

  • Theft: A medical office was broken into, 19 computers and a safe were all stolen. The safe contained patient checks and receipts; the computers contained names, addresses, dates of birth, medical records, health insurance data, sensitive medical data, prognosis etc. In two separate incidents, computers were stolen from two different healthcare providers on the same day – both thefts netted thousands of patient records. In yet another instance, a burglary at a hospital resulted in the loss of a laptop containing patient information. A hospital employee’s home was broken into and a laptop was stolen which contained the information of patients spanning nine-years.
  • Theft: In an unusual case, a computer containing patient data was stolen from a courtroom where an expert witness was using it.
  • Theft: A server was stolen from a medical practice and patient records spanning 30 years were stolen, affecting more than 20,000 individuals. In a different incident, at a prominent hospital, a desktop computer was taken, and it contained over 500,000 patient records.  A prominent health provider had multiple servers stolen from their data center resulting in the compromise of over 1.9 million patient records.  A laptop went missing from a secured IT systems room, affecting 84,000 patients.
  • Theft: A laptop was left unattended in a hospital employee’s car and was stolen.  The laptop contained patient data (+11).  An individual care provider also lost, through theft, a laptop containing patient health information.  A doctor’s office was broken into and the laptop with patient information was stolen.
  • Back-up Data Theft: A practice had stored their patient backup data in a third-party environment.  The back-up drive was stolen and had the practice’s records, including patient records. (+6)  In an incident of much larger scale, affecting more than 93,000 patients, a back-up drive containing patient data went missing when an employee took it home. In another incident involving a clinic, backup tapes were lifted from an employee’s car.
  • Third party: Backup tapes were stolen from an unsecured vehicle during transport by a third-party – the totality of the information spanned from 1991-2010 – 1.7 million individuals.  (+2)
  • Third party: The databases of a medical transcription company were breached revealing the medical data on more than a thousand patients from a contracting hospital.
  • Data breach: One health care provider noted their system had been breached and unauthorized access to their 15,000 client’s records had occurred.  In a separate incident patient information was exposed by a medical center following an IT incident.  One healthcare provider shuttered its doors following a breach of their IT system, which resulted in the medical information of their 12,000+ patients being posted on the Internet.  A former employee accessed the IT system and inappropriately accessed patient records.
  • Accidental: IT accidentally posted patient data to the internet resulting in exposure of patient data – some of the patients subsequently filed a class-action lawsuit – four counts against the hospital: breach of the duty of confidentiality, invasion of privacy by intrusion upon the seclusion of the plaintiffs, invasion of privacy by unreasonable publicity into the plaintiff’s private life, and negligence.  In an unresolved data breach, the records of 156,000 patients were exposed.  In a separate, unrelated incident, a web-developer inadvertently created an online tool for an insurance carrier, which placed individual’s personal identifying information online in an accessible format.
  • Medical Equipment: An ultrasound machine which had patient data in its memory was stolen, exposing medical information about approximately 6,000 persons. In an unrelated instance, a medical device (not identified) containing data on approximately 2,000 patients went missing.  And in another example a device containing data on 16,000+ patients went missing.

Recommendation: As can be seen, the bulk of data loss is electronic data loss.

  • With respect to backup tapes, USB sticks, portable hard drives, etc., I recommend the implementation of encryption on all data being placed on an external device.  In this manner, should a device go missing (as was the case numerous times over the past six months) the information is not at risk if encrypted.
  • As with the backup, patient data should be stored in an encrypted state.  If the laptop goes missing, the patient data is secured.  If the office or data center is physically breached and hardware lifted, the data is secured, the equipment is lost – the patient’s records are secured.
  • When you hire a professional to handle your data you should review the processes and technologies being used by the vendor to ensure your data is being afforded the same level of protection as you would expect if the vendor did not exist.  That means if you are moving records, equipment or other material with patient data, a two-person rule, sign-in/sign-out and full transparency as to where the data is at any given time.  If you are transmitting data to an off-site vendor, which contains medical data on your patients, ensure that your emails are encrypted and the work/finished copy at the transcription service is appropriately and sufficiently secure.
  • More and more medical equipment being used has onboard memory.  Processes around the purging of the data between patient use or disposal/maintenance would have reduced the breach which occurred due to theft of these devices.

Identity Theft:

  • Employee: An employee with patient access would access patient records and had data pertaining to over 100 separate individuals at the employee’s home.  The employee was arrested, convicted and sentenced to eight years in prison for Identity Theft.
  • Caregiver: A medical practice’s principal physician’s financial identity was stolen by a doctor who used it to open up lines of credit. The doctor was arrested.
  • Employees: A receptionist at a clinic stole personal identifying information of patients for the purposes of engaging in identity theft.  The receptionist and another employee absconded with more than $125,000.  Both individuals had prior fraud convictions.
  • Pharmaceutical: A pharmacy employee using the names and ID number of customers created fraudulent prescription reimbursement checks.
  • Unknown: A number of patients were notified that their information had been stolen and apparently used for fraudulent tax returns.  Those patients which visited a specific department between May 2008-June 2009 were affected.
  • Law Enforcement: A local District Attorney’s office notified a hospital their Accounts Payable system may have been breached.  Vendors and Employees for the period 1991-2011 had their information accessed, the information was used to open utility accounts.
  • Curiosity: Employees at a university medical center inappropriately accessed medical records of individuals who had appeared in the local news. Multiple employees were discharged or allowed to resign.  Similarly, at a separate University Medical Center, three staff employees were discharged for surfing patient data without caused.  The records were associated with an incident, which received national news attention.

Recommendation: Then we have those who break trust, with their employer or with their patients or both.  My recommendation is to have in place checks and balances with the ability to determine when unauthorized or anomalous access to patient records occur.  Such can serve as a clue to look a bit deeper.

When the first five months provides a rate of one million records a month in lost patient data, by year’s end five percent of the US population will have had their medical records compromised.  We have no choice we must take action now and keep the second half of 2011 from replicating the first.  Your patients are counting on you to protect their crown jewels, their data.

The preceding piece first appeared on the Mayo Clinic’s external social media blog on 19 July, Patient Data: The Crown Jewels and had the following editor’s note attached:
Editor’s Note: Christopher Burgess is a member of the External Advisory Board for the Mayo Clinic Center for Social Media. One question that is often raised about use of social media in health care is whether it is consistent with patient privacy. In this article, Christopher reviews reported patient data breaches in the first five months of 2011 and finds that social media are not unique in the potential for data loss; in fact, the reported data losses were not because of social media. Note that numbers in parentheses (+1, +2, etc.) indicate additional breaches of a similar nature. He also suggests safeguards against all kinds of patient privacy violations.