09 September 2011

Data Breach

'Patient Data Posted Online in Major Breach of Privacy' by Kevin Sack in yesterday's New York Times reveals that personal information regarding 20,000 emergency room patients at Stanford Hospital went onto the web and stayed online for nearly a year.

The information included patient names and diagnostic codes. It featured in a spreadsheet from a Stanford billing contractor (Multi-Specialty Collection Services) that appeared on the Student of Fortune web site, a site used by students to solicit paid assistance with their schoolwork. The spreadsheet reportedly appeared on the site in September 2010 as an attachment to a question about how to convert data into a bar graph. The sheet included names, account numbers, admission and discharge dates, diagnostic codes (including those for psychiatric treatment) and billing charges for patients who used the hospital over a six-month period in 2009.

The NYT reports that -
The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer. The hospital took "aggressive steps", and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said.

"It is clearly disturbing when this information gets public," he said. "It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that."
The Times goes on to note that -
Records compiled by the Department of Health and Human Services reveal that personal medical data for more than 11 million people have been improperly exposed during the past two years alone.

Since passage of the federal stimulus package, which includes provisions requiring prompt public reporting of breaches, the government has received notice of 306 cases from September 2009 to June 2011 that affected at least 500 people apiece. A recent report to Congress tallied 30,000 smaller breaches from September 2009 to December 2010, affecting more than 72,000 people.

The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.

One occurred at the Lucile Packard Children’s Hospital at Stanford in January 2010, when a desktop computer holding the medical records of 532 patients was stolen from the heart center by an employee. Hospital officials said at the time that no patient information was compromised.

But the California Department of Public Health fined the hospital $250,000, the maximum allowed, for failing to report the breach within five days of discovery, as is required under state law. The hospital appealed the fine, and a settlement has been reached but not yet disclosed ...

Massachusetts General Hospital in Boston, which trains Harvard medical students, agreed this year to pay a $1 million federal fine after an employee left paper medical records on a subway while commuting to work. The pages included the names of 192 patients, and diagnoses for about a third of them, including diagnoses for H.I.V./AIDS. They were never recovered.

The Department of Health and Human Services viewed the breach as a potential violation of the Health Insurance Portability and Accountability Act, the 1996 law that requires protection of medical records....

Bryan Cline, a vice president with the Health Information Trust Alliance, a nonprofit company that establishes privacy guidelines for health providers, said nearly 20 percent of breaches involved outside contractors, accounting for more than half of all the records exposed.