Monday, January 12, 2009

Hospital Addresses Online Privacy "Mistake"


Events like this should be considered "Never Events", much like medical errors themselves for which physicians are held accountable.

Yet stories like this, along with security breaches, lost medical data, unencrypted disks and tapes, etc., appear almost weekly.

If medical errors are "avoidable", how about healthcare IT errors? What types of incompetence allowed such events to occur, and why are those responsible not held accountable in no uncertain terms?

Hospital Addresses Online Privacy Mistake, Pittsburgh, PA

Patients Can No Longer See Other Patients' Information Online [thank God for that -ed.]

Friday, January 9, 2009

A former patient at West Penn hospital went online to pay her bill and discovered she had access to other patients' information.

Dana DeMarco showed Target Eleven Investigator Rick Earle how she was able to view information on 85 other patients.

That information included the patient's name, address, medical procedure and costs.

"I was just kind of in shock and disbelief and I was like, 'Who can see my information?' is my first reaction because of the privacy issues and it's really a personal private issue. And I was like, 'Who can see my information?' and do these people realize that other people can access their hospital bills online?" DeMarco questioned.

DeMarco said she sent two e-mails alerting the hospital but got no response [sounds like a typical IT help desk - ed.]

DeMarco then contacted Target Eleven [apparently, the news station investigative reporter section - ed.]

When Earle contacted the hospital, hospital officials began an investigation.

A hospital spokesman blamed the problem on a temporary data translation error involving a third-party billing partner. [So, was the computer at fault? I don't think so. Allow me to perform a 'translation': to save some bucks the hospital outsourced a key function to a cheap, external company named Mediocrity, Inc. - ed.]

"We immediately disabled the online bill payment service to complete a full audit of the system. We are working to institute additional safeguards and cross-checks with out third party service to ensure that this issues is completely resolved [this time around - and at this hospital - ed.]," said spokesman Dan Laurent.

Laurent said this was an isolated incident and that only 15 patients had their information viewed.

"Only" 15 patients had their confidential information viewed by - who knows? Well, we should be relieved ... I guess.

I have often written that health IT should be subject to the same rigor - and accountability - as medicine itself.

Yet not long ago I received at my home, addressed to me via the computer, as if I had ordered it, a facial X-ray report of a woman who probably suffered an assault of some kind (domestic abuse?) from the facility where I'd done my residency 20 years ago.

Problem is, I hadn't worked at that hospital since then or ordered any x-rays on anyone whatsoever, anywhere, in fifteen years.

-- SS

No comments: