And quite cheaply, too...
e-Health Insider (Europe)
Private Medical Records Offered for Sale
Oct. 20, 2009
Medical records of patients treated at a private British hospital, The London Clinic, have been illegally sold to undercover investigators.
The revelations were made in ITV’s Tonight Programme report, Health Records For Sale, broadcast last night.
The programme reported that hundreds of files containing details of patients’ conditions, home addresses and dates of birth were offered to undercover reporters for just £4 each by sales executives from India, contacted online.
That's about $6.56 U.S. each. A genuine bargain for those intrepid medical identity thieves, and pesky government death panels ...
The records offered for sale appear to have been medical records that consultants working at the London Clinic, the hospital processes its own records internally, who contracted with a firm called DGL (DGL) Information Technologies UK to digitise their records.
DGL is then claimed to have sub-contracted to another firm, Scanning and Data Solutions (SDS), which scanned them into computers in the UK. SDS in turn is said to have sub-contracted further work on the files to a company in Pune, India, which had signed tight confidentiality agreements.
With all this contracting and subcontracting - four layers? - adding potential security breach possibilities, and if this is not an uncommon practice, perhaps paper is safer than electronic health records?
... The reporters bought more than 100 records belonging to UK patients but were told they could obtain up to 30,000 more on demand. Confidential records were offered by condition such as particular cancers.
Of 116 files bought by ITV, 100 of which were confirmed as genuine, were for patients who had been treated in private hospitals. Although not NHS records they did contain some NHS data, including referral letters from GPs.
The potential abuses resulting from such sales are of great concern. If it happened in the UK, it can happen in the U.S.
One patient whose record was affected by the security breach said in the documentary that the data breach was ‘one step up from grave-robbing’.
I agree with that assessment.
These practices call for the most severe penalties, and if the authorities lack the will, confidence in EMR privacy, confidentiality and security will suffer, along with the physician-patient relationship.
The old ST:TOS line "Sometimes a man will tell his bartender things he'll never tell his doctor" could become too applicable for comfort.