Thursday, October 21, 2010

Medical data breach of the week - but your EMR data is secure, trust us, we're IT experts

I have written frequently about the pipe dream of secure national electronic medical records, such as in February 2010 at my post "Networked EMR's and Healthcare Information Security: Practical When Massive IT Security Breaches Continue?", my post "Networked, Interoperable, Secure National Medical Records a Castle in the Sky?", as well as "Operation Aurora And a Widespread Reluctance to Discuss IT Flaws: Is Universal Healthcare IT Really a Good Idea in 2010?" and others.

I was also quoted on July 30, 2010, in a Philadelphia Inquirer story about the theft of a laptop computer with data on 21,000 patients from Thomas Jefferson University Hospital here, and also interviewed August 2 by local NPR station WHYY-91FM, where I stated:

"There is almost no excuse for unencrypted data to be sitting on any computer at a hospital or any organization," said Scot Silverstein, a Drexel University expert on health-information technology.

In the latest health-data-on-computer-theft-of-the-week, the Inquirer ran this story today about a local theft ten times as large as July's:

Medical-data breach said to be major
A computer flash drive containing the names, addresses, and personal health information of 280,000 people is missing - one of the largest recent security breaches of personal health data in the nation.

"We deeply regret this unfortunate incident," said Jay Feldstein, the president of the two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan.

The breach, which involves the records of Medicaid recipients, is the first such Medicaid data breach in Pennsylvania since at least 1997, according to the state's Department of Welfare, which has oversight.

There is little more I can add to my prior postings on this issue except the words of privacy advocate, psychiatrist Dr. Deborah Peel:

The security failure, one of the several largest in nearly two years, involves nearly two-thirds of the insurers' subscribers. It became known only after The Inquirer requested information Tuesday evening. The insurers said the drive was missing from the corporate offices on Stevens Drive in Southwest Philadelphia. It noted that the same flash drive was used at community health fairs.

"That seems grossly irresponsible," said Dr. Deborah Peel, a Texas psychiatrist who heads Patient Privacy Rights, an advocacy group.

"Why would you be hauling around private patient information to a health fair," she said. "I can't imagine what they were thinking, taking this data out of a locked room at company headquarters.

"What's tragic is that this is a particularly vulnerable group of people," Peel said. "They tend to be vulnerable to identity theft, vulnerable to discrimination." Medicaid recipients are low-income people.


As to encryption (a built-in feature of the upper tier versions of Windows and of Mac OS X):

They [the companies] would not comment on the riskiness of taking the drive to health fairs, nor would they say whether the data on the drive was encrypted.

Highly likely translation: no.

The companies issued an apology:

"At Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, our number one priority is our members. Since reporting this unfortunate incident to the Department of Public Welfare, we have actively and responsibly executed a multifaceted plan to inform those affected, while also evaluating and enhancing our security measures to ensure this does not happen again."

[Did any employee have their "privileges revoked" -- the medical term of art for a physician who is 'fired' -- I wonder? - ed.]

Perhaps the executives in charge of this data, as well as the IT department, should read stories like the aforementioned July 30, 2010 story.

However, I fear there are those who are ineducable or hopelessly irresponsible when it comes to acting cautiously and responsibly regarding computer-based medical information, in the poorly bounded, complex, unpredictable world of healthcare.

That is not to even mention deliberate theft for personal gain.

This is why the dream of
secure national electronic medical records seems a pipe dream for the foreseeable future.

-- SS

10/23 Addendum

in an updated story, the Inquirer reports the data was indeed unencrypted, although the companies claimed an encryption project was in progress.

No comments: