Thursday, September 08, 2011

New way to get kids interested in medicine: post confidential medical records on a homework site?

Was this a new way to get kids interested in medical careers?

Or was it an accident due to the highest levels of negligence associated with lowest/cheapest standards in hiring for mission critical roles?

Patient Data Posted Online in Major Breach of Privacy
New York Times
Sept. 8, 2011
Kevin Sack

A medical privacy breach at Stanford University’s hospital in Palo Alto, Calif., led to the public posting of medical records for 20,000 emergency room patients, including names and diagnosis codes, on a commercial Web site for nearly a year, the hospital has confirmed.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called “Student of Fortune,” which allows students to solicit paid assistance with their school work. Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

To teach the kids to be medical bean counters at an early age, perhaps?

Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford incident spotlights the persistent vulnerability posed by legions of outside contractors who gain access to private data.

In the Oct. 2009 post "Private medical records offered for sale" I wrote about how such data was for sale by onion-like layers of contractors - cheap.

The spreadsheet contained names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birthdates, credit-card accounts or other information used to perpetrate identity theft, he said, but the hospital is offering free identity protection services to affected patients.

(Partial) luck prevailed - this time.

The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer. The hospital took “aggressive steps,” [i.e., its CIO made a quick, panicky phone call - ed.] and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said.

Perhaps "aggressive steps" should have been taken before private medical data was published on a kids' homework site?

“It is clearly disturbing when this information gets public,” he said. “It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that.”

Would "Master of the Obvious" (a favorite line of my early medical mentor, cardiothoracic surgeon/polymath Dr. Victor P. Satinsky) be too kind a response to this statement?

Diane Dobson, of Santa Clara, Calif., said her “jaw dropped” on Saturday when she intercepted the letter from Ms. Meyer addressed to her 21-year-old son, who she said received emergency psychiatric treatment at Stanford in 2009. Ms. Dobson said it could have been disastrous if her son, who lives at home, had learned that his name was linked online to a diagnosis for psychosis.

“My son, I can tell you, is fragile and confused enough that this would have sent him over the edge,” Ms. Dobson said. “Everyone with an electronic medical record is at risk, and that means everyone.”

My sympathies go out to this mother and her son. Her concerns show that cavalier attitudes towards EMRs can lead to catastrophe beyond identity theft or career damage.

The incident at Stanford, while egregious in its details, is far from rare. Records compiled by the Department of Health and Human Services reveal that personal medical data for more than 11 million people has been improperly exposed during the last two years alone ... The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.

I'm certain there is an increasing amount of critical medical data being withheld by patients as publicity about these breaches becomes more well-known.

The breaches at Stanford reinforce that even the most prestigious medical centers are not immune to risk.

Massachusetts General Hospital in Boston, which trains Harvard medical students, agreed this year to pay a $1 million federal fine after an employee left paper medical records on a subway train while commuting to work. The pages contained the names of 192 patients, and diagnoses for about a third of them, including for H.I.V./AIDS. They were never recovered.

I note these are both pioneers in electronic health records. Imagine what might be happening at Podunk Hollow General Hospital...

Mr. Migdol said the hospital had concluded that “there is no employee from Stanford Hospital who has done anything impermissible.” He said he expected the federal Department of Health and Human Services to conduct its own investigation. Susan McAndrew, deputy director of health information privacy for the department’s Office of Civil Rights, said she could not discuss whether an investigation was in progress ... Bryan Cline, a vice president with the Health Information Trust Alliance, a nonprofit company that establishes privacy guidelines for health care providers, said that nearly 20 percent of breaches were perpetrated by outside contractors, accounting for more than half of all the records exposed.

When you start to outsource mission critical data, you should probably be prepared to take responsibility for whomever you outsource it to.

The vendor, identified by Mr. Migdol as Multi-Specialty Collection Services LLC, based in Los Angeles, could not be reached for comment. Mr. Migdol said the company created the spreadsheet as part of a billing-and-payment analysis for the hospital. He said the hospital immediately suspended its relationship with the contractor and received written certification that previous files would be destroyed or returned securely.

Apparently someone there with access to the spreadsheet was less than careful about keeping it away from children. One wonders if they would have been more careful with pornography...

“We’re still kind of caught in the pre-high-tech trust model instead of the insurance model,” Mr. Cline said. “Health care providers say, ‘I’m going to have some contract language and then just trust that you’ll protect my data because if you don’t I’m going to sue you.’ That just doesn’t work, as we can see. You have to do due diligence, something to assure yourself that the people you’re giving your data to can be trusted.”

I'd say we're still in the stone age with respect to our irrational exuberance about health IT. See my series of articles on these issues at these query links: computer security, medical record privacy, medical record confidentiality.

A fundamental set of rules in today's hire-on-the-cheap, keep-staffing-minimal environment is this:

1. If you want information to be kept secure, don't place it on a computer.
2. If you place the information on a computer, don't place the computer on a network.
3. If you place the computer on a network, the information is no longer secure.

In our current culture I do not believe these issues to be easily remediable, but hiring the truly best and brightest (after satisfactory scores in a very hard test in critical thinking skills) into IT roles - including design, implementation, and management - might be a start.

-- SS


Anonymous said...

Patients should demand that their information NOT go on an EMR. Wonder if there would be cause for legal action if they did not abide?

InformaticsMD said...

Considering they are not given the opportunity for informed consent to the use of unregulated EMR medical devices mediating their care, that is an interesting question.

-- SS

InformaticsMD said...

A reader wrote in to say that this data was posted from medical billing records, not EHR records, and that the breach [of 20,000 ED records containing names, diagnosis codes, account numbers, admission and discharge dates, and billing charges, likely generated from the clinical EHR components - ed.] would have occurred "even if the practices had used stone tablets for record keeping."

On the former point: a difference that makes no difference is not a difference.

On the latter point: I think not.

-- SS

Live IT ot Live with IT said...

Thank goodness no one was harmed, again. Or at least if someone was harmed, they can't figure out why.