Tuesday, October 20, 2009

Private medical records offered for sale

Private medical records have been offered for sale in the U.K.

And quite cheaply, too...

e-Health Insider (Europe)
Private Medical Records Offered for Sale
Oct. 20, 2009

Medical records of patients treated at a private British hospital, The London Clinic, have been illegally sold to undercover investigators.

The revelations were made in ITV’s Tonight Programme report, Health Records For Sale, broadcast last night.

The programme reported that hundreds of files containing details of patients’ conditions, home addresses and dates of birth were offered to undercover reporters for just £4 each by sales executives from India, contacted online.

That's about $6.56 U.S. each. A genuine bargain for those intrepid medical identity thieves, and pesky government death panels ...

The records offered for sale appear to have been medical records of consultants working at the London Clinic (the hospital processes its own records internally), who contracted with a firm called DGL Information Technologies UK to digitise their records.

DGL is then claimed to have sub-contracted to another firm, Scanning and Data Solutions (SDS), which scanned them into computers in the UK. SDS in turn is said to have sub-contracted further work on the files to a company in Pune, India, which had signed tight confidentiality agreements.

With all this contracting and subcontracting (four layers?) multiplying the opportunities for a breach, and if the practice is not uncommon, perhaps paper is safer than electronic health records?

... The reporters bought more than 100 records belonging to UK patients but were told they could obtain up to 30,000 more on demand. Confidential records were offered by condition such as particular cancers.

The 116 files bought by ITV, 100 of which were confirmed as genuine, were for patients who had been treated in private hospitals. Although not NHS records they did contain some NHS data, including referral letters from GPs.

The potential abuses resulting from such sales are of great concern. If it happened in the UK, it can happen in the U.S.

One patient whose record was affected by the security breach said in the documentary that the data breach was ‘one step up from grave-robbing’.

I agree with that assessment.

These practices call for the most severe penalties, and if the authorities lack the will, confidence in EMR privacy, confidentiality and security will suffer, along with the physician-patient relationship.

The old ST:TOS line "Sometimes a man will tell his bartender things he'll never tell his doctor" could become too applicable for comfort.

Sometimes a man will tell his bartender things he'll never tell his doctor ... especially if he suspects his data is for sale to the Talosians, Captain ...

-- SS


Anonymous said...

As a business person my question is margins and fair pricing. If a person can contract a function and then move through three more subcontractors, each making a profit on the transaction, somebody is overpaying.

One of the fun exercises we did in graduate school was play telephone. A simple statement was started with one student and 20 people later what was said had nothing to do with the original statement. Four contracts later all of the "signed" statements in the world are not going to direct the behavior of those doing the work.

These are all basic concepts, but I guess where computers are involved, there can be no wrong.

Steve Lucas

InformaticsMD said...

Four contracts later all of the "signed" statements in the world are not going to direct the behavior of those doing the work.


Thanks for those insights.

The overpayment issue is clear.

I was thinking that those contract-subcontract-subsubcontract-subsubsubcontract practices raised the risk of breaches. I just underestimated by how much.

Are you familiar with the book "Seven Lean Years" (1999, Tom Nadeau) that describes the contract-subcontract game as a "towering champagne fountain, flowing with money instead of alcohol"?

Anonymous said...


Do not know the book but "champagne fountain" sounds about right. My wife is a policy person in a government office and what they attempt to do is meet with the programmers, not supervisors, anytime there is a major project. The reality is that what the programmers have been told, and what the desired end results are, are often two very different products.

Communications need to be clear and concise.

As you move away from the two original parties nuance and context are lost.

As you have pointed out many times, the best situation is where the programmer and end user work together on the product. This concept of customer and worker interacting will work in almost any field.

Steve Lucas