Article first published as Do You Know Where Your Sensitive Medical Information Is Right Now? on Technorati.
We all know that doctors and hospitals screw up sometimes. We’ve heard of surgeons amputating the wrong limb, or patients being given the wrong medication, or some other egregious mistake.
But do hospitals make other mistakes that might be putting you and your family in harm’s way – even when you’re not physically at the hospital?
Turns out, yes, that problem is happening quite frequently due to the frailty of online medical records.
Just take the recent case in California that affected 20,000 innocent people who had nothing in common except for the fact they had each visited the same emergency room over a six-month period.
Multi-Specialty Collection Services, a Stanford University hospital billing sub-contractor, had a detailed spreadsheet of 20,000 emergency room patients seen in the department between March 1, 2009 and August 31, 2009. The unencrypted file – which contained patient names, billing charges, and medical record numbers – was somehow accessed inappropriately and then posted online.
A former patient at Stanford Hospital and Clinics first spotted the file online and immediately notified the hospital.
A hospital spokesman confirmed that the medical file was removed from the website upon learning of the data breach. The spokesman said patients’ Social Security numbers were not involved in the breach, though the hospital is still offering affected patients free identity-protection services.
The Palo Alto, California-based incident spotlights the ongoing weaknesses for patients all around the country who allow hospitals and outside contractors access to sensitive information.
Twist of Irony
In a strange twist of irony, 2,000 patient files were hacked at Beth Israel Deaconess Medical Center in Boston this past summer. And Dr. Kevin Tabb, the former chief medical officer at Stanford Hospitals and Clinics, will become the new CEO of Beth Israel in Boston this month.
In the Beth Israel case, a machine at the Boston hospital was found to be infected with a computer virus, which transmitted data files to an unknown location. The computer contained medical record numbers, names, genders, and birth dates of 2,021 patients, as well as the names and dates of radiology procedures they had undergone.
Not the First Time
Both the Stanford University and Beth Israel data breaches are merely symptoms of a much larger problem with sensitive patient information being shared online.
In fact, the U.S. Department of Health and Human Services maintains an ongoing database of medical data breaches affecting 500 or more individuals.
Some breaches are due to lost paper files, but many are due to “network server” or “laptop” issues.
Not to mention breaches in Big Pharma, with the massive Epsilon data breach revealing that hacking can go far beyond simply exposing customer names and emails.
Indeed, pharma giant GlaxoSmithKline later alerted customers via email that their email addresses and names were compromised and that the stolen information may have identified the product website on which they registered their medical conditions.
These sobering statistics beg the question: how many more online data thefts have not yet been noticed?
If not for the alert patient in California who spotted the Stanford medical file, how much longer would that sensitive information have remained online?
Just Say No!
Do you know who has access to your sensitive medical information right now? Consider that question the next time you are filling out a form in person or online. Guard your Social Security number, and your children’s, as overusing your number is one of the main causes of identity theft.
Outside of the medical setting, it’s best to question why anyone is requesting access to Social Security numbers at all, especially for your children. After all, you do not have to turn over your child’s Social Security number in order for them to play in youth sports leagues and various school activities.
The fewer people who have access to your family’s sensitive personal information, the better.