Just when you think it’s safe to provide your Social Security number on your doctor’s intake forms, another wave of medical data breaches crashes over our hopeful heads and reminds us that less (personal detail) is more.
That’s because data breaches at major medical centers are all over the place again this month. Will a $40 million lawsuit in Canada, or the lawsuit by two United States veterans against the Department of Veterans Affairs, make people pay attention to such security gaffes and finally demand tighter security?
Several Canadian patients have sued Ottawa-based Montfort Hospital after a misplaced, unencrypted USB drive exposed more than 25,000 patients’ names and personal medical details. The misplaced personal information also included sensitive information for about 1,255 members of the Canadian Armed Forces.
The lawsuit accuses the Montfort Hospital of breach of contract, breach of privacy, and violating its own bylaws and Ontario’s Personal Health Information and Protection Act.
The hospital is accused of failing to ensure the memory device was password-protected and failing to disclose the loss of personal information in a timely manner.
“The contract offered peace of mind to the plaintiffs and the class members,” reads the statement of claim. “Patients believed that their personal information would be kept in a secure manner and would not be lost, disseminated or disclosed to unauthorized persons.”
Another lawsuit — this time against the U.S. Department of Veterans Affairs — alleges that a stolen laptop containing unencrypted sensitive personal and medical information of more than 7,000 veterans will cause long-term harm. The lawsuit says the loss of such data subjects the veterans to possible identity theft and medical insurance abuse, and that such threats will continue to harm the veterans far into the future.
The case stems from a missing government laptop at Columbia’s Dorn VA Medical Center; the lawsuit filed in federal court seeks unspecified damages as well as class-action status.
The lawsuit also claims that the VA failed to implement basic computer safeguards, even after a 2006 data breach exposed information on more than 17 million veterans and their families.
“These vets who have served in Iraq and Afghanistan deserve better,” said attorney Michael Kelly, one of the lawyers representing the two U.S. veterans.
Meanwhile, about 130,000 Indiana patients got the shock of a lifetime when they received a letter on May 10 warning them that their sensitive information was included in a recent health data breach.
In this instance, an unencrypted laptop at Indiana University Health Arnett was stolen from an employee’s car. The laptop contained patients’ names, dates of birth, physicians’ names, medical record numbers, diagnoses, and dates of service. Luckily, patients’ Social Security numbers were not included on the laptop.
But patients in Tennessee are not quite as fortunate. The Regional Medical Center in Memphis is notifying about 1,200 patients of a HIPAA data breach that included the patients’ protected health information and Social Security numbers. The hospital says an employee sent out three unsecured emails containing the sensitive personal information in late 2012, though the incident wasn’t discovered until March 15, 2013. The unsecured emails included patients’ names, Social Security numbers, dates of birth, account numbers, phone numbers, and outpatient physical therapy services data.
Finally, at Presbyterian Anesthesia Associates in North Carolina, a hacker exploited a security flaw in the practice’s website in early May. The hacker gained access not only to credit card numbers for nearly 10,000 patients, but also to a database of names, contact information, and dates of birth.