BreachExchange mailing list archives

Invasion of medical records, hospital privacy on rise


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 17 Nov 2014 18:46:39 -0700

http://www.dailybreeze.com/health/20141115/invasion-of-medical-records-hospital-privacy-on-rise

She had jabbed pencils into her eyes to try to kill herself.

When the woman was brought to a Los Angeles County emergency room in 2012
alive and in pain, a hospital employee snapped a photograph, breaking a
federal patient privacy law.

Two years later, when that photograph appeared on a website that features
gory images, the patient’s medical information had been shared publicly,
violating a state regulation.

The woman’s story is extreme, but her experience is an example of how her
privacy was violated and her medical data breached. Both crimes, which are
on the rise, can lead to identity theft or to misuse of information by
health insurance companies, said Pam Dixon, executive director of the San
Diego-based World Privacy Forum.

“The employee disclosed sensitive information about the patient
inappropriately and then when the photograph was posted online and went
viral, that constituted a data breach,” Dixon said. “That data breach is
against the law.”

California state law requires hospitals to report breaches of patient
medical data. The number of incidents investigated by the California
Department of Public Health rose to 4,213 last year, or an 81 percent
increase from 2009 when there were 2,333 cases.

On a federal level, the Health Insurance Portability and Accountability Act
of 1996 or HIPAA is supposed to ensure privacy and confidentiality of
identifiable health information among other protections.

But complaints filed with the U.S. Department of Health and Human Services
have risen steadily. In 2013, there were 12,915 complaints filed across the
nation, nearly double the number filed in 2004. Dixon said that under the
Affordable Care Act all hospitals, clinics and physicians were pushed to
digitize medical records to boost efficiency. But not enough has been done
to ensure privacy, which in turn places consumers at risk.

“It is one of the great oversights of the Affordable Care Act,” Dixon said.
“The rate of data breach is not acceptable. It’s a big deal because privacy
exists in the details.”

The vast majority of breaches investigated by the California Department of
Public Health involve unintentional disclosures of medical information that
would include documents that are delivered, mailed or faxed to an
unintended recipient, state officials said.

Health department officials said they could not comment on what individuals
do with medical information that is accessed without authorization because
there are too many different scenarios.

“However, many unintentional breaches that we have investigated involve an
unauthorized access of medical information that does not result in any
further use or disclosure of this information,” according to a California
Department of Public Health statement.

HIGH-PROFILE BREACHES

Notable and extreme cases involving celebrities have put a spotlight on the
problem and led to the establishment of a hefty penalty system. In 2011,
UCLA agreed to pay a penalty of $865,500 as part of a settlement with
federal regulators after Farrah Fawcett and another celebrity patient
alleged that hospital employees reviewed their medical records without
authorization. Later in 2011, UCLA was sued for violating a California law
after burglars took a laptop from a physician’s home that contained the
medical records and other personal information belonging to 16,000 patients.

In another case that year involving social media, officials with Providence
Holy Cross Medical Center in Mission Hills dismissed an employee hired from
a staffing agency for posting a patient’s medical information on his
Facebook page, apparently to make fun of the woman’s name and her medical
condition.

And this fall, two nurses were fired from the Nebraska Medical Center in
Omaha after they allegedly looked at the medical file of an American aid
worker infected with Ebola, according to published reports. Officials at
the hospital told reporters that an audit of the hospital’s electronic
medical records led to the discovery that two employees had inappropriately
accessed Dr. Rick Sacra’s file and that their actions violated federal
patient privacy regulations.

“There’s zero tolerance for this at all hospitals,” said Jennifer Bayer,
spokeswoman for the Hospital Association of Southern California. “That kind
of training has been going on and special attention has been on social
media.”

Bayer said hospitals have expensive software in place that allows staff
only at specific levels to access certain records. And there are other
controls in place, such as staff watching over staff.
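The Nebraska case above was caught by an audit of the hospital's electronic medical record access logs, and Bayer describes role-restricted access plus "staff watching over staff". The following is an added illustration of what such a review looks like in code; it is not from the article or any hospital's actual system. The log format, the care-team roster, the role-to-action map, the list of patients under heightened monitoring and every user, patient and timestamp are constructed assumptions. Records accessed by someone not assigned to the patient without a documented emergency justification, and actions a role is not permitted to perform, are flagged for review.

```python
"""Toy EMR access-log audit: flag chart access by staff who are not on the
patient's care team, plus role/action mismatches. Illustration only; the
log format, roster and rules below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample access-log lines (not real data):
# timestamp, user, role, patient id, action, justification ("-" = none).
SAMPLE_LOG = """\
2014-10-02T08:15:00 nurse_a RN P1001 VIEW_CHART -
2014-10-02T08:20:00 dr_b MD P1001 VIEW_CHART -
2014-10-02T09:05:00 nurse_c RN P1001 VIEW_CHART -
2014-10-02T09:06:00 nurse_d RN P1001 VIEW_CHART -
2014-10-02T10:00:00 dr_e MD P1001 VIEW_CHART emergency-consult
2014-10-02T11:30:00 nurse_a RN P2002 VIEW_CHART -
2014-10-02T12:00:00 clerk_f CLERK P2002 PRINT_CHART -
"""

# Constructed care-team roster: which users are assigned to which patient.
CARE_TEAM: Dict[str, Set[str]] = {"P1001": {"nurse_a", "dr_b"}, "P2002": {"nurse_a"}}
# Constructed set of patients under heightened monitoring (e.g. high-profile cases).
RESTRICTED_PATIENTS: Set[str] = {"P1001"}
# Constructed role -> permitted actions map (the "specific levels" idea).
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "RN": {"VIEW_CHART"},
    "MD": {"VIEW_CHART", "PRINT_CHART"},
    "CLERK": {"SCHEDULE"},
}


@dataclass
class AccessEvent:
    ts: str
    user: str
    role: str
    patient: str
    action: str
    justification: Optional[str]


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed whitespace-separated log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, just = line.split()
        events.append(AccessEvent(ts, user, role, patient, action,
                                  None if just == "-" else just))
    return events


def audit(events: List[AccessEvent], care_team: Dict[str, Set[str]],
          restricted: Set[str], role_actions: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per event that violates the care-team or role rules."""
    findings = []
    for ev in events:
        reasons = []
        on_team = ev.user in care_team.get(ev.patient, set())
        if not on_team:
            if ev.justification:
                reasons.append(f"break-the-glass access, justification: {ev.justification}")
            else:
                reasons.append("not on care team and no justification")
        role_violation = ev.action not in role_actions.get(ev.role, set())
        if role_violation:
            reasons.append(f"action {ev.action} not permitted for role {ev.role}")
        if not reasons:
            continue
        if role_violation:
            severity = "high"
        elif not on_team and not ev.justification:
            severity = "high" if ev.patient in restricted else "medium"
        else:
            severity = "review"  # justified emergency access still gets a human look
        findings.append({"ts": ev.ts, "user": ev.user, "patient": ev.patient,
                         "reasons": reasons, "severity": severity})
    return findings


def unjustified_users_by_patient(findings: List[dict]) -> Dict[str, List[str]]:
    """Group unjustified non-care-team accesses by patient: several distinct
    users hitting one chart is the pattern the Nebraska audit describes."""
    by_patient = defaultdict(set)
    for f in findings:
        if "not on care team and no justification" in f["reasons"]:
            by_patient[f["patient"]].add(f["user"])
    return {p: sorted(users) for p, users in by_patient.items()}


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG), CARE_TEAM, RESTRICTED_PATIENTS, ROLE_ACTIONS)
    for f in results:
        print(f["severity"].upper(), f["ts"], f["user"], f["patient"], "; ".join(f["reasons"]))
    print(unjustified_users_by_patient(results))
```

The point of keeping a "review" severity for justified emergency access is that break-the-glass reads are legitimate but must remain auditable; the check does not block them, it routes them to a reviewer.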

“Some programs are robust and some are very expensive, but that’s what
hospitals are trying to do, especially with high-profile patients, such as
those with Ebola or celebrities,” Bayer said.

But there are challenges. Physicians are able to access medical records
outside the hospital, and there are concerns about stolen laptops, which
has also happened.

“There’s a lot of work in encrypting that information,” Bayer said.
“Patients should have an expectation that their information is private.
They should feel comfortable knowing that.”

The woman who tried to kill herself by plunging pencils in her eyes has
since received psychiatric help, has learned Braille and is taking college
classes. But when she learned that her image had become public, she became
distressed, her attorney said in a recent complaint filed against Los
Angeles County-USC Medical Center. The woman is suing the hospital and
those involved for inflicting emotional distress and for breaching her
personal medical records. The complaint outlines how a nurse took a
photograph of the woman, dubbed Jane Doe. The photo was passed on to
another woman whose son then obtained the image and posted it twice on the
Internet.

Dixon, of the World Privacy Forum, said such inappropriate behavior among
medical staff is rare, and most hospitals work hard to comply with the law.
But once a medical file is breached or a patient’s information is leaked,
it can be too late.

“When there’s a privacy breach, there are serious consequences that can be
had there,” Dixon said. “My concern is in the rush to digitize all of our
records, that sometimes privacy goes by the wayside.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/