WellPoint and UCLA privacy breaches
WellPoint probing data breach for 130,000 members
Reuters
April 9, 2008
Health insurer WellPoint Inc is investigating the cause of a breach involving protected health information for about 130,000 members, the company said on Wednesday.
The largest U.S. health insurer by membership said it recently discovered data became publicly available over the Internet in the past 12 months.
WellPoint, which offers an array of insurance through public and employer-sponsored plans, declined to identify which type of members were involved, or which states they were in, beyond saying they were in several.
http://www.reuters.com/article/domesticNews/idUSN0921842120080409
And…
Snooping in records has a history at UCLA
By Charles Ornstein
Los Angeles Times
April 11, 2008
Though UCLA Medical Center has portrayed recent privacy breaches as the rare actions of rogue employees, the hospital has known since at least 1995 that staffers were peeking into the medical records of such prominent patients as Tom Cruise and Mariah Carey — and even spying on one another’s medical care, according to records and interviews.
The stakes for hospitals grew in 2003 when a federal law, the Health Insurance Portability and Accountability Act, put in place criminal and civil sanctions for breaches of patient confidentiality.
It appears that UCLA has not gone as far as a major competitor — Cedars-Sinai Medical Center — in providing extra security for the files of high-profile patients.
UCLA officials said this week that every day they audit the medical records of 72 high-profile people who have been patients to monitor which employees view them. Cedars-Sinai reviews 10 times as many.
Only certain employees can access the records at Cedars-Sinai, and if an unauthorized user so much as attempts to get in, he or she can be fired.
Cedars-Sinai spokesman Richard Elbaum said the hospital also uses real-time alerts to signal inappropriate access of certain medical records. And the records of high-profile patients have a special on-screen warning that reads, “This patient record is restricted. All accesses are logged and audited. Inappropriate accesses are grounds for disciplinary action and/or dismissal.”
http://www.latimes.com/news/printedition/california/la-me-ucla11apr11,1,878793,full.story
Comment:
By Don McCanne, MD
Electronic medical records (EMRs) and integrated information technology systems (IT systems) will reduce health care costs in the future. At least that is what the politicians would have you believe, though the systems are expensive and will increase net costs since the expense and maintenance would more than offset any efficiency improvements.
Although EMRs and IT systems are helpful tools, they introduce exposure to privacy breaches that have implications far beyond those of paper records. Looking through a patient’s paper chart is one thing, but obtaining digital information that can be unleashed over the Internet for all the world to see, without any possibility of retracting the release of that information, is quite another.
Representatives of the IT industry claim that information is made secure through encryption. Even if the encryption involves a gazillion steps to access information, individuals such as physicians, nurses, pharmacists, billing administrators, and the patients themselves, who need that information, must be able to access it. It is impossible to create a security system that ensures appropriate access only to those with a need to know, while excluding access to every single other individual who has no right to that information.
Contrasting themselves with UCLA, the officials at Cedars-Sinai gloat that they have adopted extra measures to protect the information of high-profile patients. The implication is that the medical information about most of us does not warrant the same security level, and thus is more vulnerable to breaches. But even for the high-profile patients, many individuals would have legitimate access to those records. How can any administrator ever be certain that each individual with access would never abuse the responsibility that goes along with knowledge of patient’s most intimate medical history and findings? And there is no way to prevent others with nefarious intents (hackers) to access records if they really want the information.
The next politician who claims that we will control costs through EMRs and IT systems needs to be immediately confronted with this request. “Please explain precisely the technology that will be used to ensure that our private medical information can NEVER be unleashed on the Internet.” They will not have an answer, because it doesn’t exist.