Print — The Washington Post — June 2, 2012
As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials.
Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.
On May 14, federal prosecutors charged one of the hospital’s medical technicians with violating the Health Insurance Portability and Accountability Act, or HIPAA. Prosecutors say that over a 17-month period Laurie Napper used her position at the hospital to gain access to patients’ names, addresses and Medicare numbers in order to sell their information. A plea hearing has been set for June 12; Napper’s attorney declined comment.
Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients’ files onto a personal laptop, which was stolen from the contractor’s car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have read the patient files directly, with no randomly generated encryption key needed to unlock them. According to a hospital press release, those files included names, addresses, and Social Security numbers — and, in a few cases, “diagnosis-related information.”
Ronald J. Harris, Howard University’s top spokesman, said in an e-mail that the two incidents are unrelated, but declined to answer further questions. In its press release about the stolen laptop, the hospital said it will set new requirements for all laptops used by contractors and those issued to hospital personnel to help protect data.
Still it could have been worse. Much worse.
About this story
A version of this story appeared in The Washington Post on page A6 of the newspaper’s Sunday, June 3, 2012, edition. It was written in collaboration with Kaiser Health News, an independent health policy news service. The version of the story presented here appeared on Kaiser Health News’ website.
Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health announced that hackers based in Eastern Europe had broken into one of its servers and stolen personal medical information for almost 800,000 people — more than one of every four residents of the state.
And last November, TRICARE, which handles health insurance for the military, announced that a trove of its backup computer tapes had been stolen from one of its contractors in Virginia. The tapes contained names, Social Security numbers, home addresses and, in some cases, clinical notes and lab test results for nearly 5 million patients, making it the largest medical data breach since the Department of Health and Human Services began tracking incidents two and a half years ago.
As recently as five years ago, it’s possible no one outside Howard University would have known about the incidents there. But new reporting rules adopted as part of the 2009 stimulus act ensure the public knows far more about medical data breaches than in the past. When a breach occurs that affects 500 or more patients, health care providers now must notify not only HHS, but also the media.
Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, a Washington-based Internet advocacy group, said the number of incidents is growing with the increased use of digital health records. The health care industry, she added, has been slow to respond.
“Many financial companies have used encryption for years and they probably wonder what the heck is going on with the health care industry,” McGraw said. “It’s much cheaper to deploy safeguards than to suffer a breach.”
This growing problem puts HHS in a tough spot. It is pushing hospitals and doctors to adopt electronic health records, but it’s also responsible for punishing health care providers who fail to properly secure their patients’ records.
“Mistakes happen, incidents happen, corners get cut from time to time,” said Susan McAndrew, deputy director for health information policy at HHS’s Office of Civil Rights. “That’s where we come in.”
What Is A Data Breach?
While a medical data breach can lead to everything from identity theft to billing fraud to blackmail, some breaches ultimately have little consequence for the patients affected. When a medical data breach occurs, it simply means that patient information was, at some point in time, unsecured. For example, in the incident with the Howard University contractor, it’s unlikely the person who stole the laptop out of the contractor’s car knew – or cared – that there was medical data on it.
According to an HHS database, more than 40 percent of medical data breaches in the past two and a half years involved portable media devices such as laptops or hard drives. McGraw said many of these incidents were entirely avoidable.
“We have technology that can help save us when we’re all too human,” she said.
Cloud storage, password protection and encryption are all measures health care providers could be taking to make portable electronic health records more secure, McGraw said.
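The difference between the stolen Howard University laptop (password-protected but unencrypted) and the encryption McGraw recommends comes down to what is actually written to disk. The following Go program is an added illustration, not code from the article, the hospital or any of the organizations named: it stores a constructed, made-up patient record two ways, once as plaintext behind a notional login password and once sealed with AES-256-GCM under a randomly generated key, and then checks whether the Social Security number can be read straight out of the stored bytes. The record contents, field names and function names are all assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record of the kind the article describes (name, address,
// Social Security number, diagnosis). Every value is made up for this example.
var sampleRecord = []byte("name=Jane Doe;address=123 Example St;ssn=000-00-0000;dx=REDACTED")

// storePasswordProtected models the stolen laptop: a password gates the login
// screen, but the bytes written to disk are the record itself. Whoever reads the
// disk, or guesses the password, gets plaintext.
func storePasswordProtected(record []byte) []byte {
	return append([]byte(nil), record...)
}

// newDataKey generates the random 256-bit key that the laptop lacked.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// storeEncrypted seals the record with AES-256-GCM. Stored layout is
// nonce || ciphertext || tag; without the key the stored bytes reveal nothing
// about the record, and any tampering is detected when the blob is opened.
func storeEncrypted(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, record, nil), nil
}

// openEncrypted recovers the record; a wrong key or a modified blob fails closed.
func openEncrypted(key, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < aead.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := stored[:aead.NonceSize()], stored[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// exposesSSN reports whether the stored bytes contain the SSN in the clear,
// i.e. what a thief with the bare disk would find with a simple search.
func exposesSSN(stored []byte) bool {
	return bytes.Contains(stored, []byte("ssn=000-00-0000"))
}

func main() {
	plainOnDisk := storePasswordProtected(sampleRecord)
	fmt.Println("password-protected only, SSN readable from disk:", exposesSSN(plainOnDisk))

	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := storeEncrypted(key, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted at rest, SSN readable from disk:", exposesSSN(blob))

	back, err := openEncrypted(key, blob)
	fmt.Println("decrypt with the right key:", err == nil && bytes.Equal(back, sampleRecord))
	wrongKey, _ := newDataKey()
	_, err = openEncrypted(wrongKey, blob)
	fmt.Println("decrypt with a wrong key fails:", err != nil)
}
```

The point of the contrast is that a login password changes who the operating system lets sit at the keyboard, not what is on the drive; only the second store leaves a thief with bytes that are useless without a key held somewhere other than the laptop.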
Another thing that might make health care providers tighten their security is the potential of facing hefty fines if their patients’ data are breached. However, until very recently, providers haven’t had to worry much about this.
Since the enactment of HIPAA in 2003 until late last year, there were more than 22,000 complaints about violations of the law’s privacy rule. HHS issued a monetary penalty only once, according to a report it gave to Congress. Though the department has the power to issue subpoenas when enforcing HIPAA, it has only used that power twice since 2003.
“The industry is very interested and responsive to correct the mistakes that they make and improve their privacy policies,” McAndrew said, “so it’s not necessary for us to resort to these types of penalties.”
Senate Grilling
HHS was criticized for lax enforcement at a Senate hearing in November. In the six months that followed, the department reached settlements in several HIPAA cases with penalties totaling more than $1.5 million.
McGraw said HHS was losing credibility on the enforcement issue, so she’s pleased by the department’s rapid response to its Senate grilling.
But, she said, federal regulators can only do so much. While the benefits of electronic health records far outweigh the risks, McGraw said, those risks can only be mitigated — not eliminated.
“No matter how good you make the technology,” McGraw said, “we’ll never get the risk down to zero. But we can do a lot better than we have been doing.”
Largest Data Breaches
Since 2009, federal law has required health care providers to report to the Department of Health and Human Services and the news media all data breaches affecting 500 patients or more. These are the top 10 largest medical data breaches since then.