Almost a decade after a new law went into effect to strengthen health privacy protections, the number of breaches of patient records and databases across the U.S. suggests that personal health information is not as private or secure as many consumers might want or expect.
Since fall 2009, more than 400 large health care breaches affecting at least 500 people and more than 50,000 smaller breaches have been reported to the federal government.
One of the largest unauthorized disclosures in recent history of medical records and other private information happened in September, when computer tapes were stolen that contained data on almost 5 million people enrolled in TRICARE, the nation’s health program for military members, their families and retirees.
Some breaches have resulted in personal information being revealed online. The names and diagnosis codes of almost 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., were posted on a commercial website for nearly a year before it was discovered in September and taken down.
In Illinois, breaches since September 2009 have exposed private data on more than 250,000 people combined, including health records collected by several hospitals, a medical lab, a radiologist practice, a hospice and the Cook County Health and Hospitals System, which has had three breaches, according to a government database.
Such breaches can lead to identity theft, credit card fraud or fraud against the Medicaid or Medicare programs. If medical records are altered as a result of an individual posing as someone else to seek health care, the real patient can be put at risk for medical errors.
“The impact is profound when there is a breach of health care information, which increasingly is being committed by people who know what they want,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group. “They are looking for specific data. … Today, medical data are among the most sought-after data for committing fraud.”
Federal officials said patient information in the TRICARE case possibly included names, Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. The tapes were reported stolen from a car belonging to an employee of Science Applications International Corp., a TRICARE contractor.
TRICARE officials said no financial data, such as credit card or bank account numbers, were stored on the backup tapes, but some patients in a class-action lawsuit said unauthorized charges were made on their credit or debit cards.
Health data breaches happen for a multitude of reasons, ranging from inadvertent errors by employees to intentional acts by people trying to commit crimes to failure to properly safeguard computers and other electronic devices, which can store greater amounts of information in one place.
Elizabeth Page found out that her mammography records were breached when someone hacked a computer server that stored the records of a statewide mammography registry. Before that, Page hadn’t even known that her records were in the registry or that her information also had been forwarded to a national database.
“My information went everywhere, and I have no idea where,” said Page, of Raleigh, N.C.
In most breaches, information is misplaced, stolen or lost because of simple “human error and human nature,” said Susan McAndrew, deputy director for health information privacy in the U.S. Department of Health and Human Services’ Office for Civil Rights.
Angela Dinh, who works in the field of health privacy, said electronic health records have been around for decades, but technological advances over the last 10 years or so have made it possible to store and rapidly transmit thousands, even millions, of records. Not all health organizations and businesses have kept up with the times in protecting that information, she said, and the possibility of human error compounds the problem.
“That’s why it’s so important that the workforce is educated and trained properly about how to handle patient information,” said Dinh, director of professional practice and staff liaison for the Privacy and Security Practice Council at the American Health Information Management Association, based in Chicago.
The Health Insurance Portability and Accountability Act, or HIPAA, established standards for the privacy and security of individuals’ health care information, spelling out how it can be used and disclosed by certain individuals and organizations such as doctors’ offices, hospitals and health insurers.
Breaches by those regulated under HIPAA must now be reported to the federal government — and to the patients affected.
New laws have given federal officials added powers to investigate breaches and impose hefty fines for violations.
Last month, BlueCross BlueShield of Tennessee agreed to pay $1.5 million to settle potential HIPAA violations after 57 unencrypted computer hard drives containing private health data on more than 1 million people were stolen from a leased facility.
The insurer has been required to take additional steps to secure such information, McAndrew said.