As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials.
Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.
On May 14, federal prosecutors charged one of the hospital’s medical technicians with violating the Health Insurance Portability and Accountability Act (HIPAA). Prosecutors allege that over a 17-month period, Laurie Napper used her position at the hospital to gain access to patients’ names, addresses and Medicare numbers to sell their information. A plea hearing has been set for June 12. Napper’s attorney declined to comment.
Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients’ files onto a personal laptop, which was stolen from the contractor’s car. The data on the laptop was password-protected but unencrypted, which means the password guarded only the login screen: anyone who removed the hard drive or booted the machine from another disk could have read the patient files without ever guessing it. According to a hospital news release, those files included names, addresses and Social Security numbers — and, in a few cases, “diagnosis-related information.”
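The distinction between a password-protected laptop and an encrypted one is the security point of the Howard incident, so here is an added example (written for this page, not code from the hospital or the article) that shows it in miniature. The first store works like a login screen: it checks a password before handing over a record but keeps the record itself in the clear, so reading the stored bytes directly skips the check entirely. The second derives a key from the password and encrypts the record, so the stored bytes reveal nothing without it. The patient record and password are constructed for the example. Because the Python standard library has no AES, the cipher is HMAC-SHA256 in counter mode with a separate HMAC tag, used only as a stand-in; in practice use AES-GCM from a vetted library or, for a laptop, full-disk encryption.

```python
import hashlib
import hmac
import os

# Constructed sample record and password (not real data).
RECORD = b"name=Jane Doe;ssn=000-00-0000;dx=hypertension\n"
PASSWORD = b"hospital1"
ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


# --- 1. "Password-protected": check the password, store the plaintext ------
def gated_store(record: bytes, password: bytes) -> bytes:
    """Store a salted password hash next to the *unencrypted* record."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return salt + pw_hash + record  # 16-byte salt, 32-byte hash, record


def gated_open(blob: bytes, password: bytes) -> bytes:
    """The 'login screen': refuses to hand over the record without the password."""
    salt, pw_hash, record = blob[:16], blob[16:48], blob[48:]
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    if not hmac.compare_digest(pw_hash, expected):
        raise PermissionError("wrong password")
    return record


def read_disk_directly(blob: bytes) -> bytes:
    """A thief who pulls the drive reads the bytes and never sees the check."""
    return blob[48:]


# --- 2. Encrypted at rest: key derived from the password, bytes unreadable --
def _derive_keys(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the password."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def encrypt(record: bytes, password: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag


def decrypt(blob: bytes, password: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong password fails the tag check."""
    salt, nonce, ct, tag = blob[:16], blob[16:28], blob[28:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or tampered file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def plaintext_visible(blob: bytes) -> bool:
    """Would a simple search of the stored bytes turn up the SSN field?"""
    return b"ssn=" in blob


if __name__ == "__main__":
    gated = gated_store(RECORD, PASSWORD)
    print("gated store leaks plaintext:", plaintext_visible(gated))       # True
    print("read without password:", read_disk_directly(gated) == RECORD)  # True
    sealed = encrypt(RECORD, PASSWORD)
    print("encrypted store leaks plaintext:", plaintext_visible(sealed))  # False
    print("round trip:", decrypt(sealed, PASSWORD) == RECORD)             # True
```

The gated store is what an OS login on an unencrypted disk amounts to: the check lives in software that the attacker simply does not run. Only the second design makes the stolen hardware worthless, which is why breach-notification rules generally treat properly encrypted data as not compromised.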
Howard University spokesman Ronald J. Harris said in an e-mail that the two incidents are unrelated but declined to answer further questions. In its news release about the stolen laptop, the hospital said it will set new requirements for all laptops used by contractors and those issued to hospital personnel to help protect data.
Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health announced that hackers based in Eastern Europe had broken into one of its servers and stolen medical information for almost 800,000 people — more than one of every four residents of the state.
And in November, TRICARE, which handles health insurance for the military, announced that a trove of its backup computer tapes had been stolen from one of its contractors in Virginia. The tapes contained names, Social Security numbers, home addresses and, in some cases, clinical notes and lab test results for nearly 5 million patients, making it the largest medical data breach since the Department of Health and Human Services began tracking incidents 2½ years ago.
As recently as five years ago, it’s possible no one outside Howard University would have known about the incidents there. But reporting rules adopted as part of the 2009 stimulus ensure that the public knows far more about medical data breaches than in the past. When a breach occurs that affects 500 or more patients, health-care providers must notify not only HHS but also the news media.
According to an HHS database, more than 40 percent of medical data breaches in the past 2½ years involved portable media devices such as laptops or hard drives. Deven McGraw, head of the health privacy project at the Washington-based Internet advocacy group Center for Democracy & Technology, said many of these incidents were avoidable. “We have technology that can help save us when we’re all too human,” she said.
Cloud storage, password protection and encryption are all measures health-care providers could be taking to make portable electronic health records more secure, McGraw said.
Another thing that might make health-care providers tighten their security is the potential of facing hefty fines if their patients’ data are breached. But until recently, providers haven’t had to worry much about this.
From the time HIPAA’s privacy rule took effect in 2003 until late last year, there were more than 22,000 complaints about violations of the rule. HHS assessed a monetary penalty only once, according to a report it gave to Congress. Although the department has the power to issue subpoenas when enforcing HIPAA, it has used that power only twice since 2003.
“The industry is very interested and responsive to correct the mistakes that they make and improve their privacy policies, so it’s not necessary for us to resort to these types of penalties,” said Susan McAndrew, deputy director for health information policy at HHS’s Office of Civil Rights.
HHS was criticized for lax enforcement at a Senate hearing in November. In the six months that followed, the department reached settlements in several HIPAA cases with penalties totaling more than $1.5 million.
McGraw said HHS was losing credibility on the enforcement issue, so she’s pleased by the department’s rapid response to its Senate grilling.
But, she said, federal regulators can only do so much. While the benefits of electronic health records far outweigh the risks, she said, those risks can only be mitigated — not eliminated.
“No matter how good you make the technology,” McGraw said, “we’ll never get the risk down to zero. But we can do a lot better than we have been doing.”
Kaiser Health News is an editorially independent program of the Henry J. Kaiser Family Foundation, a nonprofit, nonpartisan health policy research and communication organization not affiliated with Kaiser Permanente.