medical records

CA proposes medical record privacy rules

Anne Zieger — Tue, 02 Sep 2008 05:20:43 -0400

The California legislature is considering a new bill that imposes health data privacy protections above and beyond those already required by HIPAA, alarmed by a recent rash of medical record snooping taking place at UCLA Medical Center. Legislators are responding to unauthorized peeping by employees at a wide range of records, including those of celebrities such as California First Lady Maria Shriver, Britney Spears and Farrah Fawcett.

Under a Senate measure, hospitals would be required to draft a plan to protect patient information. Meanwhile, the state would set up a new Office of Health Information Integrity, which would have the power to review plans and violations, as well as assess fines of up to $250,000 against people who violate patient record privacy. A companion bill, for its part, would allow fines of up to $250,000 against providers who breach patient record privacy.

To learn more about the bills:
- read this Los Angeles Times piece

Related Articles:
UCLA's medical record spying problem worse than thought
More UCLA staffers cited for record snooping
UCLA staff accused of viewing Britney Spears' records
Union fights suspensions for viewing star's records
Park Nicollet suspends employees for EMR snooping

ONCHIT plans medical identity theft town hall

Anne Zieger — Mon, 01 Sep 2008 08:17:44 -0400

Medical identity theft is quickly becoming one of the biggest security threats a health IT administrator needs to consider, given the rich trove of personal data medical records typically include. However, the industry hasn't yet reached a consensus on how to address this exploding problem. Hoping to help the process along, the Office of the National Coordinator for Health Information Technology is holding a town hall meeting on October 15. The meeting, which is scheduled from 8:30 a.m. to 4:30 p.m. at the Federal Trade Commission Conference Center in D.C., is intended to help the community get a better sense of how medical identity theft should be addressed by health IT managers. Article

GA Blue plan sends benefit letters to wrong addresses

Anne Zieger — Sun, 03 Aug 2008 14:00:49 -0400

Last week, Georgia's largest health insurer concluded that it sent about 202,000 benefits letters containing personal and health information to the wrong addresses, courtesy of a systems error. Blue Cross and Blue Shield of Georgia said the mailings were largely Explanation of Benefits letters, which include the patient's name and ID number, the name of the medical provider that delivered the service and the amounts charged and owed. Not only is the mistake a possible invitation to identity theft, but it could turn out to be a HIPAA violation as well.

The Blue plan, which has 3.1 million Georgia policyholders, said that the error occurred due to a change in one of its systems that had not been tested properly. Executives say that they've altered the system so this kind of mistake can't happen again. Meanwhile, the plan--a subsidiary of giant WellPoint--is providing free credit monitoring for affected patients for one year. It's also giving written notices to policyholders whose names were on the EOBs, and compiling a list of those who received other members' EOBs in error.

To learn more about the breach:
- read this Atlanta Journal-Constitution article

Related Articles:
WellPoint data may have been compromised
Seattle health system will pay $100K HIPAA fine
U.S. hospitals have security 'blind spot'
Trend: Identity thieves get better at stealing medical records

SC plans to launch Medicaid HIE

Anne Zieger — Sun, 13 Jul 2008 09:28:30 -0400

South Carolina officials have set plans to launch a health information exchange for the state's 700,000 Medicaid patients. The South Carolina Health Information Exchange, known as SCIEx, will connect hospitals, doctors, clinics and other healthcare providers with access to Medicaid beneficiaries' medical records. It was paid for by HHS, which contributed $250,000 to implement the system. It's also backed by the South Carolina Hospital Association, the South Carolina Primary Care Association and several state agencies.

The SCIEx system includes a records locator service along with a system that links disparate health databases. Providers will now have access to a broad medical history on patients, including diagnoses, medications and test results. Officials say this will be particularly helpful for beneficiaries who live in rural areas and may only get sporadic care or see varied doctors, as it will make sure that their histories travel with them. They also note that the new HIE should save money for the state, since it will avoid a wide range of paper, printing and storage costs.

To learn more about the HIE:
- read this article from The Greenville News

Related Articles:
Study: RHIOs/HIEs backed by states will win
Study: 75 percent of states developing HIEs
NJ set to move ahead with statewide HIE plans
Minnesota backs statewide HIE

Millions of patient billing records stolen from UT hospital

Anne Zieger — Sat, 14 Jun 2008 19:29:00 -0400

Billing records for about 2.2 million patients and guarantors were stolen last week from the University of Utah Hospitals & Clinics, just one more in what appears to be a rapidly growing flood of identity theft incidents. The data went missing when backup tapes of patient billing records were stolen from a car belonging to the University's storage contractor. The tapes, which were en route to an off-site location for disaster recovery purposes, included patient names, related demographic information and diagnostic codes for those treated at the Hospital & Clinics or by one of its providers during a 16-year period. The data also may include date of birth, physician name, insurance, driver's license number and occasionally, clinical notes corroborating diagnoses.

Hospital offices have since consulted with an information security company, which concluded that the data would only be accessible using professional equipment. Meanwhile, police, the FBI and the U.S. Postal Service have concluded that this was a random break-in. (Given the money to be made by misusing this data, I'm not sure I agree with them!)

To learn more about the break-in:
- read this Healthcare IT News piece

Related Articles:
UnitedHealthcare breach leads to UC Irvine identity thefts
Trend: Identity thieves get better at stealing medical records
The growing problem of medical identity theft
NY hospital worker charges with massive file theft

Millions of patient billing records stolen from UT hospital

Anne Zieger — Sat, 14 Jun 2008 19:28:59 -0400

Billing records for about 2.2 million patients and guarantors were stolen last week from the University of Utah Hospitals & Clinics, just one more in what appears to be a rapidly growing flood of identity theft incidents. The data went missing when backup tapes of patient billing records were stolen from a car belonging to the University's storage contractor. The tapes, which were en route to an off-site disaster recovery facility, included patient names, related demographic information and diagnostic codes for those treated at the Hospital & Clinics or by one of its providers during a 16-year period. The data may also include date of birth, physician name, insurance, driver's license number and occasionally, clinical notes corroborating diagnoses.

Hospital offices have since consulted with an information security company, which concluded that the data would only be accessible using professional equipment. Meanwhile, police, the FBI and the U.S. Postal Service have concluded that this was a random break-in. (Given the money to be made by misusing this data, I'm not sure I agree with them!)

To learn more about the break-in:
- read this Healthcare IT News piece

Related Articles:
UnitedHealthcare breach leads to UC Irvine identity thefts
Trend: Identity thieves get better at stealing medical records
The growing problem of medical identity theft
NY hospital worker charged with massive file theft

HHS awards contract for medical identity fraud study

Anne Zieger — Sat, 14 Jun 2008 16:18:17 -0400

HHS's Office of the National Coordinator for Health Information Technology has awarded a $450,000 contract to Booz Allen Hamilton to scope out the size of the medical identity theft problem in the U.S. ONCHIT defines medical identity theft as when a person's identifiable health information is improperly used by another part to obtain medical goods or services, or to submit false medical services claims. To date, note ONCHIT officials, no one is quite sure how widespread the problem is, but it seems likely that it's extensive--and anecdotal evidence suggests that the problem is growing. To address this issue, Booz Allen will assess the scope of the problem, hold a meeting to discuss how to fix it, then produce a report on how to proceed.

To find out more about this issue:
- read this iHealthBeat article

Related Articles:
The growing problem of medical identity theft
Trend: Identity thieves get better at stealing medical records
NY hospital worker charged with massive file theft
California expands health data breach rules

UnitedHealthcare breach leads to UC Irvine identity thefts

Mon, 09 Jun 2008 06:59:58 -0400

After months of investigation, it looks like a data breach at health plan UnitedHealthcare Services may be behind a large-scale rash of identity theft taking place at the University of California, Irvine. As of last week, it appeared that more than 155 graduate and medical students at UC Irvine had been hit by the identity thieves, who filed false tax returns in the victim's names and collected their tax refunds. The breach could potentially affect 1,132 graduate students enrolled with the university's graduate student health insurance program in the 2006-07 school year, officials said. The IRS notes that identity thieves have been particularly aggressive this year, as they may be able to collect not only refunds, but also the pending stimulus checks being handed out to families and individuals.

To learn more about the break-in:
- read this Computeworld piece

Related Articles:
Trend: Identity thieves get better at stealing medical records
The growing problem of medical identity theft
NY hospital worker charges with massive file theft
California expands health data breach rules

Identity thieves getting better at stealing patient data

Mon, 12 May 2008 06:59:57 -0400

Where they once focused on banking data and credit card statements, identity thieves have become increasingly focused on breaking into patient data systems, observers say. Medical records offer a rich trove of information for an identity thief, often including not only health insurance account numbers and billing addresses, but also dates of birth, Social Security numbers and even credit information. That's particularly the case with hospitals which, since they offer costly services, may do more credit research on a patient.

Security industry researchers note that many hospitals haven't taken adequate steps to prevent malicious clinical data breaches, perhaps unaware that in addition to posing great risk to patients, each intrusion can cost $200 per record and $6.3 million per incident. Instead, many hospital IT departments are focused more on implementing or supporting EMR rollouts, according to a survey announced at HiMSS '08.

To learn more about medical record theft:
- read this USA Today article

Related Articles:
The growing problem of medical identity theft
NY hospital worker charged with massive file theft
California expands health data breach rules
U.S. hospitals have security 'blind spot'

UCLA staff accused of viewing Britney Spears' records

Mon, 24 Mar 2008 07:59:56 -0400

In what is unfortunately an all-too-predictable episode, UCLA Medical Center executives have said that they're investigating 13 staff members who seem to have accessed Britney Spears' medical records without authorization. The staff members are accused of viewing her non-medical records during her psychiatric stay in January. The Los Angeles Times reported that none of the staff members involved in the incident were physicians, but that they would be fired and that 12 others--including some doctors--would be disciplined. This incident follows on another, taking place in mid-2007, when two dozen employees at a New Jersey hospital were suspended without pay after viewing the medical records of actor George Clooney without authorization.

To learn more about the episode:
- read this article from Healthcare IT News

Related Articles:
Union fights suspensions for workers viewing star's records. Report
California expands health data breach rules. Report
Johns Hopkins investigates data breach. Report
Massive data loss at HCA. Article
Allina suffers patient data theft. Report
VA pledges better data security. Report