Healthcare Organizations Grieved by Data Breaches Should Take a Lesson from Vaudeville

There’s a gray-bearded joke that probably started in vaudeville where a man goes to see a doctor, flapping his arms like a chicken and complaining of pain.

“Doc,” the man exclaims. “It hurts when I do this.”

The doctor replies: “Then stop doing that!”

That old chestnut would actually apply to the healthcare industry today as issues of data security become more serious and, unfortunately, more common.

According to the non-profit Identity Theft Resource Center (ITRC), data breaches are occurring at healthcare organizations at a much higher rate than in any other industry, a trend that reflects both the vast amount of personal data housed and the lax security employed by hospitals and other medical organizations. According to ITRC, 113 of 385 U.S. companies and organizations that endured a large data breach in the first half of 2010 were healthcare providers. That’s a pretty significant ailment.

I’ve noticed in just the past couple of weeks there have been enough victims of various healthcare-related data breaches to fill a medical ship, ranging from lost computer files containing personal information for about 800,000 people at South Shore Hospital near Boston to a missing computer hard drive with confidential data about 105,000 Colorado households receiving benefits from a state Medicaid and Children’s Health Insurance Program.

Here are a few of the most recent breaches reported, although some of them took place as long ago as last year and just surfaced lately.

• South Shore Hospital officials said the missing computer files may have included names, addresses, phone numbers, birth dates, Social Security numbers, driver’s license numbers, patient and medical record numbers, health plan information, service dates, diagnoses, treatments and other personal information for about 800,000 people dating to 1996. The computer files reportedly were lost when they were shipped to a contractor to be destroyed. Another article said this breach spotlights the growing danger of medical identity theft, noting that a person’s medical records can be worth thousands of dollars to a crime ring.

• The missing computer hard drive incident regarding confidential information about 105,000 households receiving Medicaid and Children’s Health Insurance Program benefits in Colorado was downplayed by state officials, who said letters about the breach were mailed to clients, as if that’s all it takes to handle a serious data breach. Personal healthcare information on the hard drive included client names, programs and state ID numbers.

• A data breach affecting 38,000 patients, students and families associated with Montefiore Medical Center in New York resulted from the theft of five computers from the healthcare provider’s Finance Department and School Health Program in May, according to Databreaches.net. Two of the stolen desktop computers contained the names and medical records of 16,000 patients, along with Social Security numbers, birth dates, insurance information and hospital admission dates for some. Three desktop computers stolen from the School Health Program included students' names, birth dates, medical record numbers and parent or guardian contact numbers, affecting another 22,000 people.

• An unencrypted laptop computer containing personal information on about 21,000 patients was stolen from Thomas Jefferson University Hospitals in Philadelphia, Pa. A hospital employee reported that the laptop, which contained health information in violation of hospital policy, was stolen from an office in June, the organization said in late July. The stolen information concerned patients treated during 2008 and included names, Social Security numbers, birth dates, gender, ethnicity, diagnoses, insurance information, hospital account numbers and other administrative coding. Another article about the breach noted that the U.S. Department of Health and Human Services has increased penalties for violations of patient privacy, including fines of up to $50,000 per violation and up to $1.5 million a year.

• St. Luke's Health System in Idaho notified thousands of employees that Mercer, a contracted human resources firm, lost a server back-up tape holding sensitive information. Data on the tape included names, addresses, birth dates and Social Security numbers. Mercer reportedly realized the tape was missing in April, but did not notify the hospital until late June.

On a smaller scale, there have been quite a few additional healthcare-related data breaches. While they may impact fewer lives, they still carry the full weight of potential disaster that no doubt will have long-term repercussions on reputation and financial stability.

• Confidential health information of about 1,600 patients of Texas Children's Hospital is at risk after a doctor's laptop computer containing clinical and demographic information was stolen more than two months ago, it was announced last week. The health information involved names, birth dates, diagnoses and service dates of affected children, who were cardiology patients of a Baylor College of Medicine doctor who practices at Texas Children's Hospital.

• Personal information, including names, birth dates, physician names and neurophysiological test data for 1,101 patients, was on a computer reported stolen from the Center for Neurosciences in Tucson, Ariz., last year. The data breach was only made public last week. The computer, used to perform electrical tests on muscles and nerves, contained data for patients who had been treated by the center in 2009.

• A thumb drive that contained personal data about current and past graduate medical education residents and fellows at Cooper University Hospital in Camden, N.J., reportedly was stolen or lost in early July. The hospital would not divulge additional information, including the number of people impacted by the data breach, but additional sources said the drive included Social Security numbers, addresses and phone numbers.

• A computer back-up tape containing personal information about 1,000 current and former St. Alphonsus Regional Medical Center employees in Boise, Idaho, was reported missing by the healthcare provider’s parent company, Trinity Health. The tape was created and lost in transit in March by Mercer, made famous by the St. Luke's Health System breach mentioned above. Personal information on the lost tape includes names, addresses, birth dates and Social Security numbers.

• The University Health Network (UHN) in Ontario admitted that medical information for 763 patients who had undergone surgery at Toronto General, Toronto Western and Princess Margaret hospitals earlier this year had been compromised by the theft of an unencrypted USB key. Data on the memory stick included patients' names, admission and discharge dates and surgical procedures they underwent.

It obviously hurts the healthcare industry to have a data security breach, but the prescription to remedy the problem is fairly simple. When contemplating all of the careless ways there are to lose customer and client data, follow the advice of the old vaudeville doctor: “Stop doing that.”
