HEALTH PLANS/PHYSICIANS: More patient confidentiality probs at SF Bay area institutions, with UPDATE

So not long after the mess with Kaiser and the Gadfly appears to be heading to a court solution, there are two more weird breaches of patient confidentiality both demonstrating that it’s not technology but the physical security of data and the dealings of employees that are the riskiest part of keeping confidential medical information confidential. 

The first story is really strange.  Apparently a contractor working for Kaiser had some patient data, and tried to recycle carbon paper for their fax machine at a local copy store. But instead of being recycled, somehow it ended up in the paper supply and was sold to another customer who  discovered that instead of being blank, their fax paper had patient data from Kaiser and a Reno ambulance firm. In the end the customer returned it to the copy shop and no harm appears to have been done. (The full story is the second story here) But then again it just shows that this stuff can get out in ways that are hard to imagine, and perhaps every person handling patient date needs to buy a shredder.  I know that I carried around patient date from my 1992 graduate thesis work and only got around to shredding it a few years later!

The other incident is more sinister, and again it appears that the health care organization, in this case San Jose Medical Group, did nothing wrong. However, someone broke into their facility and stole three laptop computers which had patient information and social security numbers on them.  They don’t know if these computers were stolen as a target for identity theft, although they have written to all the affected patients asking them to check with their credit bureaus, or whether this was done just to steal the computers.  But all the same, my source is one angry patient, and I don’t know whether or not this was a HIPAA violation.  Here’s the police report.

All in all a reminder to health care organizations that electronic security is not enough.  Incidentally if you steal my laptop you have to know two passwords to make it start-up and then work for you, and a third to get into my password storing application Roboform.  I suggest anyone reading this who uses a laptop makes sure they are using the root password function that is available by hitting F8 (or a similar key) before Windows starts, and setting a system password required on start-up.

UPDATE: The SJ Merc has more info about this in a story today. While San Jose Medical Group officials seem to believe someone from the outside stole the computers because they were new, the police report doesn’t seem to mention a forced entry. And there’s no word on whether the data was secured with a password, although it appears not to have been encrypted. It does seem that given that a laptop by definition can be mobile (and therefore easily lost), sensitive data should either be encrypted or somehow electronically secured within it.

Livongo’s Post Ad Banner 728*90

Categories: Physicians

Tagged as: , ,

Leave a Reply

4 Comment threads
0 Thread replies
Most reacted comment
Hottest comment thread
4 Comment authors
DanaAnonRob Merrillgadfly Recent comment authors
newest oldest most voted

I am a patient and went to see a GP MD for a rash. At any rate, I don’t have insurance but was assured that I could pay for my exam out of pocket, which was fine with me. I got my rash taken care of and also asked her for some medication for extreme back spasms I was having at night – to which she obviouslly tersely agreed to furnish a prescription for flexiril. By the way, prior to her examining me, I asked her about my rights in terms of confidetiality about me medical records to which she… Read more »


Was reading the piece from the link about the security breach out in California, and it just makes you cringe to think about how much of the work in this industry gets farmed out to remote places like India, or if within the USA, to those for-profit billing and claims-handling firms that do the work as an extended business office for hospital clients. There’s one company in Illinois where the hiring people hire their personal bar-hopping buddies that they hang out with after work and on weekends (or go over to the local Hooters restaurant for lunch while during working… Read more »

Rob Merrill

Thanks for the comments about RoboForm and how you use it.


I doubt the courts are going to provide any sort of solution for me since I still don’t have legal representation. I was just rejected by the ACLU, and this amazes me because there are broad civil rights ramifications . The Dept. of Managed Health Care has just allocated itself a new power to discipline private citizens. The DMHC showed no qualms about issuing a press release and offering the press quotes to influence public opinion on a matter it had not properly investigated. When the DMHC provided the illusion of corrobation for Kaiser spokesman, my chances of getting legal… Read more »