So not long after the mess with Kaiser and the Gadfly appears to be heading to a court solution, there are two more weird breaches of patient confidentiality both demonstrating that it’s not technology but the physical security of data and the dealings of employees that are the riskiest part of keeping confidential medical information confidential.
The first story is really strange. Apparently a contractor working for Kaiser had some patient data, and tried to recycle carbon paper for their fax machine at a local copy store. But instead of being recycled, somehow it ended up in the paper supply and was sold to another customer who discovered that instead of being blank, their fax paper had patient data from Kaiser and a Reno ambulance firm. In the end the customer returned it to the copy shop and no harm appears to have been done. (The full story is the second story here) But then again it just shows that this stuff can get out in ways that are hard to imagine, and perhaps every person handling patient date needs to buy a shredder. I know that I carried around patient date from my 1992 graduate thesis work and only got around to shredding it a few years later!
The other incident is more sinister, and again it appears that the health care organization, in this case San Jose Medical Group, did nothing wrong. However, someone broke into their facility and stole three laptop computers which had patient information and social security numbers on them. They don’t know if these computers were stolen as a target for identity theft, although they have written to all the affected patients asking them to check with their credit bureaus, or whether this was done just to steal the computers. But all the same, my source is one angry patient, and I don’t know whether or not this was a HIPAA violation. Here’s the police report.
All in all a reminder to health care organizations that electronic security is not enough. Incidentally if you steal my laptop you have to know two passwords to make it start-up and then work for you, and a third to get into my password storing application Roboform. I suggest anyone reading this who uses a laptop makes sure they are using the root password function that is available by hitting F8 (or a similar key) before Windows starts, and setting a system password required on start-up.
UPDATE: The SJ Merc has more info about this in a story today. While San Jose Medical Group officials seem to believe someone from the outside stole the computers because they were new, the police report doesn’t seem to mention a forced entry. And there’s no word on whether the data was secured with a password, although it appears not to have been encrypted. It does seem that given that a laptop by definition can be mobile (and therefore easily lost), sensitive data should either be encrypted or somehow electronically secured within it.