HEALTH PLANS/PHYSICIANS: More patient confidentiality probs at SF Bay area institutions, with UPDATE

So, not long after the mess between Kaiser and the Gadfly appears to be heading toward a court resolution, there are two more strange breaches of patient confidentiality. Both demonstrate that it’s not technology but the physical security of data and the conduct of employees that are the riskiest part of keeping confidential medical information confidential.

The first story is really strange. Apparently a contractor working for Kaiser had some patient data, and tried to recycle carbon paper from their fax machine at a local copy store. But instead of being recycled, it somehow ended up in the paper supply and was sold to another customer, who discovered that instead of being blank, their fax paper carried patient data from Kaiser and a Reno ambulance firm. In the end the customer returned it to the copy shop and no harm appears to have been done. (The full story is the second story here.) But it just shows that this stuff can get out in ways that are hard to imagine, and perhaps every person handling patient data needs to buy a shredder. I know that I carried around patient data from my 1992 graduate thesis work and only got around to shredding it a few years later!

The other incident is more sinister, and again it appears that the health care organization, in this case San Jose Medical Group, did nothing wrong. However, someone broke into their facility and stole three laptop computers which had patient information and social security numbers on them. They don’t know whether the computers were taken as a target for identity theft or simply for the hardware, although they have written to all the affected patients asking them to check with their credit bureaus. But all the same, my source is one angry patient, and I don’t know whether or not this was a HIPAA violation. Here’s the police report.

All in all, a reminder to health care organizations that electronic security is not enough. Incidentally, if you steal my laptop you have to know two passwords to make it start up and then work for you, and a third to get into my password-storing application, Roboform. I suggest anyone reading this who uses a laptop make sure they are using the root password function that is available by hitting F8 (or a similar key) before Windows starts, and setting a system password required on start-up.

UPDATE: The SJ Merc has more info about this in a story today. While San Jose Medical Group officials seem to believe someone from the outside stole the computers because they were new, the police report doesn’t seem to mention a forced entry. And there’s no word on whether the data was secured with a password, although it appears not to have been encrypted. It does seem that given that a laptop by definition can be mobile (and therefore easily lost), sensitive data should either be encrypted or somehow electronically secured within it.


  1. I am a patient and went to see a GP MD for a rash. At any rate, I don’t have insurance but was assured that I could pay for my exam out of pocket, which was fine with me. I got my rash taken care of and also asked her for some medication for extreme back spasms I was having at night – to which she obviously tersely agreed to furnish a prescription for flexiril. By the way, prior to her examining me, I asked her about my rights in terms of confidentiality about my medical records, to which she assured me that they were confidential unless I signed a release (I asked about this because I am sensitive about my privacy and do not want health insurance companies to have any access to my private records at all for when I apply for health insurance). Anyways, she left me in the exam room to get dressed. My friend was waiting for me in the reception area, which was where her front desk was with her secretarial and office staff who made appointments for patients. At any rate, my friend related that this Dr. came out to the front desk, straight from her examination of me, and said loudly enough for my friend to hear in the waiting area, to her staff, “She’s one of those, no insurance and wants everything. So I gave her enough flexiril to last a loong time” (said in a sarcastic tone according to my friend). My friend told me what she heard as soon as I came out and we went outside on the sidewalk out of earshot to discuss this. After I heard what was said, I was too upset to confront the doctor because I felt humiliated and maligned in front of her staff and whoever was in the waiting area who was privy to this before I came out to the front desk to pay for the visit, unbeknownst to me what had transpired there a few minutes earlier; plus I was angry that she had violated my confidentiality by disclosing what medications she had prescribed to her secretarial staff and within earshot of the entire waiting area. So my friend went back in, on my behalf, and confronted this Dr.
    who was still at the desk with her staff. According to my friend, the doctor was initially defensive and tried to cover up for it, but my friend insisted upon the veracity of her having just witnessed this accurately and that she (the MD) had said all of this in front of a number of onlooking staff members, and she quickly capitulated. My friend said that the Doc was absolutely mortified that she had been caught; completely embarrassed, and changed her tack. The doctor then admitted what she did was wrong and apologized to my friend about me – her apology an obvious admission of guilt; and frankly, I believe her apology was insincere because she seemed like such an ass***; not to mention, that I bet this is what MDs are taught in Risk Minimization and Liability seminars, as a last resort, when the Doc is up against the wall and totally has nothing to say in their defense, with the hope that an apology will placate the “dumb” patient so they won’t sue. Frankly, I was so angry about what she said, I did not care if she issued an apology; there was no excuse for her behavior and especially for violating my confidentiality right after she and I had just discussed it and she had assured me my confidentiality was safe in her hands. I felt she was a spiteful, petty person who should not be practicing as an MD, if this is the attitude she takes toward her patients (especially those without insurance) and then feels so free to vocalize her spite to her staff and an entire waiting room. I have done nothing yet, but I want to report her to the Department of Justice (for HIPAA violations), and the California Medical Board as well, since she violated the CMIA too. On the other hand, I would settle with her if I feel properly remunerated in terms of the damage that she has done to me.
    My question is this: most of the people reading this site are doctors trying to counter claims and complaints from patients or negotiate HIPAA in general. Let me ask you all this; how would you feel if you were me; would you sue and/or report her? What is your perspective, as an MD, on this particular scenario which just happened in November in a San Francisco private clinic? Quite honestly, as a pissed-off patient, I feel most inclined to sue her – so she will really feel it where it hurts; in her pocketbook.

  2. Was reading the piece from the link about the security breach out in California, and it just makes you cringe to think about how much of the work in this industry gets farmed out to remote places like India, or if within the USA, to those for-profit billing and claims-handling firms that do the work as an extended business office for hospital clients.
    There’s one company in Illinois where the hiring people hire their personal bar-hopping buddies that they hang out with after work and on weekends (or go over to the local Hooters restaurant for lunch while during working hours), and the cronyism even runs down to the low-level supervisors as well. A unit supervisor was doing employee reviews WHILE hanging out at the local health club with other employees (she was telling other staffers in the department about how she was on a piece of exercise equipment and doing an annual employee review while there). But the employee she was at the health club with wasn’t even from our department! If she was taking personnel files or other management/supervisory-level files over to the local health club and discussing it with people, then what else was she discussing?
    I never once got the sense that data was truly secure in this place, mainly due to the level of unprofessionalism and lax standards when it came to their own employees. They seemed more concerned about HIPAA violations, but that’s because hospitals were always having their compliance officers call up to check on HIPAA compliance.
    But still, there were definitely internal issues when it came to confidentiality. I even heard managers and supervisors making fun of the medical conditions that patients had (while they were handling the UB92’s and HCFA’s). It was just appallingly unprofessional, and I have since quit that place, but if anyone reading this forum is in healthcare and works for a hospital, I beg of you to be careful who you use for outsourcing your claims and billing accounts to.
    When I tried to complain to upper management about the level of unprofessionalism, I was told to stop “bitching” about it. I mean, if that isn’t a sexist comment! But I wrote the Illinois Attorney General, Lisa Madigan, AFTER I had resigned, and she seemed very interested in any stories that employees within the business had to tell.
    There is a level of arrogance with some of the people in this clubby field, where if you dare question levels of unprofessionalism, they flat out say “Well, who are you?” or that you shouldn’t keep “bitching” about it.
    Fortunately, everyone from trial lawyers to the IRS to the GAO to the various state attorneys general are now “bitching” about it, and I hope it brings more concern about privacy and data security issues to the forefront.

  3. I doubt the courts are going to provide any sort of solution for me since I still don’t have legal representation. I was just rejected by the ACLU, and this amazes me because there are broad civil rights ramifications. The Dept. of Managed Health Care has just allocated itself a new power to discipline private citizens. The DMHC showed no qualms about issuing a press release and offering the press quotes to influence public opinion on a matter it had not properly investigated. When the DMHC provided the illusion of corroboration for the Kaiser spokesman, my chances of getting legal representation or retractions for false statements in the press were greatly reduced, hence interfering with my ability to defend my civil rights. I have to travel to these Hearings and prepare evidence at my own expense – so I’m being compelled to perform actions and make expenditures against my will, on threat of mysterious DMHC sanctions and a certain new wave of Kaiser-corroborating publicity if the DMHC prevails – which it probably will just because the Judge will want to use me as an example to discourage Employees who are tempted to steal and misuse patient data, whether I actually did that or not.
    An attorney told me yesterday that even with the civil rights issues at stake, it’s unlikely that there’s any attorney out there that will even feel qualified to help me. My situation is a thorny mess that really calls for a team of attorneys with distinct areas of expertise: cyberlaw, health care law, contract/employment law, whistleblower protection, etc. Protecting my rights would be an expensive endeavor, and the attorneys could only hope to be paid through a countersuit since I have no income or assets. Therefore, I’m just one of those “unlucky” people who really doesn’t have any civil rights because it wouldn’t be cost effective to protect them.
    Now try to envision the millions of people in this country who are even more “unlucky” than me, and you have to question why we even bother with the fiction that our society is based on the Constitution and equality under the law: what we have is an ever-shrinking uppercrust of people who meet the financial criteria to qualify for equality under the law.
    While I should probably be most concerned about the inequities of the legal system, I’m actually a lot more upset about the media. All the major media venues claim to be engaging in accurate reporting and some have formal correction/retraction policies. Yet I haven’t been able to get one retraction for factual errors. I mentioned the issue of NBC splicing my interview to just invent the story they wanted – I found out later that FOX just blindly repeated the NBC story. In the press, the highly respected SF Chronicle in particular has been riddled with errors. The reporter, Henry Lee, has even acknowledged some of them in private – but yet the Chronicle won’t act on its vaunted corrections policy. This weekend Kaiser’s well-crafted message is going to be pushed on an auditorium full of national HIPAA experts who are then going to contribute to shaping public opinion. Media watchdogs like FAIR have not bothered to reply to my inquiries.
    As a result of all this, I’m never going to believe anything I read or see on the news again. As far as I know, I’m surrounded by false information and deliberate fiction. There’s no way to find out what’s real. How can anyone make any sort of political or social decision under these circumstances?
    A number of people have said to me that I shouldn’t be concerned about public opinion. I think I should be concerned about this more than anything else. The media, potential attorneys, and probably politicians of various sorts are checking out public opinion to see whether I’m a victim of an enemy of the public or whether I’m the public enemy. Public opinion pronounces on what I “should” have done with no knowledge of what I tried. Public opinion assumes I have access to resources that I don’t – such as attorneys who can pursue legal remedies or the support of foundations such as the Electronic Frontier Foundation or the ACLU. When I fail to access those resources or Kaiser (and their DMHC cronies) declare a token victory that they were able to *buy*, public opinion takes this to confirm their initial impressions without noticing that it was this impression, based on a lot of false information, that helped cut off my access to those resources in the first place.
    What has been accomplished by all of this? My views on Kaiser haven’t changed, and if anything my commitment to digging up evidence of Kaiser corruption has been reinforced. I have confirmation that I’m not protected by the legal system and I’m questioning whether I even count as a citizen – and my own case is going to be used to advance the Police State against other private citizens in the case of the DMHC. I now know that the news doesn’t mean anything, and no one bothers to correct bad information. The general public has once more been treated to the politics of fear – and while they are fretting about a media-designed Rogue Patient-Data-Stealing employee, they will be distracted from asking how Kaiser let their data be posted on the Internet for a year in the first place or considering what it means for the public when whistleblower protections fail so spectacularly.
    I’m usually pretty sparing about doling out subjective value judgments, but this is stupid.