So the Gadfly has really had an effect, and in some ways so has THCB. But I’m not sure it’s a good one. Yesterday, for the breach of patient confidentiality that was fairly exhaustively documented on THCB and elsewhere, the California Department of Managed Healthcare (DMHC) fined Kaiser $200,000.
Just to remind you, some contractor left some database schemas of Kaiser’s Health Connect project on an open web site some time between 2002 and 2004. Somewhere in those charts, which I looked at (not knowing what was in them) were patient records for 150 real live patients (although I never saw one and the Gadfly said that she only ever saw three and never knew they were real). The Gadfly linked to the site from her website, and after she wrote to me, I put it in a story here last August. Within a few days, that website had been taken down, and I assumed that that was that.
But apparently not. The Gadfly, who was involved in a nasty if unrelated dispute about her firing, had mirrored and copied the site to prove (at least to her satisfaction) that Kaiser was doing something wrong. Kaiser apparently is being fined for not reporting its breach of confidentiality. "DMHC officials were concerned that Kaiser allowed the site to languish on the Web in an accessible format and did not act to remove it until its existence was brought to the attention of federal civil rights authorities in January 2005. In addition, Kaiser authorities chose not to inform state regulators until after the site had been reported to the media in March. However, Kaiser has since informed all of the approximately 150 members who may have been affected." So playing out the time-line, Kaiser knew (we can assume) in August 2004, started going after the Gadfly in March 2005 when the story broke in the SJ Mercury News, but apparently had been told by the Civil Rights Commission in January that its data had been (or still was) online, and didn’t inform the DMHC until March.
However, given that they had taken down the offending site the previous August, really Kaiser is being punished for not informing DMHC when it knew, rather than keeping it quiet and pretending (or at least insinuating pretty heavily) that it was the Gadfly who’d allowed public access to the site. But then again the Gadfly was allowing access to the data from August 2004 until March 2005, although it was a mirror of the site that had been up for over two years.
In some ways there is some karmic justice to all this. Kaiser didn’t treat the Gadfly at all well as an employee. She went after them rather too aggressively, even if she didn’t know that she was showing real patient data. Kaiser in turn responded in a more than proportionally aggressive manner, and never tried to work it out with the Gadfly to see if some reasonable accommodation to her problems could be reached. And they failed to do the CYA necessary to stop themselves getting in trouble with DMHC. But if $200,000 is a fair fine, then it’s more than $1200 per person, and probably more than a few thousand dollars per actual viewing by anyone on the web. So to my mind that’s a more than proportional punishment. And I’m not sure that it’s not just DMHC grandstanding; I mean I know it was against the law, and Kaiser was slow, but I can’t see that that much harm was done to any of those patients.
Now Kaiser is a very wealthy organization and had a very good year last year ($481m profit in Q1 2005 alone), so $200,000 is not exactly that much to it. But on the other hand, it’s real money that could be used to provide health care to many needy people, and I suspect that had just a little been spent on better health insurance for the Gadfly, all of this could have been avoided. Of course the DMHC can now try to go after the Gadfly, but it appears that HIPAA privacy requirements do not apply to individuals.
So the lesson for health care organizations is mind your data and mind your employees, and treat both with common sense.