According to surveys, an average of 150 people "from nursing
staff to x-ray technicians, to billing clerks" have access to a patient's
medical records during the course of a typical hospital visit. In the office of
an individual health care practitioner or small group practice virtually
everyone has access to a patient's protected health information. While many of
these individuals have a legitimate need to see all or part of a patient's
records, until HIPAA no laws governed who those people are or what information
they are able to see.
Failure to provide adequate protection can result
in serious breaches of privacy with grave consequences as evidenced by these
casualty reports.
- A jury awarded close
to $2.3 million February 5 to three women whose mental health treatment records
were not kept private by West Virginia University Medical Corporation,
according to the Associated Press (AP). The three women involved in the
negligence case were identified in Monongalia Circuit Court only by their
initials. The corporation, also known as University Health Associates, fired a
records clerk in July 1999 when one woman complained to the administrator of
the medical school's department of behavioral medicine that her records had
been wrongly disclosed. Jurors awarded $766,200 to one woman, $762,000 to
another, and $750,000 to the third. Circuit Judge Russell Clawges disallowed
punitive damages against the corporation, ruling that the women did not prove
that the clerk was "acting within the scope of his employment" in removing
their records, taking them home and to local bars, and discussing them with
people, reports the AP. The corporation's physicians are all members of the
faculty of the West Virginia University School of Medicine. (Feb.
2003)
- TriWest Healthcare
Alliance has been hit with a class-action lawsuit for negligence by customers
whose identity information was stolen last month in a heist of computer data
from the Phoenix-based defense contractor. The lawsuit was filed in the U.S.
District Court for Arizona by Tucson attorneys David Karnas and Gary Bellovin
on behalf of Lt. Col. Michael Stollenwerk and Andrea DeGatica, both of
Virginia. They seek unspecified monetary damages for alleged negligence, breach
of contract and violations of the federal Privacy Act. TriWest officials
declined to comment on the civil complaint Wednesday, saying they had not had
an opportunity to review the allegations. The company's offices were invaded
Dec. 14 by thieves who made off with laptop computers containing files on
562,000 military personnel, retirees and family members who have health care
through the company. The data included Social Security numbers, birth dates,
duty stations, medical records and other information that could be used by
identity thieves. The robbers targeted computer data and left more valuable
items behind. Despite a $100,000 reward offer by TriWest, and intense
investigations by the Defense Department, FBI and Phoenix police, no suspects
have been identified. Neither the company nor criminal investigators have been
willing to say whether the burgled office at Thunderbird Road and Interstate 17
had an alarm system, guards, video cameras or other security measures in place.
The stolen computers contained data on active military personnel who could be
called to fight in a war against Iraq. Some members of the armed forces have
fretted that enemies or terrorists might obtain information and use it against
American troops or their families. TriWest continues to emphasize that, to
date, no stolen data has been used for criminal purposes. But authorities have
divulged little about the theft, and even less about their investigation.
Steven Anthony, a spokesman for the Defense Department's Office of the
Inspector General, said investigators could not discuss the case. Robert Ellis
Smith, publisher of the Rhode Island-based newsletter Privacy Journal, said
litigation to protect privacy continues to accelerate, with large awards when
plaintiffs prevail. (The Arizona Republic, Jan. 30, 2003)
- Seeking leads in the
gruesome killing of a newborn baby in May, the county attorney for Storm Lake,
Iowa subpoenaed the names of hundreds of women who had pregnancy tests at a
local Planned Parenthood clinic. On August 7, the Iowa Supreme Court granted
Planned Parenthood of Greater Iowa its motion for a temporary stay against the
subpoena issued by officials in Buena Vista County. County officials had until
August 19 to file a response to the appeal petition. The New York Times reports
the county attorney said the questions had to be asked. "I don't know how else
you deal with it and conduct an investigation," he said. Jill June, the
executive director for Planned Parenthood of Greater Iowa, calls the subpoena
"a horrible assault to a young woman's sense of privacy." (NY Times August 26,
2002)
- A temporary
employment agency worker is being blamed for scattering confidential medical
records of about 100 patients in downtown Allentown, PA, on August 7. The
employee took the files home from Easton Hospital on a Tuesday night to
organize them without permission. Wednesday morning, after getting into an
argument with the person driving her to work, she dropped the files when
exiting the car and was so upset she "just ran home." Most of the records were
recovered and returned to the hospital. Police agencies are still determining
what, if any, criminal charges will be filed. (Morning Call August 19,
2002)
- After purchasing
three computers for $10 each at a local thrift shop, an Indianapolis News
Investigation Team from WISH TV discovered patient records, social security
numbers, home addresses, home telephone numbers, and purchase card information.
Also found on the computer was the VA's own written policy about patient
privacy. When the News 8 I-Team went looking for used computers, they found
three in the very first thrift shop they walked into. Costing just $10 each,
the computers were full of credit card information and medical records,
including HIV diagnosis. The computers were full of other personal information,
including social security numbers, names and date of birth. Who forgot to erase
these records before selling the computers? The federal government.
Specifically, the Indianapolis Veterans Administration Medical Center. News 8
I-Team investigator Karen Hensel asked Dan Cavallini, of 20/20 Investigations,
if the government agency should have known better. His answer, "yes,
unequivocally yes." Cavallini, a computer forensics expert and an Army veteran,
said that deleting the hard drive before dumping the computer is like basic
training. "This is basic. This is very basic. Government installations for
years have taken time now to wipe out all the information on the drives.
Obviously in this case we have everything here." The VA's own policy states
that computer hard drives should be wiped clean before being sold at surplus auctions
like the one for the state. But these weren't. The News 8 I-Team's
investigation has the congressman demanding answers. "This is an embarrassment
to the VA," said Buyer. "This is an embarrassment to any medical facility, the
release of private information with regard to health was not safeguarded and
breached. That's bothersome." Representative Buyer sits on the House Committee
on Veterans' Affairs. He said the issue has now reached President Bush's
cabinet. "I assure you the secretary is well aware of the breach." The
Secretary of Veterans' Affairs will investigate if this turns out to be a
nationwide problem. (May 16, 2002)
- A San Francisco man
who has pleaded guilty to hacking into the computers of a San Francisco
hospital could face a maximum penalty of one year in prison and a fine of
$100,000, plus restitution when he is sentenced on April 26, 2002. Michael
Logan, 34, pleaded guilty last month to sending 30,000 e-mails to employees and
associates of the hospital, which appeared to be from an employee of Catholic
Healthcare West (CHW) and contained insulting statements about employees,
reports the San Jose Business Journal. CHW owns 42 hospitals in Arizona, Nevada
and throughout California. It is the largest nonprofit health care provider in
California and the largest Catholic hospital system in the western United
States. (San Jose Business Journal, March 2002)
- Thieves allegedly
took patient information from Yale-New Haven (CT) Hospital, used the data to
fraudulently obtain credit cards, and bought thousands of dollars in
merchandise across the state, according to the Associated Press. Police charged
Robert Williams January 29 with using credit cards he obtained with information
stolen from the hospital. Williams told a police sergeant that he obtained the
information from an inside source at Yale-New Haven Hospital. Williams charged
more than $8,000 on the patient's credit card. The credit card scheme involved
a hospital employee identified as "Tracy," who stole patient information
including names, birth dates, and social security numbers, according to police.
The information was used to make fake driver's licenses and identification
cards in the names of hospital patients. The identifications were then used to
open the fraudulent credit card accounts at stores throughout Connecticut. The
employee had been fired from the hospital for violating its policy regarding
patient records and police have not determined her true identity. (February 20,
2002)
- University of
Minnesota researchers accidentally revealed the names of deceased organ donors
to 410 patients who received their kidneys. A glitch in a computer-generated
letter sent each year to recipients participating in a long-term study of 1,200
patients caused the confidentiality breach, reports the Minneapolis Star
Tribune. The error was discovered this month when a patient who received a
kidney from a dead donor called to ask whether a name on the letter was the
donor's. It was the second time in three months that computer problems at the
university led to a privacy breach. The university and LifeSource, the company
that manages the organ donation system, are contacting recipients and relatives
of donors about the error to ask them not to contact the donor families. The
transplant patients are mostly from the Midwest, and donors were from across
the country, reports the Tribune. The university had to report the violation to
the National Institutes of Health, which is funding the study, and inform the
university's internal review board. The names of the dead donors have now been
removed from the database. (The Minneapolis Star Tribune, February 4,
2002)
- An anonymous call
from a suburban hospital physician's assistant to the Montgomery County,
Maryland Police CrimeSolver's tip line about a psychiatric patient who talked
of killing and raping women could soon come under scrutiny in a Maryland
appeals court. The patient, Curtis Lee Ring, 39, of Germantown, was recently
convicted of attempted rape in two separate cases. Before he is sentenced on
the two convictions, Ring is scheduled to stand trial in April, 2002 in
connection with a third attack. In a pretrial ruling, Montgomery Circuit Judge
James C. Chapin rejected Ring's lawyer's argument that prosecutors should not
have been allowed to use much of the evidence because police learned about Ring
from a physician's assistant who helped admit him to Suburban Hospital. Ring's
lawyers plan to appeal. They argued that the phone call violated a Maryland law
protecting psychiatric patients' confidential medical records and the privacy
of their conversations with doctors or nurses. "At no time does the
[doctor/patient] privilege operate with more importance and more force than
when it protects the patient from unauthorized disclosures which may lead to
criminal prosecution," Ring's lawyers wrote. (The Washington Post, February 22,
2001)
- University of
Minnesota researchers accidentally revealed the names of deceased organ donors
to 410 patients who received their kidneys. A glitch in a computer-generated
letter sent each year to recipients participating in a long-term study of 1,200
patients caused the confidentiality breach, reports the Minneapolis Star
Tribune. The error was discovered this month when a patient who received a
kidney from a dead donor called to ask whether a name on the letter was the
donor's. It was the second time in three months that computer problems at the
university led to a privacy breach. The university and LifeSource, the company
that manages the organ donation system, are contacting recipients and relatives
of donors about the error to ask them not to contact the donor families. The
transplant patients are mostly from the Midwest, and donors were from across
the country, reports the Tribune. The university had to report the violation to
the National Institutes of Health, which is funding the study, and inform the
university's internal review board. The names of the dead donors have now been
removed from the database. (The Minneapolis Star Tribune, January,
2001)
- Thieves allegedly
took patient information from Yale-New Haven (CT) Hospital, used the data to
fraudulently obtain credit cards, and bought thousands of dollars in
merchandise across the state, according to the Associated Press. Police charged
Robert Williams January 29, 2002 with using credit cards he obtained with
information stolen from the hospital. Williams told a police sergeant that he
obtained the information from an inside source at Yale-New Haven Hospital.
Williams charged more than $8,000 on the patient's credit card. The credit card
scheme involved a hospital employee identified as "Tracy," who stole patient
information including names, birth dates, and social security numbers,
according to police. The information was used to make fake driver's licenses
and identification cards in the names of hospital patients. The identifications
were then used to open the fraudulent credit card accounts at stores throughout
Connecticut. The employee had been fired from the hospital for violating its
policy regarding patient records and police have not determined her true
identity. (Associated Press, January 29, 2001)
- An Alexandria
teenager allegedly intercepted telephone pages intended for doctors on a
surgical floor at Inova Fairfax Hospital, then called in and prescribed
medication and even ordered minor medical procedures for patients, according to
court papers and hospital officials. Hospital officials acknowledged that
nurses followed the 16-year-old's medical directions, but they said no patients
suffered because of it. They said the hospital has since added security
measures to the phone paging system. (The Washington Post, December 16, 2000)
- A patient in a
Boston-area hospital discovered that her medical record had been read by more
than 200 of the hospital's employees. (The Boston Globe, August 1,
2000)
- A Utah-based
pharmaceutical benefits management firm used patient data to solicit business
for its owner, a drug store. (Kiplingers, February 2000)
- The health insurance
claims forms of thousands of patients blew out of a truck on its way to a
recycling center in East Hartford, Connecticut. (The Hartford Courant, May 14,
1999)
- A Michigan-based
health system accidentally posted the medical records of thousands of patients
on the Internet. (The Ann Arbor News, February 10, 1999)
- A 30-year FBI veteran
was put on administrative leave when, without his permission, his pharmacy
released information about his treatment for depression. (Los Angeles Times,
September 1, 1998)
- In 1993, the Boston
Globe reported that Johnson and Johnson marketed a list of 5 million names and
addresses of elderly incontinent women. (ACLU Legislative Update, April
1998)
- A few weeks after an
Orlando woman had her doctor perform some routine tests, she received a letter
from a drug company promoting a treatment for her high cholesterol. (Orlando
Sentinel, November 30, 1997)
- A Nevada woman who
purchased a used computer discovered that the computer still contained the
prescription records of the customers of the pharmacy that had previously owned
the computer. The pharmacy database included names, addresses, social security
numbers, and a list of all the medicines the customers had purchased. (The New
York Times, April 4, 1997 and April 12, 1997)
- An employee of the
Tampa, Florida, health department took a computer disk containing the names of
4,000 people who had tested positive for HIV, the virus that causes AIDS. (USA
Today, October 10, 1996)
- A banker who also sat
on a county health board gained access to patients' records and identified
several people with cancer and called in their mortgages. (National Law
Journal, May 30, 1994)
- A speculator bid
$4000 for the patient records of a family practice in South Carolina. Among the
businessman's uses of the purchased records was selling them back to the former
patients. (New York Times, August 14, 1991)
- A physician was
diagnosed with AIDS at the hospital in which he practiced medicine. His
surgical privileges were suspended. (Estate of Behringer v. Medical Center at
Princeton, 249 N.J. Super. 597)
- A candidate for
Congress nearly saw her campaign derailed when newspapers published the fact
that she had sought psychiatric treatment after a suicide attempt. (New York
Times, October 10, 1990, Section 1, page 25)
- Consumer Reports
found that 40 percent of insurers disclose personal health information to
lenders, employers, or marketers without customer permission. ("Who's reading
your Medical Records," Consumer Reports, October 1994, at 628, paraphrasing
Sweeney, Latanya, "Weaving Technology and Policy Together to Maintain
Confidentiality," The Journal Of Law Medicine and Ethics (Summer & Fall
1997) Vol. 25, Numbers 2,3)