According to surveys, an average of 150 people “from nursing staff to x-ray technicians, to billing clerks” have access to a patient’s medical records during the course of a typical hospital visit. In the office of an individual health care practitioner or small group practice, virtually everyone has access to a patient’s protected health information. While many of these individuals have a legitimate need to see all or part of a patient’s records, until HIPAA, no laws governed who those people are or what information they are able to see.

Failure to provide adequate protection can result in serious breaches of privacy with grave consequences, as evidenced by these casualty reports.

  • A jury awarded close to $2.3 million February 5 to three women whose mental health treatment records were not kept private by West Virginia University Medical Corporation, according to the Associated Press (AP). The three women involved in the negligence case were identified in Monongalia Circuit Court only by their initials. The corporation, also known as University Health Associates, fired a records clerk in July 1999 when one woman complained to the administrator of the medical school’s department of behavioral medicine that her records had been wrongly disclosed. Jurors awarded $766,200 to one woman, $762,000 to another, and $750,000 to the third. Circuit Judge Russell Clawges disallowed punitive damages against the corporation, ruling that the women did not prove that the clerk was “acting within the scope of his employment” in removing their records, taking them home and to local bars, and discussing them with people, reports the AP. The corporation’s physicians are all members of the faculty of the West Virginia University School of Medicine. (Feb. 2003)
  • TriWest Healthcare Alliance has been hit with a class-action lawsuit for negligence by customers whose identity information was stolen last month in a heist of computer data from the Phoenix-based defense contractor. The lawsuit was filed in the U.S. District Court for Arizona by Tucson attorneys David Karnas and Gary Bellovin on behalf of Lt. Col. Michael Stollenwerk and Andrea DeGatica, both of Virginia. They seek unspecified monetary damages for alleged negligence, breach of contract and violations of the federal Privacy Act. TriWest officials declined to comment on the civil complaint Wednesday, saying they had not had an opportunity to review the allegations. The company’s offices were invaded Dec. 14 by thieves who made off with laptop computers containing files on 562,000 military personnel, retirees and family members who have health care through the company. The data included Social Security numbers, birth dates, duty stations, medical records and other information that could be used by identity thieves. The robbers targeted computer data and left more valuable items behind. Despite a $100,000 reward offer by TriWest, and intense investigations by the Defense Department, FBI and Phoenix police, no suspects have been identified. Neither the company nor criminal investigators have been willing to say whether the burgled office at Thunderbird Road and Interstate 17 had an alarm system, guards, video cameras or other security measures in place. The stolen computers contained data on active military personnel who could be called to fight in a war against Iraq. Some members of the armed forces have fretted that enemies or terrorists might obtain information and use it against American troops or their families. TriWest continues to emphasize that, to date, no stolen data has been used for criminal purposes. But authorities have divulged little about the theft, and even less about their investigation. 
    Steven Anthony, a spokesman for the Defense Department’s Office of the Inspector General, said investigators could not discuss the case. Robert Ellis Smith, publisher of the Rhode Island-based newsletter Privacy Journal, said litigation to protect privacy continues to accelerate, with large awards when plaintiffs prevail. (The Arizona Republic, Jan. 30, 2003)
  • Seeking leads in the gruesome killing of a newborn baby in May, the county attorney for Storm Lake, Iowa subpoenaed the names of hundreds of women who had pregnancy tests at a local Planned Parenthood clinic. On August 7, the Iowa Supreme Court granted Planned Parenthood of Greater Iowa its motion for a temporary stay against the subpoena issued by officials in Buena Vista County. County officials had until August 19 to file a response to the appeal petition. The New York Times reports the county attorney said the questions had to be asked. “I don’t know how else you deal with it and conduct an investigation,” he said. Jill June, the executive director for Planned Parenthood of Greater Iowa, calls the subpoena “a horrible assault to a young woman’s sense of privacy.” (NY Times August 26, 2002)
  • A temporary employment agency worker is being blamed for scattering confidential medical records of about 100 patients in downtown Allentown, PA, on August 7. The employee took the files home from Easton Hospital on a Tuesday night to organize them without permission. Wednesday morning, after getting into an argument with the person driving her to work, she dropped the files when exiting the car and was so upset she “just ran home.” Most of the records were recovered and returned to the hospital. Police agencies are still determining what, if any, criminal charges will be filed. (Morning Call August 19, 2002)
  • After purchasing three computers for $10 each at a local thrift shop, an Indianapolis News Investigation Team from WISH TV discovered patient records, social security numbers, home addresses, home telephone numbers, and purchase card information. Also found on the computer was the VA’s own written policy about patient privacy. When the News 8 I-Team went looking for used computers, they found three in the very first thrift shop they walked into. Costing just $10 each, the computers were full of credit card information and medical records, including HIV diagnosis. The computers were full of other personal information, including social security numbers, names and date of birth. Who forgot to erase these records before selling the computers? The federal government. Specifically, the Indianapolis Veterans Administration Medical Center. News 8 I-Team investigator Karen Hensel asked Dan Cavallini, of 20/20 Investigations, if the government agency should have known better. His answer: “Yes, unequivocally yes.” Cavallini, a computer forensics expert and an Army veteran, said that deleting the hard drive before dumping the computer is like basic training. “This is basic. This is very basic. Government installations for years have taken time now to wipe out all the information on the drives. Obviously in this case we have everything here.” The VA’s own policy states that computer hard drives should be wiped clean before being sold at surplus auctions like the one for the state. But these weren’t. The News 8 I-Team’s investigation has the congressman demanding answers. “This is an embarrassment to the VA,” said Buyer. “This is an embarrassment to any medical facility, the release of private information with regard to health was not safeguarded and breached. That’s bothersome.” Representative Buyer sits on the House Committee on Veterans’ Affairs. He said the issue has now reached President Bush’s cabinet.
    “I assure you the secretary is well aware of the breach.” The Secretary of Veterans’ Affairs will investigate if this turns out to be a nationwide problem. (May 16, 2002)
  • A San Francisco man who has pleaded guilty to hacking into the computers of a San Francisco hospital could face a maximum penalty of one year in prison and a fine of $100,000, plus restitution when he is sentenced on April 26, 2002. Michael Logan, 34, pleaded guilty last month to sending 30,000 e-mails to employees and associates of the hospital, which appeared to be from an employee of Catholic Healthcare West (CHW) and contained insulting statements about employees, reports the San Jose Business Journal. CHW owns 42 hospitals in Arizona, Nevada and throughout California. It is the largest nonprofit health care provider in California and the largest Catholic hospital system in the western United States. (San Jose Business Journal, March 2002)
  • Thieves allegedly took patient information from Yale-New Haven (CT) Hospital, used the data to fraudulently obtain credit cards, and bought thousands of dollars in merchandise across the state, according to the Associated Press. Police charged Robert Williams January 29 with using credit cards he obtained with information stolen from the hospital. Williams told a police sergeant that he obtained the information from an inside source at Yale-New Haven Hospital. Williams charged more than $8,000 on the patient’s credit card. The credit card scheme involved a hospital employee identified as “Tracy,” who stole patient information including names, birth dates, and social security numbers, according to police. The information was used to make fake driver’s licenses and identification cards in the names of hospital patients. The identifications were then used to open the fraudulent credit card accounts at stores throughout Connecticut. The employee had been fired from the hospital for violating its policy regarding patient records and police have not determined her true identity. (February 20, 2002)
  • University of Minnesota researchers accidentally revealed the names of deceased organ donors to 410 patients who received their kidneys. A glitch in a computer-generated letter sent each year to recipients participating in a long-term study of 1,200 patients caused the confidentiality breach, reports the Minneapolis Star Tribune. The error was discovered this month when a patient who received a kidney from a dead donor called to ask whether a name on the letter was the donor’s. It was the second time in three months that computer problems at the university led to a privacy breach. The university and LifeSource, the company that manages the organ donation system, are contacting recipients and relatives of donors about the error to ask them not to contact the donor families. The transplant patients are mostly from the Midwest, and donors were from across the country, reports the Tribune. The university had to report the violation to the National Institutes of Health, which is funding the study, and inform the university’s internal review board. The names of the dead donors have now been removed from the database. (The Minneapolis Star Tribune, February 4, 2002)
  • An anonymous call from a suburban hospital physician’s assistant to the Montgomery County, Maryland Police CrimeSolver’s tip line about a psychiatric patient who talked of killing and raping women could soon come under scrutiny in a Maryland appeals court. The patient, Curtis Lee Ring, 39, of Germantown, was recently convicted of attempted rape in two separate cases. Before he is sentenced on the two convictions, Ring is scheduled to stand trial in April, 2002 in connection with a third attack. In a pretrial ruling, Montgomery Circuit Judge James C. Chapin rejected Ring’s lawyer’s argument that prosecutors should not have been allowed to use much of the evidence because police learned about Ring from a physician’s assistant who helped admit him to Suburban Hospital. Ring’s lawyers plan to appeal. They argued that the phone call violated a Maryland law protecting psychiatric patients’ confidential medical records and the privacy of their conversations with doctors or nurses. “At no time does the [doctor/patient] privilege operate with more importance and more force than when it protects the patient from unauthorized disclosures which may lead to criminal prosecution,” Ring’s lawyers wrote. (The Washington Post, February 22, 2001)
  • University of Minnesota researchers accidentally revealed the names of deceased organ donors to 410 patients who received their kidneys. A glitch in a computer-generated letter sent each year to recipients participating in a long-term study of 1,200 patients caused the confidentiality breach, reports the Minneapolis Star Tribune. The error was discovered this month when a patient who received a kidney from a dead donor called to ask whether a name on the letter was the donor’s. It was the second time in three months that computer problems at the university led to a privacy breach. The university and LifeSource, the company that manages the organ donation system, are contacting recipients and relatives of donors about the error to ask them not to contact the donor families. The transplant patients are mostly from the Midwest, and donors were from across the country, reports the Tribune. The university had to report the violation to the National Institutes of Health, which is funding the study, and inform the university’s internal review board. The names of the dead donors have now been removed from the database. (The Minneapolis Star Tribune, January, 2001)
  • Thieves allegedly took patient information from Yale-New Haven (CT) Hospital, used the data to fraudulently obtain credit cards, and bought thousands of dollars in merchandise across the state, according to the Associated Press. Police charged Robert Williams January 29, 2002 with using credit cards he obtained with information stolen from the hospital. Williams told a police sergeant that he obtained the information from an inside source at Yale-New Haven Hospital. Williams charged more than $8,000 on the patient’s credit card. The credit card scheme involved a hospital employee identified as “Tracy,” who stole patient information including names, birth dates, and social security numbers, according to police. The information was used to make fake driver’s licenses and identification cards in the names of hospital patients. The identifications were then used to open the fraudulent credit card accounts at stores throughout Connecticut. The employee had been fired from the hospital for violating its policy regarding patient records and police have not determined her true identity. (Associated Press, January 29, 2001)
  • An Alexandria teenager allegedly intercepted telephone pages intended for doctors on a surgical floor at Inova Fairfax Hospital, then called in and prescribed medication and even ordered minor medical procedures for patients, according to court papers and hospital officials. Hospital officials acknowledged that nurses followed the 16-year-old’s medical directions, but they said no patients suffered because of it. They said the hospital has since added security measures to the phone paging system. (The Washington Post, December 16, 2000)
  • A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital’s employees. (The Boston Globe, August 1, 2000)
  • A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store. (Kiplingers, February 2000)
  • The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut. (The Hartford Courant, May 14, 1999)
  • A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet. (The Ann Arbor News, February 10, 1999)
  • A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998)
  • In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998)
  • A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997)
  • A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy database included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997)
  • An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS. (USA Today, October 10, 1996)
  • A banker who also sat on a county health board gained access to patients’ records and identified several people with cancer and called in their mortgages. (National Law Journal, May 30, 1994)
  • A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman’s uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991)
  • A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended. (Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597)
  • A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. (New York Times, October 10, 1990, Section 1, page 25)
  • Consumer Reports found that 40 percent of insurers disclose personal health information to lenders, employers, or marketers without customer permission. (“Who’s reading your Medical Records,” Consumer Reports, October 1994, at 628, paraphrasing Sweeney, Latanya, “Weaving Technology and Policy Together to Maintain Confidentiality,” The Journal of Law, Medicine and Ethics (Summer & Fall 1997) Vol. 25, Numbers 2, 3)