Tuesday, May 13, 2008

Ah, Sweet Mystery

Is your data secure? How do you know?

Here is yet another example of data exposed by carelessness and a simple error, and not noticed or reported for quite a long time.

From the San Francisco Chronicle:


Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.


Over 6,000 patients' information was exposed on the internet for more than three months. The sad and sorry part is not that the people affected weren't promptly notified once it was caught; that is simply crummy behavior, and as heinous as it is, it is out of our scope. The real issue is that learning you are exposed oftentimes comes far too late. In this case it was a careless data-mining company, which should have been under a Business Associate agreement under the HIPAA rules and monitored by the hospital's compliance officer.

Doing a vanity search on Google and finding your own medical records must be quite a shock. Imagine one of your customers finding something like that... say, last year's quarterlies conveniently displayed for the world to peruse.

So is there a bullet-proof way of making certain that your stuff stays secure? Not really, but there are a number of ways you can protect yourself. For big companies the options are legion, but for smaller companies one of the best is to consolidate your data so that access goes through a single, monitored point rather than through copies scattered across laptops, contractors and web folders. Online hosting puts professional and vigilant care of your data in the hands of people who do it for a living. Like the common cold, there is no cure for idiocy, but knowing that your information is held by people who make it their business to keep it safe, secure, and accessible only to the right people is priceless.
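The question the post opens with, "Is your data secure? How do you know?", deserves at least one concrete check. The following is an added example, not code from the original post or from UCSF or its vendor: a small audit that walks a web server's document root looking for files that carry several patient-data indicators at once (a medical record number, a date of birth, an e-mail address, a Social Security number) and reports whether each such file is world-readable, which on a typical web host means the web server can serve it. The indicator patterns, the MRN format, and the sample files are all constructed assumptions for illustration; a real deployment would use the institution's own identifier formats.

```python
"""Added example (not from the original post): audit a web document root
for files that look like patient exports and check whether they are
world-readable. Patterns and sample data below are constructed."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Heuristic indicators of patient/PII content. The MRN format is an
# assumption for this example; real institutions have their own numbering.
PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


@dataclass
class Finding:
    path: str
    indicators: list   # sorted names of PATTERNS that matched
    world_readable: bool


def scan_file(path, max_bytes=1_000_000):
    """Return the sorted list of indicator names found in the first
    max_bytes of the file (binary-safe: undecodable bytes are replaced)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return []
    text = data.decode("utf-8", errors="replace")
    return sorted(name for name, pat in PATTERNS.items() if pat.search(text))


def audit_docroot(root, min_indicators=2):
    """Walk root and report files with at least min_indicators distinct
    PII indicators. Requiring more than one indicator keeps a lone contact
    e-mail on a public page from being flagged."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if len(hits) >= min_indicators:
                mode = os.stat(path).st_mode
                findings.append(Finding(path, hits, bool(mode & stat.S_IROTH)))
    return sorted(findings, key=lambda f: f.path)


def build_sample_docroot():
    """Constructed sample: a public index page plus a patient export that
    someone dropped into a web-served folder with default permissions."""
    root = tempfile.mkdtemp(prefix="docroot-")
    export = os.path.join(root, "reports", "export.csv")
    os.makedirs(os.path.dirname(export))
    with open(export, "w") as fh:
        fh.write("name,mrn,dob,email\n")
        fh.write("Jane Roe,MRN 00123456,DOB 01/02/1970,jane@example.org\n")
    os.chmod(export, 0o644)          # world-readable, as a careless copy would be
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Contact: webmaster@example.org</body></html>\n")
    return root


if __name__ == "__main__":
    for finding in audit_docroot(build_sample_docroot()):
        print(finding)
```

Run against a real document root the script is only a first pass: it finds the obvious export that should never have been under the web root, which is exactly the class of mistake in the story above, and a scheduled run that mails its findings to the compliance officer turns a three-month exposure into a same-day one.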

3 comments:

Onehealthpro said...

Perfection cannot be achieved, but checks and balances in work performance systems would prevent many of the infractions we are reading about in the newspaper.
Onehealthpro

michael said...

You are correct there. I see a lot of systems set up for security and then ignored, not in the performance but in any sort of "meta" sense. Poor or no auditing, complacency, or no oversight.
For a lot of organizations it seems they must be burned in order to get their attention.

Amarjeet Prasad said...

Thanks for writing this. I really feel as though I know so much more about this than I did before. Your blog really brought some things to light that I never would have thought about before reading it.

HIPAA Training
HIPAA Certification