2011 Closes on a Note of Electronic Medical Record Privacy Breach Shame

At my Oct. 2011 post "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure" and others in this query link on medical record privacy, http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy I wrote:

"Don't worry, your medical data's safe."

Joseph Conn of ModernHealthcare.com apparently disagrees (with my sarcasm, that is) and states the obvious outright. I post his story with few comments and several emphases which are mine:

Year closes on a note of breach shame
Modern Healthcare
Dec. 2012

Three-eighty. Three-eighty. Do I hear four hundred?

With 2011 winding down, there are now 380 major data breaches involving 500 or more patients' records listed on the "wall of shame" website kept by HHS' Office for Civil Rights.

So far, from the first wall postings in September 2009 through the latest on Dec. 8 this year, there have been 18,059,831 "individuals affected," and even that massive number is an undercount of the breach problem.

First, the civil rights office hasn't yet released the records of tens of thousands of breaches it has received under a federal reporting mandate on breaches affecting fewer than 500 patients per incident. I've been asking for electronic copies of those records since June. I hope to hear soon on an appeal of a decision last fall by HHS, claiming that the civil rights office can hide those reports while it "investigates" an estimated 30,000 or more breaches they describe.

Second, even the OCR's posted numbers are low.

A Nov. 4 public notice on a breach reported by the UCLA Health System states that "some personal information on 16,288 patients" was stolen, but the wall of shame lists the "individuals affected" in the UCLA incident as 2,761.

UCLA spokeswoman Dale Tate said in an e-mail that the nearly six-times-larger number in its notice "represents the number of individuals who had some information on the hard drive," while the 2,761 figure sent to the OCR "represents the number of people that met the specific criteria" under the federal breach notification rule.

Under the federal rule, Tate says, "the information for these individuals could possibly cause more than a minimal amount of financial, reputational or other harm." Information on the rest of the individuals, Tate said, did not meet the criteria.

Not to get too harpy, but this breach stuff is long past being ridiculous.

The lawyers are already all over it, and maybe that's what it will take for the industry to finally start addressing the problem. Brian Kabateck, a California lawyer, thinks so.

In the past three months, his Los Angeles law firm has filed a pair class-action breach suits against two of the most highly regarded healthcare systems in the state, University of California, Los Angeles and Stanford, as well as one of the latter's business associates, Multi-Specialty Collection Services.

"I think this is a short blip on the radar," Kabateck said. As the settlement costs pile up, he said, "I think big institutions are going to learnfive years from now, these lawsuits are going to be obsolete."

Class-action lawsuits are needed as much for health IT risk and safety issues causing near-misses, injuries and death as for security breaches, I note.

I think five years is highly overoptimistic as well on the breach issue, considering the degree of "institutional learning" that's occurred on how to do health IT "right" over the past ~ three decades, and considering that the breaches that are increasing, not decreasing, in intensity and severity across all industry sectors. That includes industry sectors far better equipped to manage IT security than hospitals.

Right now, though, Kabateck says, "This is not to the level of being an epidemic, but it's close."

I think it is epidemic.

Rather than being a miracle that will revolutionize medicine, health IT is like any other information and communication technology (ICT): it has unintended consequences (UC's) that can dilute or even negate its advantages. The issue of damaged medical record privacy, confidentiality and security is but one UC of health IT.

-- SS