New way to get kids interested in medicine: post confidential medical records on a homework site?

Was this a new way to get kids interested in medical careers?

Or was it an accident due to the highest levels of negligence associated with lowest/cheapest standards in hiring for mission critical roles?

Patient Data Posted Online in Major Breach of Privacy
New York Times
Sept. 8, 2011
Kevin Sack

A medical privacy breach at Stanford University’s hospital in Palo Alto, Calif., led to the public posting of medical records for 20,000 emergency room patients, including names and diagnosis codes, on a commercial Web site for nearly a year, the hospital has confirmed.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called “Student of Fortune,” which allows students to solicit paid assistance with their school work. Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.


To teach the kids to be medical bean counters at an early age, perhaps?


Even as government regulators strengthen oversight by requiring public reporting of breaches and imposing heavy fines, experts on medical security said the Stanford incident spotlights the persistent vulnerability posed by legions of outside contractors who gain access to private data.


In the Oct. 2009 post "Private medical records offered for sale" I wrote about how such data was for sale by onion-like layers of contractors - cheap.


The spreadsheet contained names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birthdates, credit-card accounts or other information used to perpetrate identity theft, he said, but the hospital is offering free identity protection services to affected patients.


(Partial) luck prevailed - this time.


The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer. The hospital took “aggressive steps,” [i.e., its CIO made a quick, panicky phone call - ed.] and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said.


Perhaps "aggressive steps" should have been taken before private medical data was published on a kids' homework site?


“It is clearly disturbing when this information gets public,” he said. “It is our intent 100 percent of the time to keep this information confidential and private, and we work hard every day to ensure that.”

Would "Master of the Obvious" (a favorite line of my early medical mentor, cardiothoracic surgeon/polymath Dr. Victor P. Satinsky) be too kind a response to this statement?


Diane Dobson, of Santa Clara, Calif., said her “jaw dropped” on Saturday when she intercepted the letter from Ms. Meyer addressed to her 21-year-old son, who she said received emergency psychiatric treatment at Stanford in 2009. Ms. Dobson said it could have been disastrous if her son, who lives at home, had learned that his name was linked online to a diagnosis for psychosis.

“My son, I can tell you, is fragile and confused enough that this would have sent him over the edge,” Ms. Dobson said. “Everyone with an electronic medical record is at risk, and that means everyone.”


My sympathies go out to this mother and her son. Her concerns show that cavalier attitudes towards EMRs can lead to catastrophe beyond identity theft or career damage.


The incident at Stanford, while egregious in its details, is far from rare. Records compiled by the Department of Health and Human Services reveal that personal medical data for more than 11 million people has been improperly exposed during the last two years alone ... The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.


I'm certain there is an increasing amount of critical medical data being withheld by patients as publicity about these breaches becomes more widespread.


The breaches at Stanford reinforce that even the most prestigious medical centers are not immune to risk.

Massachusetts General Hospital in Boston, which trains Harvard medical students, agreed this year to pay a $1 million federal fine after an employee left paper medical records on a subway train while commuting to work. The pages contained the names of 192 patients, and diagnoses for about a third of them, including for H.I.V./AIDS. They were never recovered.


I note these are both pioneers in electronic health records. Imagine what might be happening at Podunk Hollow General Hospital...


Mr. Migdol said the hospital had concluded that “there is no employee from Stanford Hospital who has done anything impermissible.” He said he expected the federal Department of Health and Human Services to conduct its own investigation. Susan McAndrew, deputy director of health information privacy for the department’s Office of Civil Rights, said she could not discuss whether an investigation was in progress ... Bryan Cline, a vice president with the Health Information Trust Alliance, a nonprofit company that establishes privacy guidelines for health care providers, said that nearly 20 percent of breaches were perpetrated by outside contractors, accounting for more than half of all the records exposed.


When you start to outsource mission critical data, you should probably be prepared to take responsibility for whomever you outsource it to.


The vendor, identified by Mr. Migdol as Multi-Specialty Collection Services LLC, based in Los Angeles, could not be reached for comment. Mr. Migdol said the company created the spreadsheet as part of a billing-and-payment analysis for the hospital. He said the hospital immediately suspended its relationship with the contractor and received written certification that previous files would be destroyed or returned securely.


Apparently someone there with access to the spreadsheet was less than careful about keeping it away from children. One wonders if they would have been more careful with pornography...


“We’re still kind of caught in the pre-high-tech trust model instead of the insurance model,” Mr. Cline said. “Health care providers say, ‘I’m going to have some contract language and then just trust that you’ll protect my data because if you don’t I’m going to sue you.’ That just doesn’t work, as we can see. You have to do due diligence, something to assure yourself that the people you’re giving your data to can be trusted.”


I'd say we're still in the stone age with respect to our irrational exuberance about health IT. See my series of articles on these issues at these query links: computer security, medical record privacy, medical record confidentiality.

A fundamental set of rules in today's hire-on-the-cheap, keep-staffing-minimal environment is this:

1. If you want information to be kept secure, don't place it on a computer.
2. If you place the information on a computer, don't place the computer on a network.
3. If you place the computer on a network, the information is no longer secure.

In our current culture I do not believe these issues to be easily remediable, but hiring the truly best and brightest (after satisfactory scores in a very hard test in critical thinking skills) into IT roles - including design, implementation, and management - might be a start.

-- SS

Another Hospital Putting on the Ritz

The usual definition of a hospital is an institution which treats the sick and injured. That is a messy business, so some hospital executives seem to yearn to be doing something a little more - shall we say - upscale. For example, the Chattanoogan reported:
Erlanger Health System will launch in October one of the most ambitious employee training initiatives in its 120-year history. All 4,500 employees will participate in a new service excellence program based on the legendary Ritz-Carlton service model.

'This is not a program. This is the beginning of long-term cultural transformation,' says Erlanger CEO James Brexler. 'Our board and leadership team believe this initiative is one of the most significant developments in the continued evolution of Erlanger.'

The Erlanger Health System strategic plan, adopted by the board of trustees last year, identified service excellence as a priority. Funding for the initiative was approved in this year’s operating budget. The corporate university of Ritz-Carlton was selected to help take Erlanger’s patient experiences to the next level.

A hospital, of course, provides services to patients. However, it seems glaringly obvious that the sort of services required by the sick and injured, especially the critically ill, are very different than those people who go to four-star hotels. Providing care to a patient on a ventilator (breathing machine), for example, hardly resembles providing spa services to a wealthy hotel guest.

Furthermore, Erlanger Health System is a public, non-profit health system with a mission that involves service to the poor:
To deliver excellence in medical care to improve the health status of our region, while providing vital services to those in need, and training to health professionals through affiliation with academic partners

The Boston hotel in the Ritz-Carlton chain, its flagship property, boasts that it:
features hotel rooms and suites in Boston designed as sanctuaries of urban luxury.

Where is the parallel to providing health care services to "those in need" who are acutely ill and injured?

By the way, a few days after the Erlanger-Ritz-Carlton connection was announced, the Times Free Press noted questions about how the contract was awarded:
Erlanger officials defended the no-bid procedure Monday, saying the hospital was correct in bypassing a competitive bid process and awarding a 'professional services' contract to Ritz-Carlton.

'Tennessee law says government entities do not have to bid professional services,' hospital spokeswoman Susan Sawyer said.

Even early in the process, Whisman said, 'it was so clearly the Ritz going forward.'

'There was a lot of board support, executive-level support and steering committee support,' she said. 'Ritz had it all.'

Furthermore, how well the money will be spent may be difficult to find out:
In October, a Ritz-Carlton speaker is expected to lead several four-hour sessions, each of which will hold 400 employees, hospital officials said.

The bill for those sessions is $288,000. On Thursday, Sawyer said Ritz-Carlton prohibited the media from attending the sessions because of proprietary information the hotel chain prefers to keep secret.

It is not that the hospital system has money to burn, as the Chattanoogan just revealed:
Erlanger Health System officials reported a $1.3 million loss for July,...

In addition,
Admissions were under budget by 1.6 percent for the month and ahead of the previous year by 3.8 percent.

So, in summary so far, a public hospital system that is currently experiencing budgetary challenges is spending hundreds of thousands of dollars for the Ritz-Carlton luxury hotel chain to train its employees in secret sessions about "service excellence," and the hospital system's management thinks this is a top priority.

In my humble opinion, this illustrates a larger problem with the leadership of health care. Health care organizations are often led by ultra generic managers, that is, managers trained in such fields as marketing, public relations, and finance, but without any experience or training in actually taking care of patients. (The supremacy of generic management is strange given that patient care itself has become so specialized.) The utter lack of gut feeling for what health care is really about seems to lead to managers thinking that hospitals are like automobile assembly plants, or in this case, like luxury hotels. I cannot help but believe that such ultra generic managers, who do not appreciate the values of health care professionals, and do not understand the health care context, are going to make some very bad decisions, and are an important cause of health care dysfunction.

I cannot help but believe that the Erlanger CEO, Mr. James Brexler (whose most advanced degree was a "Masters of Public Affairs from North Carolina State University"), was entirely off base when he was quoted:
'This is not a flavor-of-the-month thing,' continues CEO Brexler. 'This is a strategic priority and business imperative. We are committed to this. We are excited about it. Our staff is excited. Our physicians are excited. The results, we believe, will be evident to our patients and their families.'

True health care reform would make sure health care leaders actually understand health care and uphold its values.

PS - Long ago, we noted the trustees of another hospital system who seemed to think that Ritz-Carlton experience was perfect background for hospital executives.