In a series about cyber compliance issues, the Wall Street Journal takes a look at how collecting enormous amounts of data, without securing the private or sensitive information, can lead to large problems when there are security breaches:

It’s well-known that many companies aren’t aware when they have had their security breached. Compounding that problem is the fact it is hard to determine what might have been lost, because many companies have accumulated data over years in multiple forms.

Ignorance about stored data can magnify the costs of notifying customers and the risk of regulatory or legal repercussions, according to various experts.

“Companies continue to allow the information haystack to grow and grow and grow,” said Bruce Radke, chair of the data privacy group at law firm Vedder Price. The first step in any company’s assessment of its data should be “really looking at the information you need and getting rid of everything else,” he said. [...] Read more »

The Toronto Sun reports on a medical data privacy issue in Ottawa:

OTTAWA — A group of patients whose personal information was lost is suing Montfort Hospital in Ottawa for $40 million.

The suit stems from a lost USB memory stick that contained information on 25,000 patients. The stick was lost in November 2012 before it was eventually recovered.

The memory stick contained patient names, a summary of services received, the date of service and a code representing the health care provider on the case. It also included information on 1,255 members of the Canadian Armed Forces.

The plaintiffs are accusing the Montfort of breach of contract, negligence, breach of privacy and violating its own bylaws and the Personal Health Information and Protection Act (PHIPA), [...]

The suit charges the hospital also failed to ensure the memory device was password protected and that the hospital “failed to disclose the loss of personal information “in a timely manner.”

Bloomberg News reports that hospitals are looking to biometric technology, including iris scans, as a defense against security breaches and medical identity theft:

Clinics and hospitals around the world are acquiring technology that identifies people based on physical traits to improve patient safety and stamp out fraud. HCA Holdings Inc. (HCA) hospitals in London, as well as health-care providers across the U.S., are buying so-called biometric technologies.

Biometrics makers, such as Safran SA (SAF), Fujitsu Ltd. (6702) and closely held AOptix Technologies Inc. and M2Sys Technology, say demand from health-care providers is growing. While ensuring the right person gets the right treatment is the main reason for buying biometrics, hospitals and patients see another benefit: reducing the risk of data breaches that can lead to identity theft. [...]

Identify theft is leaving hospitals with unpaid bills and consumers on the hook for costly treatment they didn’t receive. Data breaches, which include lost and stolen information, may cost the health-care industry in the U.S. as much as $7 billion a year, according to a survey conducted by the Ponemon Institute, a Traverse City, Michigan-based organization that studies privacy, data protection and security. Read more »

Latanya Sweeney, director of the Data Privacy Lab at Harvard, has been researching the issue of de-anonymization or re-identification of data for years. In 1998, she explained how a former governor of Massachusetts had his full medical record re-identified by cross-referencing Census information with de-identified health data. Sweeney also found that, with birth date alone, 12 percent of a population of voters can be re-identified. With birth date and gender, that number increases to 29 percent, and with birth date and zip code it increases to 69 percent. In 2000, Sweeney found that 87 percent of the U.S. population could be identified with birth date, gender and zip code. She used 1990 Census data.  In 2011, her research reported on the dangers that can arise from the re-identification of “anonymized” medical data, and her advocacy of a “privacy-preserving marketplace” for data.

Now, Forbes reports, a group led by Sweeney has been able to re-identify “more than 40% of a sample of anonymous participants in a high-profile DNA study.”

From the onset, the Personal Genome Project, set up by Harvard Medical School Professor of Genetics George Church, has warned participants of the risk that someone someday could identify them, meaning anyone could look up the intimate medical histories that many have posted along with their genome data. That day arrived on Thursday. Read more »

The New York Times takes a look at the issue of marketers’ gathering personal data about individuals:

A FEW weeks ago, a friend received a flier in the mail inviting her to an event in Manhattan for patients with multiple sclerosis. [...]

The thing is that my friend, who requested that I keep her name out of this column, does not have multiple sclerosis, an autoimmune disease that affects the central nervous system.

But last year, she did search online for information about various diseases, including M.S., on a number of consumer health sites. She also subscribed to an online recommendation engine where she looked up consumer reviews of local physicians.

Now she wondered whether one of those companies had erroneously profiled her as an M.S. patient and shared that profile with drug-company marketers. She worried about the potential ramifications: Could she, for instance, someday be denied life insurance on the basis of that profile? Read more »

Patient Privacy Rights and Microsoft are hosting a panel discussion, “Unintended Consequences: Patient Perspectives on the HIPAA Omnibus Rule,” on April 25 in Washington, D.C. Here’s more information:

While the Department of Health and Human Services offered some clarity on HIPAA’s broad privacy powers, patients are still largely in the dark. After 500+ pages of regulations, questions remain about what health providers should do to comply with HIPAA. Patients deserve to understand how their personal health information is protected, who has access to it, and how patients can manage their own data. How will the new regulations affect them and their healthcare coverage? How are healthcare providers changing their protocols, if at all? Is sensitive patient data more protected from security breaches, and if not, where can we go from here?

We hope to move the dialogue forward so patients can benefit from new technologies while understanding how their privacy is protected. Join us for a lunch conversation to explore these issues at the next installment of our @Microsoft event series.

• Joseph Conn, Moderator, Staff Writer, Modern Healthcare
• Iliana L. Peters, Health Information Specialist, Office for Civil Rights, U.S. Dept. of Health and Human Services
• Deborah C. Peel, MD, Founder, Patient Privacy Rights (PPR)
• Corrine Carey, Assistant Legislative Director, New York Civil Liberties Union (NYCLU)
• Hemant Pathak, Assistant General Counsel, Microsoft

Date: Thursday, April 25, 2013, at noon EDT
Location: 901 K Street, NW, 11th Floor; Washington, DC 20001
Register at: https://live.iplanevents.com/index.cfm?fuseaction=reg.page&event_id=2411