The Washington Post reports on security breaches concerning the privacy of patient data:
As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials.
Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.
On May 14, federal prosecutors charged one of the hospital’s medical technicians with violating the Health Insurance Portability and Accountability Act (HIPAA). Prosecutors allege that over a 17-month period, Laurie Napper used her position at the hospital to gain access to patients’ names, addresses and Medicare numbers to sell their information. […]
Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients’ files onto a personal laptop, which was stolen from the contractor’s car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have accessed the patient files without a randomly generated key. According to a hospital news release, those files included names, addresses and Social Security numbers — and, in a few cases, “diagnosis-related information.” […]
Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health announced that hackers based in Eastern Europe had broken into one of its servers and stolen medical information for almost 800,000 people — more than one of every four residents of the state. […]
As recently as five years ago, it’s possible no one outside Howard University would have known about the incidents there. But reporting rules adopted as part of the 2009 stimulus ensure that the public knows far more about medical data breaches than in the past. When a breach occurs that affects 500 or more patients, health-care providers must notify not only HHS but also the news media.