How secure are your medical records? The answer for most people is, “Not as secure as you think.” And after its latest data breach earlier this week, Oregon Health & Science University’s repeated security lapses make it an exemplar of the widespread failure to protect private health care information.
Before we get to OHSU, though, a bit of background.
Paper or password?
Your medical record – or, as it’s called nowadays, protected health information (PHI) – contains some of your most private, sensitive information. From embarrassing rashes to depression screenings, from your Social Security number to your sex life, this is information most people do not want floating around, viewable by random unknown individuals.
Not so long ago, medical records were kept on paper, in folders that filled shelf after shelf in a locked file room in the doctor’s back office. It was a cumbersome method but reasonably secure. To steal 3,000 charts, you’d need a key, a hand truck, and a cloak of invisibility (for sneaking them through the waiting room and out the door).
Today, health care reform has brought a mandatory migration to electronic health care records. The idea is for all your providers to be able to access your PHI, the better to provide coordinated care. But anything in electronic form is more difficult to secure than a hard copy, especially in large medical offices with lots of employees who all have a system password. The predictable downside of electronic record-keeping is data insecurity. A data thief no longer needs a hand truck for 3,000 records, and large-scale security breaches have become distressingly common.
Data insecurity on Pill Hill
OHSU is one of the largest health care organizations in the state, providing inpatient and outpatient care in every medical specialty, including psychiatry (46 providers) and psychology (14 providers). Of course, the more people on any computer system, the greater likelihood someone makes a boneheaded mistake.
In fact, OHSU has racked up a sizable tally of large data breaches, occurring almost annually for the past five years. The latest incident, July 28, was superlatively boneheaded — over 3,000 patient records were actually placed online, on the public Internet. As we all know, when data goes on the Internet, it’s about as secure as the front page of today’s newspaper.
OHSU’s announcement of the breach, as usual, minimized the damage and OHSU’s responsibility. But it admitted, “The data stored with the Internet service provider included the patient’s name, medical record number, dates of service, age, provider’s name and diagnosis/prognosis. For 731 patients, the data also included an address.”
Compromising tomorrow’s data today
In this incident, there’s even the possibility of unknown persons accessing the data in the future. OHSU explained: “There is no evidence that the data was accessed or used by anyone who did not have a legitimate patient care need to view the information. However, the terms of service indicate the data stored with the Internet-based provider can be used for the ‘purpose of operating, promoting, and improving [its] Services, and to develop new ones.’ OHSU has been unable to confirm with the Internet service provider that OHSU health information has not been, and will not be, used for these purposes.” (Emphasis added)
Yes, folks, they stored it on Google.
It’s the data breach that keeps on giving.
OHSU’s 5-year record of failure
This was not the first large data leak at OHSU – it wasn’t even the first this year. Breaches have occurred almost every year since 2008 and twice so far in 2013, compromising thousands of personal health records.
- March 25, 2013: OHSU notified more than 4,000 patients their data may have been compromised after a surgeon stored medical records on his laptop, which he took on a Hawaii vacation. The laptop was stolen – medical records and all.
- July 31, 2012: OHSU announced a thumb drive containing over 14,000 patient records, as well as confidential employee information, was stolen in a home burglary. OHSU, however, only notified 702 patients, saying the other 13,298 records did not have information typically used in identity theft or medical information that could be embarrassing. (Note this was OHSU’s opinion of what you would find embarrassing.)
- August 11, 2010: Up to 4,000 records were stolen from an OHSU psychologist who left his laptop in his car. Stolen data included Social Security numbers, names and diagnosis information.
- June 12, 2009: Approximately 1,000 medical records were taken when an OHSU physician’s laptop was stolen.
- Dec. 13, 2008: OHSU sent letters to 890 patients, telling them a stolen laptop may have held their medical records.
94%? Yes, 94%
OHSU is hardly the only provider with flimsy security. A 2012 independent study found that in the preceding two years, 94% of health care organizations had suffered at least one data breach, averaging 2,769 records each. Yet fewer than half of health care organizations said they perform annual security risk assessments. And the number of breaches is rising.
Wait – wasn’t HIPAA supposed to take care of this? HIPAA does contain stringent privacy protections, but there’s a difference between writing a policy and actually keeping data secure. A data breach that violates HIPAA can net the provider a hefty fine, but a fine can’t un-steal your Social Security number or un-tell the world your most intimate health information.
What can you do?
Electronic records are inherently insecure, but they’re here to stay. Most of the risk doesn’t come from anything you do, but from health care organizations with security practices that just don’t work.
When 94% of providers admit they have put PHI at risk, trusting your doctor’s office to keep your medical records safe would be naive. Is there anything patients can do?
Yes, says the Federal Trade Commission; there are certain measures you can take to spot data breaches early and reduce the overall risk. (Did you know you can get a complete list of every disclosure of your PHI?) Here’s the FTC’s guide on being a security-savvy health care consumer.