Personal Identity Thieves Love Health Records

Security breaches are up 32%—but because of a loophole, if your patient data is stolen, you may not even be told about it!


Why wouldn’t an identity thief love electronic patient records? They are a veritable goldmine. Each record contains the patient’s name, Social Security number, birthdate, contact info, and insurance, not to mention private health and treatment data. Security breaches cost the industry $6.5 billion, and most breaches occur when a computer is stolen. The number of thefts is increasing dramatically each year; this year there were 32% more breaches, the New York Times reported this week.

That 32% comes from data reported to the Department of Health and Human Services. But here’s the zinger: Federal law requires health organizations to report data breaches to HHS only if they affect more than 500 people. And it requires disclosure only in cases that “pose a significant risk of financial, reputational, or other harm to the individual affected.”

Who gets to decide this? The company that was handling the data—and was responsible for the breach. It’s in their own interest, of course, to minimize their exposure. So a record listing your name alone would be ignored; 499 complete records may be ignored; and any number may be ignored if supposedly not posing a risk of harm. In these instances, victims would never be notified.

The CDC says about 57% of doctors’ offices use electronic medical records (EMRs); just last year it was only 45%. EMRs are a requirement of the Affordable Health Care Act, and as more and more hospitals and healthcare systems begin to comply, the problem will only get worse in the future.

In October, a desktop computer containing unencrypted records on more than four million patients was stolen from Sutter Health, a nonprofit health system based in Sacramento. The theft is now the subject of two class-action suits, each of which seeks $1,000 for each patient record breached.

You may recall that ANH-USA has consistently opposed a nationwide mandatory electronic records system. We believe that allowing hundreds of thousands of parties to access your records, including mental health and other sensitive information, is by definition a serious invasion of privacy. At the very least, patients should be able to opt out.

Another problem is that EMRs allow state medical boards to go on “fishing expeditions” targeting integrative physicians, because they can more easily search to see what treatments the physicians are using that may be outside some arbitrarily and vaguely defined “standard of care.” Fortunately, EMRs are only mandatory for doctors who participate in insurance or other federal programs; many integrative physicians do not take insurance and do not use EMR. Unfortunately this just means that the patients have to pay twice for healthcare, once for insurance they won’t use, and once in cash to the physician of their choice.

Of course, it’s not only electronic data that can fall into the wrong hands. In Minneapolis last month, sensitive medical information, including the patient’s name, account number, birthdate, and job, was found on the back of a drawing a child had made at elementary school. An attorney’s office had donated old scrap paper to the school for an after-school program; the attorney had been hired by the patient after a car accident, and the office employee who made the donation didn’t think there was any personal information on the papers. The attorney apologized for the mistake, saying that the donation was a violation of the firm’s privacy policies.

The elementary school sent out a message to every child in the after-school program to check if any other medical records have ended up in students’ homes, and asked students to return them.

Of course, if some cyber-terrorist destroyed the electronic systems, then it might be nice to have paper records like the ones that ended up in elementary school.

The larger problem with government mandates is usually one of unintended consequences, especially when we are all forced into a one-size-fits-all pseudo-solution. If government would leave medical professionals alone, they might come up with more creative solutions to the record-keeping problem, solutions that protect our privacy and take into account our individual needs and wishes.

27 comments

  1. I have just written an extensive Editorial to the Journal of Emergency Medicine on Personal Privacy Protection. When my email account was pirated by dangerous individuals who wanted money from my colleagues and family members, I was faced with a financial crisis that endangered myself and others I correspond with. With the Federal Government, it is hard to find personal privacy protection and it’s very hard to trust anyone!! I am a frightened physician who has been subjected to pirating and fraud.

  2. We are members of Kaiser, which has system-wide EMR. A couple of years ago, my husband passed out — cause unknown at the time. The paramedics took him to the nearest Kaiser, which was 100 miles from our home base. Because the EMR was available to the doctors there, they were able to access records of blood tests from only 5 days previously and determine his red blood count had dropped precipitously. The result was accurate diagnosis and appropriate treatment immediately.
    He might not be alive today if the EMR hadn’t been available. That’s a greater risk than identity theft in our book.

  3. Most of our medical records are now outsourced overseas for transcription. India and other countries receive these, transcribe the record, and send it back. There is no way that the U.S. can control how well these foreign countries are safeguarding this information.
    In addition to the privacy risks, there has been a loss of American jobs. Medical transcriptionists in America make about half the salary that they used to make (~10 years ago) because they have to compete with what companies are paying the foreign workers.

  4. Medical Records are always at risk due to the present laws and the people handling them…the audit in the chain of command is negligible compared to the audit chain of command in a banking system or financial system.

  5. The biggest offenders are the govt’s own claims processing contractors (partners). They are not covered under HIPAA and Congress gave all govt contractors immunity from prosecution and they can’t be internally audited. The ‘insiders’ state that over a trillion dollars has been stolen from Medicare by stealing the claims and ID of patients and turning them into multiples. In my case alone, into 17, by creating multiple suffixes on the SSN of myself and husband. This started 8.08 and went retro on all claims back to 1/06 and continues. The patient is liable for the stolen monies as an overpayment against themselves and estates. Since 2005, one can’t get a letter of waiver as one gets on a stolen credit card, as the former Sec of HHS Tommy Tompkins signed a memorandum of understanding that Social Security could issue them but they have yet to implement it. Govt contractors do not have the authority to waive public debts. This is not a hardship waiver where one got the benefits through an error. This is one: against equity and good conscience, and no personal financial info has to be provided. Worse than this is the ongoing practice of altering the diagnosis codes on the claims in order to circumvent the govt’s responsibility of sending recovery letters to primary payers such as workers comp, car accident insurer, etc. Estate attys in the Seattle region started getting the overpayment letters and caused a ruckus, so they are being suppressed. You can’t learn about this from Mymedicare.gov as it’s programmed to hide the theft (you leave the suffix off when requesting the claims). I brought this to the attn of officials and they have ignored it as that, itself is a contract. One financially interlocking company founded by investors of the Federal Reserve who get dividends are one of the main govt contractors including SSA’s. They use an illegal, offline computer system.
    1-800-Medicare agents did a great job for almost 2 years documenting and filling out the fraud reports, only to have their CEO at Vangent refuse to forward them into Medicare in violation of their contract, and now they are forbidden to ‘see’ fraud although they will usually detect it first. The fraud hot line is another govt contractor and that’s useless. Even complaints sent direct to Medicare fraud office are not docketed in nor are the stats reported to Congress. The opposite has occurred; the ‘alleged thieves’ were praised as doing a great job. Where is the money? It went to the Federal Reserve to be sent on, and no one has seen it except the European banksters. Few know that no govt funds are sent to anyone, even to another govt agency, until it goes back to the Federal Reserve first. I have over 5 million either by stealing ID and claims, like at Medicare, or the million to be put in trust for my federal workers comp injury at OPM that never arrived after leaving US Dept of Labor and coded in, and then there is the missing Part B Medicare premiums for over 5,000 due to Affiliated Computer Services coding the system for the $250 stimulus payment to not have a field for workers comp being involved. Linda Joy Adams with files and monies missing in 5 agencies under the control of ACS.

  6. This is sick. We were forced to participate in HIPAA and now it needs to be changed. So fix it.

  7. There is an even more insidious consequence of universally available electronic health records.
    It becomes impossible to get an independent second opinion from a practitioner because he has easy access to the records of the patient seeking that opinion.
    I have watched the expression on a physician’s face change from one of optimism upon examining a patient to one of serious pessimism after reading some other practitioner’s opinion – resulting in the second practitioner’s refusal to treat.

  8. Keep our records private. The government has no right to our personal health records.
    When did we the citizens vote to approve a “big brother is watching” government?

  9. My medical records have false diagnosis on them, so they can do just as much harm as good.

  10. All the more reason to go overboard and stay healthy and away from doctors, and just another reason why we must replace the Senate along with the president in eleven months or it is only going to get much worse.

  11. If we had “single payer” health care, only they would need the info and could keep the records to themselves.

  12. My take……although ID theft is a big problem it doesn’t surprise me that the medical people are the opening through which theft comes. To think they would solve the problem is not realistic. In most ways, doctors ARE the problem.

    1. This comment seems uninformed to me. Doctors ARE the problem? No, really??? It couldn’t possibly be our oversized government that wants total control of your health records for future use in decision making!
      A quick check of history reveals that in the early 1900’s when the Socialist ideology was coming over from Europe the “intellectually elite” [note the quotes] wrote, talked and propagandized about putting sterilization chemicals in the water of poor and black communities to genetically “purify” our nation and get rid of the weak, stupid and lazy. The Progressives [yes the same Democrat fraction that uses the same name], now back in power, are back at it again, AKA “ObamaCare”. Did it escape your attention that 90% of ObamaCare was written by other-than-elected-Congress before he took office?

      1. Oh, good Lord! Please, please get a grip on reality. The reality is that huge numbers of Americans have no access to health care– even less access to the natural care that people writing here prefer than they have to mainstream care. Progressives have been trying to change that so that we have an equitable society in which everyone has a chance to stay alive and in good health. Progressives are about power to the people, not power to the government. Health care is a basic human right and basic human need. What the current administration has done is still woefully inadequate in addressing this need, but it’s a lot more than previous administrations have managed. Cass, if you get seriously sick or get hit by a bus or something, I hope the social safety net that you hate so much will be there to take care of you.

  13. Whose big idea was it to post personal private patient health information anyway? What the hell was wrong with the old system? I think a company that mines this information should be held responsible to contact the person even if their info was stolen.

    1. Private patient information is not “posted” anywhere. It is used to submit insurance claims and to coordinate treatment between health care providers. The electronic systems used have a lot of security safeguards– which, of course, are not necessarily as secure as we might wish.
      As the article points out, it’s individual providers’ computers that are most at risk because they store a lot of information about patients and can easily be stolen.
      Elene Gusch, DOM
      (Doctor of Oriental Medicine– I do my own insurance filing for my patients so I’m very familiar with all this from the inside.)

  14. I am deeply troubled by the electronic medical records and have even told my doctor’s office. Being in an electronic format, they are more easily stolen and it disturbs me they are not even encrypted.
    I work in an office where I deal with personal medical and “social” information for elders and someone could easily hack into their records. Also electronic records could easily be lost if there was a disaster that involved electrical power outages, surges, and EMP. Yes, I do know paper files could be damaged by fire, but so can electronic records.
    Medical records should be treated as financial and military data are…encrypted, kept in paper files, and VERY secure.
    As far as safety during disaster, here is a case in point. A friend of mine, now retired, was an operating room supervisor. She had the electronic records, but made SURE paper records were kept in place too. The power went out during a blizzard a few years back. The auxiliary generators came on, but the system did not power the computers….the entire hospital was in a panic….with NO access to medical records………..The only place functioning normally in the entire hospital was……yes, you guessed it……..the operating room! And this was during a major blizzard, a disaster in the making. What would happen if there was a multi-car pile up while it was snowing…..a real possibility?????? The ER even had their hands tied. Yes, computerized records seem wonderful, but it’s not what it’s cracked up to be.

  15. Dear ANH,
    I have a very common name used by many people when checking into motels with a person other than their own wife. I use up hours every month setting the record straight. My understanding wife died this year. I get her bills and everyone else’s. I am plagued by double and triple billing because every bill that has my name is sent to me whether it is mine or not. This has sky rocketed since the computers have arrived.
    Who said that computers would help?
    M

  16. Great article—— Something everyone better start thinking about——— I was told on this end by my Doctors that by the end of 2012 the majority will be using EMR’s.

  17. Very timely article as I have spent at least 40 hours on the phone trying to clear up info. posted on my credit reports by somebody stealing my I.D. I was fortunate that they applied early on to a company for credit that I already had & they called me to clear it up. I never understood when it changed to using our SSN as I.D. Everywhere! Doctors’ offices especially. How dumb is that?

  18. Has anyone checked Obamacare—-which I would bet requires EMRs so that DOCTORS and CARE can be controlled by the GOVERNMENT. Doesn’t that sound FANTASTIC? Since our Government cannot successfully control our money—why would we trust them with our health and records of it?
    WAKE UP AMERICA!! Protect our future and our kids!!!

  19. While EMR is opening us to new issues with privacy violations and theft, there are also excellent reasons to adopt it, and I would like to suggest that readers become better informed on this issue. What was wrong with the old system? One example: patients being put on drugs that interact or are overkill because one doctor doesn’t know what another has prescribed.
    Single-payer health insurance would solve a lot of problems, but not this one. Health care providers have to communicate with the private insurance companies in the same way. Every health care office would still have patients’ information in its own computers and paper records, ready to be stolen or misused.
    “Doctors are the problem”? Excuse me, then why do I bother serving my patients, with no office staff to help me, by personally and carefully filing their insurance claims, using a secure clearinghouse? How am I being the problem? What, do you think I’m going to go out and sell their social security numbers someplace?
    So far, the cost to set up electronic records systems has been prohibitive for solo practitioners with small practices like mine, and the systems aren’t all that great yet, so I haven’t joined the revolution. But eventually it will be as normal as the online discussion we’re having right now– for good or ill.
    Elene Gusch, DOM
    Doctor of Oriental Medicine

  20. Dear ANH
    You said:
    “Another problem is that EMRs allow state medical boards to go on “fishing expeditions” targeting integrative physicians, because they can more easily search to see what treatments the physicians are using that may be outside some arbitrarily and vaguely defined “standard of care.” ”
    I would wonder if such “arbitrary” definition is in fact designed to support Big Pharma. But we all know that….
    As for “standard of care”, I would suggest that this is medical dictatorship and not “guidelines” or “standards” as they euphemistically call them.
    Doctors need to be free to practice medicine according to their own best judgement, and in consideration of a patient’s individualized needs. It only makes sense.
    Cookie cutter approaches don’t work and may even do harm.
    “First, do no harm”……undo “standards” of medical “care” imposed by the government and its sugar daddies!

    1. PS I also have to wonder who would be interested in stealing literally millions of records? This is not the work of an individual or even of a business. It’s got to be the government itself. Who else would want to study such huge numbers?
      If I understood and remember correctly, according to the ACLU, the Patriot Act makes our private records public and the possession of the government. Let’s start with that, right there.
      The Patriot Act needs to be overturned.

      1. Aaak, correction, sorry for so many messages….
        The Patriot Act makes our private *medical* records public, unconstitutionally so. Given unilateral FBI and police arrest/seizure/subpoena powers under the Patriot Act, the same surely applies to our other private records too. All of which, at this point, are computerized and are fair game.
        “The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated; and no warrants shall issue, but upon probable cause, supported by oath or affirmation, particularly describing the place to be searched, and the person or things to be seized” —4th amendment

  21. It is good to read an article in which you discuss Calculated Risk’s cheerleading for the housing recovery without going into unwarranted vitriol. I agree that “less pressure on price declines” reflects some caution and uncertainty, and that kind of contradicts your characterization of cheerleading.
