March 29, 2024

Breaches Lead to Push to Protect Medical Data

Such lapses, frightening to consumers, could impede the Obama administration’s effort to shift the nation to electronic health care records.

“People need to be assured that their health records are secure and private,” Kathleen Sebelius, secretary of health and human services, said in an interview by phone. “I feel equally strongly that conversion to electronic health records may be one of the most transformative issues in the delivery of health care, lowering medical errors, reducing costs and helping to improve the quality of outcomes.”

So the administration is making new efforts to enforce existing rules about medical privacy and security. But some health care experts wonder if the current rules are enough or whether stronger laws are needed, for example making it a crime for someone to use information obtained improperly.

“The consequences of breaches matter,” conceded Dr. Farzad Mostashari, a former New York public hospitals official who recently became the Obama administration’s national coordinator for health information technology. “People say they are afraid that if their private information becomes known, they may not be able to get health insurance.”

In the last two years, personal medical records of at least 7.8 million people have been improperly exposed, according to government data. One particularly egregious case involved information about 1.7 million patients, staff members, contractors and suppliers of Bronx hospitals and clinics operated by the Health and Hospitals Corporation, the New York public health agency. Their electronic files were stolen from an unlocked van belonging to a record management company.

The affected patients got the disquieting news that their medical and personal information, like Social Security numbers, had been violated when their health care providers notified them under federal rules.

Showing just how lax security can be, the inspector general of the Department of Health and Human Services said two weeks ago that the agency had found dozens of vulnerabilities in systems to protect records of patients at seven large hospitals in New York, California, Illinois, Texas, Massachusetts, Georgia and Missouri. Auditors cited such problems as personal information that was not encrypted and was stored on computers that could be easily used by unauthorized users.

Auditing teams are now inspecting eight more hospitals, said Lori Pilcher, an assistant inspector general at Health and Human Services. The hospitals are not being identified to avoid alerting hackers, she said.

Another big breach was reported in March on the official Web site by Health Net, a California-based insurance company, which notified 1.9 million health plan members that records with their personal information were missing.

Health Net said I.B.M., which was managing its information system, told the insurer that the records could not be found.

“The health care industry is not as vigilant as they should be about protecting private information in a patient’s medical records,” said Representative Joe L. Barton, a Texas Republican who is co-chairman of the Bipartisan Privacy Caucus in the House.

Mr. Barton knows from personal experience. His own records after a heart attack, along with several thousand others from a research project at the National Institutes of Health, were “on a disk in a laptop in somebody’s trunk that disappeared,” he recalled. “I was stunned.”

The Obama administration has levied a string of stringent penalties for egregious violations of patient rights under the most commonly cited law, the Health Insurance Portability and Accountability Act, or HIPAA, of 1996. Health information is supposed to stay private under those rules, but research has shown that it is not that difficult to connect names and addresses to nominally anonymous data with Internet searches and computerized matchups.

Article source: http://feeds.nytimes.com/click.phdo?i=6a28ff2dd99ebb8042a1cc5aa0b1dc02