PRIVACY, OR LACK THEREOF
Providence Bares Patients’ All In Records Theft
By Dan Richardson, 1-26-06
In what must rank among the top (bottom?) examples of corporate jack-assery, Providence health group has lost medical records for 365,000 patients.
Or, rather, 365,000 Oregonians and Washingtonians have lost their medical records — and, in many cases, their Social Security numbers and other identity information — to a thief, who stole a set of backup computer disks. Unencrypted disks. From a Portland-area Providence employee's car. Which was left unsecured in a driveway. Overnight.
Now, we're talking medical records. The results of your STD test, your pap smear, your prostate exam. But don't worry, says Providence, this only affects patients who received home services from Providence... which means, only the ones who needed in-home help. The most vulnerable, in other words.
Providence runs several Northwest hospitals, including the one here in Hood River. (One might ask, how? given that their execs and techs flubbed up something as essential as medical record privacy.)
There's no evidence that identity thieves have yet begun to use the information to impersonate or defraud people. Of course, that evidence might be easier to come by if the Clackamas County Sheriff's Office hadn't had to suspend its investigation of the theft due to lack of evidence from the scene. Or if Providence officials had come clean sooner — the theft happened a month ago, and word was released just this week.
The records could be in a landfill somewhere by now. Or in the hands of some meth-head ID thief who knows just what to do with them.
Providence officials say they make backup medical records in case of system failures and emergencies. Fair enough. But why not simply make backup disks, walk them down the hall to a second office, and place them in a fireproof safe? That keeps, no would keep records secure, separated and backed up. Why, why, why have a policy of sending records home with one of the office dunces?!
Unencrypted records?!
"What we didn't do was evaluate the practice of taking it home. That's where we fell short," Rick Cagen, Oregon regional CEO for Providence, told The Oregonian.
Didn't evaluate? How much evaluation does keeping the medical records secure take? That's not lack of evaluation, it's just plain old-fashioned stupid. Thoughtless. Cavalier.
You can bet that if Cagen had a disk with his personal financial information, Social Security number, or bed-wetting habits, mental health treatments, you-name-it — in other words, his medical record — he and other officials wouldn't have to evaluate whether it's a good idea to send the disk home with some employee.
Electronic medical records are all the rage in the medical community. They're supposed to be more efficient and effective than paper records. But here's the thing: No one's going to lose 365 folders of paper records, let alone 365,0000. Electronic records don't just make things easier — listen up, Cagen and company — they create an added ethical burden, because they're easily lost if placed on handy disks.
Providence needs to fire somebody, and make somebody else accountable for basic records security. Buy that safe, gentlemen. Encrypt your records. Keep them someplace more secure than a glove box. You see, "First, do no harm," doesn't just apply to physicians, but to all of you who work to help heal people. Even the guys in suits, and their office dunces. Well, you've done harm, or let it be done, and undoing it will be a tough duty, indeed.
Like this story? Get more! Sign up for our free newsletters.
Comments
Add your comment below
1. It's rather cowardly to call names when one remains anonymous. But thanks for the thought.
2. The article states, at the very top, that this was an error involving home health services. Furthermore, I took pains to point up the ladder, to the chief executives. ... Indeed, it takes a bit of insecurity to read criticism of them as a blanket indictment of all 50,000 Providence employees. I mean, really!
3. So let me say once and clearly: Providence, as a system, does a fine job delivering medical care; and, what's more, the staff acts -- again, in my experience -- with a certain admirable professionalism. At least, that's true of the several I have known from among the 50,000.
4. I'm happy to hear that IT and, I presume security, standards are higher "within Providence mainstream" than with the folks who let this breach happen. That said, here's an honest question you may be able to answer: Doesn't the sheer volume of records lost argue that home health is not exactly a rogue division?
5. Another question for you: Without compromising your security, perhaps you can tell us -- what are your basic backup and security procedures for electronic medical records?
6. Finally, I stand by the jack-assery bit. Yeah, it's snarky; it's not what you'll read in The Oregonian. But it's also true. Medical records should be handled with utmost security -- and they weren't. Remember what reputable journalism does: It comforts the afflicted and/or afflicts the comfortable. I'd say some folks there were too damn comfortable, cavalier and complacent. Let 'em take some heat.
Dan
I just saw a news report about the Providence fiasco, and I find this to be the height of irony:
Providence will not disclose what, if any, disciplinary action has been taken against the employee who lost the records. WTF? The dumbass who failed to protect the security of my records, along with the records of 364,999 others, is having his or her confidentiality respected. It must be nice.
It was a him, and he didn't call the police until 2-1/2 hours after it was discovered. Yep. 2-1/2 HOURS after he discovered it, according to the police report. The web site http://www.providenceidentitytheft.com has the police report if you want to read it.
Also of interest - the police report noted a lack of concern on the part of the employee about the theft of the data. So did the private investigator that Providence hired. Hummm, if it had been HIS data he might feel otherwise.
Good luck to all.