Data Breach Hits Close to Home

I took some time off work last fall to spend with my wife, who had just been diagnosed with a golf-ball-sized tumor in her brain that needed to be removed. With the help of a few well-connected friends, we were privileged to have her seen by one of the top neurosurgeons in the world, a surgical ninja at The Johns Hopkins Hospital in Baltimore.

The surgery was a great success, and the wife is just fine now. She carries nary a lingering symptom, visible scar or traumatic memory from the ordeal, save perhaps for the seemingly endless stream of bills and letters from our health insurance provider.

That is, until last week, when she returned from the mailbox with a letter from the hospital alerting us that she was among some 83,000 Hopkins patients whose hospital records may have been compromised on account of a lost backup tape.

According to the letter, the lost tape contained data on new patients seen between July 4 and Dec. 18, 2006, or on patients who had changes to their demographic information during that time. Among the data stored on the tape were the patient's name, mother's maiden name, father's name, race, sex, birth and medical record number. However, Hopkins was emphatic that there was no medical or Social Security data on the tape.

I must have read the letter three times in all, and at first I was pretty alarmed. But looking back now, I must say I don't think I've ever read a more thorough breach notification. The letter explained in detail what they thought happened to the backup tape and listed a number of reasons why Hopkins believed the risk to patient privacy was low in this case (many other medical data breach notifications I've read ask you simply to accept their pat answer that there is little chance of the data being misused). The hospital created a very informative Web site for affected patients, and listed a toll-free number for people who don't have Internet access.

More importantly, the letter took the time to clearly explain what steps patients can take to protect themselves. Rather than stating merely that patients have the right to a free copy of their credit reports, the letter lists the steps consumers need to go through to get a copy of their credit report, explains what a fraud alert means, and describes how it may affect patients who later seek to obtain new lines of credit. In addition, the notification suggests patients stagger the ordering of their free credit reports from each of the credit bureaus over an entire year. Finally, the letter reminds recipients that scam artists may try to call victims pretending to offer "assistance," and that the hospital will not contact patients by telephone or e-mail, nor ask for personal information related to the incident.

The approach Hopkins took in response to this incident stands in stark contrast to the way some other health care providers have handled patient data losses of late. Two different Kaiser Permanente hospitals had lost laptops over the past nine months that endangered patient data, but I could find no Web site set up to alert affected patients about either incident, nor could I find any mention of either incident on Kaiser's news releases page.

Maybe the company was still reeling from a fine last year by the California Department of Managed Health Care, which found that Kaiser created a systems diagram Web site used as a testing portal by its IT staff that contained confidential patient information, including names, addresses, telephone numbers and lab results.

The phone number Kaiser set up for affected patients leads to a voice mailbox asking the caller to leave a message; the message promises a call back at some point. The Hopkins line explains pretty much everything in the letter, and then allows callers to speak with a real, live person at Hopkins' "identity safeguards" division.

Kaiser executives also were quoted in the press downplaying one of the incidents without any information to back up their claims. Of a stolen laptop containing patient medical records for patients in Colorado, company officials were quoted as saying that the still-missing laptop was stolen merely for its "street value," not for the data contained within it.

How reassuring.

By Brian Krebs  |  February 22, 2007; 11:45 AM ET
Categories:  From the Bunker , Safety Tips  


© 2010 The Washington Post Company