As hospitals and other health-care providers in Kentucky and across the country are adopting electronic health records to save money and improve care, they do so at some risk. The medical files containing insurance forms, Social Security numbers and doctors’ notes of about 300,000 Californians were posted recently on the Internet, available to anyone who might stumble across them or know how to search for them. “At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American’s sensitive medical information will be digitized,” The Associated Press reports.
“When things go wrong, they can really go wrong,” said Beth Givens, director of Privacy Rights Clearinghouse, a nonprofit that tracks data breaches. “Even the most well-designed systems are not safe … This case is a good example of how the human element is the weakest link.”
Generally, data breaches are the result of hackers who break into computers or thieves who steal the actual equipment. Sometimes they can just be be caused by human error. Leaks can also happen as data passes through health industry networks. “Dozens of companies can be authorized to handle a single person’s medical records,” the AP reports. “The further away from the health care provider the records get, the flimsier the enforcement mechanisms for ensuring the data are protected.”
One of the biggest breaches was in 2006 when a laptop containing data for 26.5 million veterans was stolen from the home of a government employee. The computer was recovered. This year, hard drives containing personal information of 1.9 million Health Net insurance customers were taken. They contained health histories, financial information and Social Security numbers. The matter is still under investigation.
In the wrong hands, “health records can be used for blackmail and public humiliation,” AP notes. “The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants.”
Preventing data leaks is on the minds of Kentucky officials setting up the Kentucky Health Information Exchange, the state clearinghouse for EHRs. Participating providers have to sign several agreements in which they attest the information they obtain will be used responsibly. “The golden rule is this data will only be viewed by a provider who is providing care to a patient,” said Jeff Brady, executive director of the Governor’s Office of Electronic Health Information. To make sure that is happening, Brady said the software has an audit function, in which administrators are able to see who looks at a patient’s data, when they did, from what computer and what piece of data was examined. (Read more)