Insecure Private Health Information

Another post from Ken Pope’s listserv on the problem of your insecure private data:

This morning’s *Health Leaders* includes an article: “Data Security
Inadequate at 71% of Hospitals” by Dom Nicastro.

Here are some excerpts:

[begin excerpts]

The HITECH Act has been under recent scrutiny for not improving the
safety of patient records, according to research from The Ponemon Institute.

For 65 hospitals mostly in the 100- to 600-bed range, 71% of respondents
say they have inadequate resources to prevent and quickly detect patient
data loss.

The same percentage of respondents say federal regulations like HITECH
have not improved the safety of patient records, research from the
“Benchmark Study on Patient Privacy and Data Securty” conveys.

Hospitals say that protecting patient data is not a top priority (70%)

Most at risk is patient billing information and medical records, which
is not being protected

Patients are typically first to detect a significant number of breaches
at healthcare organizations (41%)

[end excerpts]

You Are Digitally Insecure with Your Health Insurance

Here’s another example of serious privacy breach by an insurance company. It appears that many of these companies are just not that technically savvy, nevertheless they frequently put your information in digital format. Great advantage of that format: Easy to move around, replicate, access. Great weakness? Easy to move around, replicate, access.

Again, this is of particular concern for healthcare providers as well as patients/clients. Possibly more so with those in psychotherapy, since there remains unfortunate stigma attached with treatment for emotional problems or mental illness.

Ken Pope’s entire post on the matter, here:

*Information Week* includes an article: “Indiana AG Sues Wellpoint Over
Health Data Breach; Consumer health data was at risk for 137 days
through an unsecured Wellpoint website, alleges the suit filed against
the health insurer” by Marianne Kolbasuk McGee.

Here are some excerpts:

[begin excerpts]

Indiana’s attorney general office has filed suit against health insurer
Wellpoint for delaying notification of customers of a data breach
earlier this year.

Indiana law requires businesses to notify individuals potentially
affected by data breaches, as well as the attorney general’s office
“without reasonable delay,” according to a statement by Indiana AG Greg
Zoeller’s office.

However, the AG office alleges that data, including social security
numbers, health records, and financial information for about 32,000
Indiana consumers were potentially available to the general public
through an unsecured Wellpoint website for about 137 days, between
October 2009 and March 2010.

The data was submitted to Wellpoint from applicants seeking insurance

The AG office alleges that while Wellpoint was notified on February 22
and March 8 of this year that application records containing personal
information was accessible from its public website, Wellpoint didn’t
begin notifying individuals about the security breach until June 18, 2010.

In a statement from Wellpoint sent to InformationWeek in response to
seeking comment, the company said, “Anthem Blue Cross and Blue Shield is
committed to protecting the privacy and security of our members’ and
applicants’ personal information, in accordance with all applicable laws
and regulations.”

Anthem Blue Cross and Blue Shield is Wellpoint’s operations serving
several states, including Indiana, Colorado, Connecticut and Maine.

[end excerpts]

How Private Is Your Private Health Information?

Insurance companies have a lot of information on you, regulators call it Personal Health Information, or PHI. This information is now frequently digitized, which helps greatly in making records easy to access. It also means data is, from time to time, lost. Ken Pope, on his email mailing list, regularly posts on the topic of lost private data.

The sensitivity of private data is one reason many therapists opt out of taking insurance. A diagnosis can follow one around for years, potentially being labeled as a pre-existing condition leading to non-coverage. Private information can become less than private.

Here’s one of his posts, from October 20, 2010:

Today’s *Philadelphia Inquirer* includes an article: “Health insurers
say data on 280,000 Pennsylvania clients may be compromised” by Jane M.
Von Bergen.

Here are some excerpts:

[begin excerpts]

Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan said
Tuesday that a portable computer drive containing the names, addresses,
and health information of 280,000 Medicaid members in Pennsylvania has
been lost.

The affiliated companies together insure 400,000 people on medical
assistance in Pennsylvania.

Also stored on the drive were the last four digits of 801 members’
Social Security numbers, plus complete Social Security numbers for seven

“We deeply regret this unfortunate incident,” said the affiliates’
president, Jay Feldstein, in a statement released by the insurers.

“We take our responsibilities for safeguarding personal health
information very seriously.”

The insurers did not respond to numerous requests for information,
including questions about when and where the incident took place,
whether any complaints have been received, and which regulatory agencies
have been notified.

[end excerpts]