A contractor's enquiry on a public homework assistance Web site leaked medical records of 20,000 patients of Stanford University hospital last month.
The compromised information belongs to the patients who visited the hospital emergency room in 2009.
The hospital was informed about the breach on Aug. 22. The detailed spreadsheet included names, diagnosis codes, bank account numbers, dates of admission and discharge, and billing charges. Social Security numbers and credit card accounts, however, were not exposed.
Although the hospital launched a quick investigation to determine how the leak happened, the incident raises concern about the security of patient information in the U.S., as many similar patient information breaches have taken place in recent times.
Austin Center for Therapy and Assessment Breach, 2011
A Texas-based psychology center reportedly lost a laptop containing the names, addresses, Social Security numbers and treatment information of 1,870 clients. The incident took place on Sept. 8. No one has been charged in the preliminary investigation.
Henry Ford, 2010
Patient information of the Detroit-based Henry Ford Health System was leaked in 2010. The data, stolen from a laptop, included the name, medical record number, date of birth, mailing and e-mail addresses, telephone number, treatment and doctor visits of patients seen for prostate treatment between 1997 and 2008.
The data, however, did not contain information about the Social Security numbers or health insurance identification numbers.
Griffin Hospital, 2010
A similar incident took place in 2010 at Griffin Hospital, when the information of 957 patients was leaked by a former hospital staff member.
California Department of Healthcare Services, 2010
Nearly 50,000 of California's most vulnerable healthcare recipients lost their privacy due to a mistake made in the mail labeling. Social Security numbers of all the recipients were printed on address labels used in a mass mailing.
AvMed, Inc. 2009
According to HHS, a laptop theft from AvMed exposed the information of about 1,200,000 current and former subscribers, as well as their dependents. The personal information included names, addresses, phone numbers, Social Security numbers and protected health information.
North Bronx Healthcare Network, 2009
About 1.7 million New York City patients, staff members and others affiliated with four Bronx hospitals lost their confidential health data when thieves robbed the hospital's van containing all these important health records.
BlueCross BlueShield Tennessee, 2009
Approximately 1,023,209 members were affected by the breach. The theft of a computer hard drive cost the patients their Social Security numbers, birth dates and diagnostic codes.
Kaiser Hospital, 2009
Kaiser was the first hospital to face a monetary penalty for breaching patient information. It had to pay a fine of $250,000. This was the outcome of a law enacted in 2008 after the much-publicized breach of privacy at the UCLA Medical Center involving Britney Spears, Maria Shriver and other celebrities.
Of the 314 patient information breaches listed on the Web site of the U.S. Department of Health and Human Services (HHS), most are either laptop thefts or IT breaches.
U.S. Regulations to Control Patient Information Breach
There are a few regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which ensure federal protection for personal health information and provide patients with a range of rights with respect to that information.
As part of the American Recovery and Reinvestment Act of 2009, the HITECH Act was enacted to address privacy and security concerns related to the electronic transmission of health information.
In spite of these regulations, almost 10 million patients were affected by information breaches in 2009, HHS reported. The 2010 Data Breach Investigations Report, conducted by the Verizon Business RISK team in cooperation with the United States Secret Service, revealed that 70 percent of breaches involved data theft by outsiders, whereas 48 percent involved insiders.
Forty-eight percent of breaches involved misuse, whereas hacking played a pivotal role in 40 percent of cases. Factors such as weak or stolen credentials, malware, SQL injection and data-capturing also play a major role in exposing patients' private information.
Educating hospital staff about the necessity and significance of keeping patients' data secure might improve the situation, experts believe. Adopting better technological controls and following a few necessary steps, such as deleting unnecessary data, ensuring access controls, checking web applications and auditing user accounts, can also help protect patient data from future breaches.