It was announced recently that nearly 5 million patient records of military personnel were stolen. There was no elaborate hacking, and no technical skill was required on the part of the thieves—some tapes containing these records were stolen from a car belonging to an employee of SAIC who was prosaically transporting them between federal facilities in San Antonio, Texas. The data included not only sensitive medical information, including prescription records, but also the names, addresses and Social Security numbers of victims.
Since September 2009, around the world, about 15 million patient records have been purloined, "mislaid," or otherwise compromised. Most famously, Stanford University Hospital recently announced that the medical records of approximately 20,000 emergency room patients had been posted on a public website for nearly a year. Within a few weeks of that announcement, a class action was filed under the California Confidentiality of Medical Information Act which, like many other state and federal statutes here and abroad, requires safeguards to ensure the privacy of such information. In answering the suit, Stanford illustrated just how many people have access to that sensitive data in the ordinary course of business. Stanford said the information had been securely transmitted to a data collection service; that the collection service had transmitted the data to a graphics company in order to prepare a visual presentation based on the data; and that an employee of the graphics company had improperly posted the information on a website—a breach which managed to go undetected for at least a year. Stanford says it acted appropriately, and intends to defend itself against the lawsuit.
However, even if your data does not get posted on a public website, lots of people can see just how much Xanax you've been taking.
In the United States there is currently a major push to digitize all patient records. Similar efforts were undertaken some years ago in the UK and in Australia. About $45 billion of stimulus money was allocated to the effort, accompanied by a persuasive case delineating its benefits: the instant availability of information to doctors, which might well save lives; the elimination of many forests' worth of paper records; the ultimate promise of very substantial cost savings; an unprecedented clarity of the information itself (in other words, who could read a doctor's handwriting anyway?); and best of all, given the state of the economy, the creation of over 200,000 jobs.
In an ideal world, one could hardly argue with the benefits of digitization. The problem is that the world is a somewhat less than ideal place.
What is happening in the United States and elsewhere is that the good news of easy access to information is running way ahead of the bad news relating to the loss of privacy about that information. Time and again it is demonstrated that corporate and government attitudes about sensitive personal information relating to individuals are, shall we say, a tad nonchalant. Details about the SAIC breach are scarce, but it sure sounds like somebody just left the tapes in an empty car all day in a public parking lot somewhere. SAIC's spokesman made an astute observation in the San Antonio Express-News that if the tapes hadn't been left in the car to begin with, they couldn't have been stolen.