Your Medical Records May Not Be Private: ABC News Investigation

Psychiatric notes and other info can be circulated on the black market.

Sept. 13, 2012 -- You walk into the doctor's office. They lead you to a private room and shut the door. The nurse enters, writes on a chart (or maybe an iPad) and shuts the door. A doctor enters and shuts the door.

It all screams of privacy -- privacy you expect.

But what if you were to find out those medical records containing your private history, family history and medication history weren't so private after all?

Check out these tips and more at the end of this article for information on how you can protect your health records.

Julie, a lawyer from Boston, discovered that her sensitive health information was available to anyone who worked at the hospital.

"My expectation was that my records were going to be private, especially my therapy records," Julie said. "And if another doctor wanted to see my records, they'd ask me and then I'd give my authorization for them to view my records if they needed to see them."

Julie, who requested her last name not be used, was diagnosed with bipolar disorder in her late teens and began seeing a psychiatrist in 2002 after speaking with her primary care physician.

She, like millions of Americans, thought her conversations with her psychiatrist were confidential.

"I thought I had protection under HIPAA (the Health Insurance Portability and Accountability Act) for my psychotherapy notes to be private and I thought only my psychiatrist could see those," the 42-year-old said, adding that she noticed over the years her physician started entering them electronically.

What she didn't realize was that her physician's notes could be accessed by doctors and other health-care providers who worked in the same health-care system (6,000 doctors and nine affiliated hospitals) -- information she learned after going to see an on-call physician for a stomach issue and realizing he knew about intimate relationship information she had disclosed only to her psychiatrist.

Concerned, she requested a copy of her medical records from the health care system.

Within those records she saw every note, every meeting, every conversation she had with her psychiatrist.

"It was pretty traumatic because I felt that, you know, this man read without -- against my wishes -- without my consent," Julie said. "He read private information that I disclosed to a therapist that I didn't even tell my best friends about."

Medical Records Online

And while most hospitals have rules about who may access medical records, compliance for the most part is not strictly regulated.

In fact, an ABC News investigation found that medical information is often so unprotected that millions of records can be bought online. Because so many people have access, the entire system is vulnerable to theft, experts told ABC News.

To see exactly how easy it was to find medical records online, ABC News enlisted the help of IT specialist Greg Porter, a consultant with Allegheny Digital.

"This isn't very sophisticated," Porter said. "If you can use a Web browser and you can search to www.google.com, you can begin to try and obtain some of this information."

With two clicks of a mouse, Porter found somebody willing to sell a data dump of diabetic patients with information including their names, birth dates and who their insurance provider was, among other details. Another seller offered 100,000 records of customers who purchased health insurance in the last three to 12 months.

"Typically, what we find are things like first name, last name, address, medical condition, whether they were a smoker, diabetic patient, perhaps even as intensive as, or invasive as whether they are HIV-positive or not," Porter said. "Some of the most intimate information about all of us potentially could be revealed if appropriate safeguards aren't put in place."

How Does It Get Out?

Many of the breaches occur through theft or hacking of a computer that contains medical records, loss of the records or unknown reasons.

Security professionals are seeing an increase in theft via the "insider threat," Porter said.

"It's a depressed global economy," Porter added.

Thieves might approach medical staff and offer upward of $500 per week for providing 20 to 25 insurance claim forms, medical records or health financing records, Porter said. Those documents fall under HIPAA security rules and are considered protected health information.

In June, a hospital medical technician at Howard University pleaded guilty to selling patient information, including names, birth dates and Medicare numbers, for $500 to $800 per transaction for more than a year.

In August, a hospital employee at Florida Hospital Celebration was arrested for accessing more than 700,000 patient records in two years.

According to the FBI, Dale Munroe accessed car accident victims' data and sold it to someone who passed it on to chiropractors and attorneys.

And this week, the University of Miami Health System said that two workers had "inappropriately" accessed patient data and "may have sold the information to a third party."

On the black market, "health information is far more valuable than Social Security numbers," said Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights.

ABC News' searches found one seller offering database dumps for $14 to $25 per person. After a quick email inquiry into the sale of records, ABC News was sent, unsolicited, 40 individuals' private health information, including their names, addresses and body mass index.

Another inquiry yielded an offer of more than 100 records that, if purchased, would have included everything from Social Security numbers to whether someone suffered from anxiety or hypertension, or even their HIV status.

ABC News contacted patients from one of the lists to see if they knew their information was being sold over the Internet and if they had consented.

One victim named Rafael said he had not "recalled" giving anyone permission to sell his information.

"I'm appalled, I'm disgusted and I'm very much concerned," Rafael said. "Who's giving out my personal information like that? I thought there were security and safeguards for these things. I thought … your medical records are confidential."

Who Uses This Information?

Purchasers of private medical information could use it for medical fraud.

More than 50 million people in the United States didn't have health insurance as of 2010, according to the U.S. census. That has led to a surge in medical identity theft as a means of obtaining medical care, Porter said.

However, corporations, including pharmacies, drug manufacturers, insurance companies and even hospitals, also might purchase the medical information.

Pharmaceutical companies often use it to better target their consumer, Porter said.

"They've spent years of research and development looking for a particular product to treat a certain patient condition -- diabetes, for example," Porter said. "So they would have an interest in knowing, perhaps, who some of these patients are. Why? So maybe they can customize some marketing efforts and some detailing specific to that patient demographic to help sell their medication, ultimately."

While some insurance companies might not seem like a target for the sales because people may assume they have the information, many health insurance companies try to purchase an individual's past health information to determine the premium to charge and whether to even provide coverage, multiple sources said.

Some hospitals use the information to help target expensive and new treatments via direct mail, sources added, and are also buying the data to try and gain a better picture of local residents.

"They've had to comply with HIPAA legislation and the HIPAA privacy act since 2004," Porter said. "And [they've also had to deal with] the HIPAA security rule, we're talking about PHI (personal health information), and digital format since 2005. So this is coming up on seven years and we're still seeing the escalation of these breaches."

Widespread Data Breaches

According to the HHS Health Information Privacy Tool, there were at least 78 breaches so far this year affecting 500 or more individuals, many affecting thousands, some tens of thousands.

Known to those in the health IT world as the "Wall of Shame," the HHS site lists more than 21 million individuals who have been victims to date.

The Privacy Rights Clearinghouse found more than 130 breaches so far in 2012 -- breaches affecting any number of individuals.

Its website notes a breach affecting 102 individuals occurred recently and that "an employee was fired after an investigation revealed that patient records were accessed without legitimate cause."

"It does certainly speak to a lot of organizations struggling with how to effectively assess risk to medical records and how to adequately protect it," Porter said.

In the meantime, for Julie and Americans throughout the country, that is the way the system works.

A Fix?

However, Peel believes ways to fix the privacy vulnerabilities are available.

"Technologies exist today to allow you to selectively share parts of your record that are relevant on a need-to-know basis with your other physicians and no one else, but we don't have those technologies in wide use," she said.

For Julie, privacy is a battle she continues to fight.

"I asked … please restrict the records and of course they said 'No,'" she said.

"Let me also assure you that our physicians and other staff access information on a strictly 'need to know' basis and as such, we do not restrict access to clinical information from any department or physician," the hospital told her. "I take your concerns very seriously and understand your need for privacy with your psychiatric records. Sometimes it can be a challenge to balance access to records for patient care purposes with the need for privacy."

Since discovering her records were available to the whole health system, Julie has stopped seeking care out of concerns for her privacy.

In a response to ABC News, that hospital system, which ABC News is not naming, said: "Sharing of information among providers who are treating the same patient is in compliance with federal law and is described in the privacy notice given to every patient at the beginning of treatment by the hospital.

"The sequestering of critical mental health data in electronic health records relevant to the patient's safety (e.g., psychosis, addiction, suicidality) may pose hazards to the patient that are no less significant than would be incurred by the sequestering of vital physical health data such as the existence of drug allergies, hypertension, diabetes or a history of cardiac arrhythmias.

"Stigma surrounding mental illness continues to exist within and outside of our health care system," the hospital added. "Unilaterally separating important clinical information about a patient's psychiatric treatment from other confidential information about that patient's medical care only works to reinforce that stigma."

Julie, however, disagreed, saying that while she recognized certain circumstances where her other doctors may need access to certain records such as medications she takes and dosages, they do not need to know what she discloses on a weekly basis to her therapist.

"You know I talked about problems in my family," she said. "I talked about things like … I wasn't talking to my mother. That was all in the therapy notes, for example."
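The policy Julie describes (medications and dosages visible to any treating clinician, weekly therapy notes not) and the kind of audit that catches bulk browsing like the Florida Hospital case above can both be made concrete in code. The following is an added example written for this article, not code from any hospital system, from Patient Privacy Rights or from the Patient Privacy Toolkit; the record categories, roles, user and patient identifiers, consent model and the 25-patient review threshold are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed policy: safety-critical data is visible to anyone with a
# treatment relationship; restricted categories need the treating
# psychiatrist or explicit, per-category patient consent.
SAFETY_CRITICAL = {"medications", "allergies", "problem_list"}
RESTRICTED = {"psychotherapy_notes"}
CLINICAL_ROLES = {"physician", "psychiatrist", "nurse"}


@dataclass
class Clinician:
    user_id: str
    role: str


@dataclass
class Patient:
    patient_id: str
    treating: set = field(default_factory=set)   # user_ids with a treatment relationship
    consents: dict = field(default_factory=dict)  # category -> set of user_ids the patient approved


@dataclass
class AccessEvent:
    user_id: str
    patient_id: str
    category: str
    allowed: bool
    reason: str


def authorize(clinician: Clinician, patient: Patient, category: str, audit: list) -> bool:
    """Decide one record access and append the decision to the audit trail."""
    treating = clinician.user_id in patient.treating
    consented = clinician.user_id in patient.consents.get(category, set())
    if category in RESTRICTED:
        if clinician.role == "psychiatrist" and treating:
            allowed, reason = True, "treating psychiatrist"
        elif consented:
            allowed, reason = True, "patient consent on file"
        else:
            allowed, reason = False, "restricted category, no consent"
    elif not treating:
        allowed, reason = False, "no treatment relationship"
    elif clinician.role not in CLINICAL_ROLES:
        allowed, reason = False, "role not clinical"
    else:
        allowed, reason = True, "treatment relationship"
    audit.append(AccessEvent(clinician.user_id, patient.patient_id, category, allowed, reason))
    return allowed


def flag_suspicious_users(audit: list, patients: dict, max_distinct: int = 25) -> dict:
    """Review the audit trail: users who touched records of patients they do not
    treat, or who read more distinct patients than the review threshold."""
    distinct = defaultdict(set)
    no_relationship = defaultdict(int)
    for ev in audit:
        distinct[ev.user_id].add(ev.patient_id)
        if ev.user_id not in patients[ev.patient_id].treating:
            no_relationship[ev.user_id] += 1
    flagged = {}
    for user, pids in distinct.items():
        reasons = []
        if len(pids) > max_distinct:
            reasons.append(f"{len(pids)} distinct patients")
        if no_relationship[user]:
            reasons.append(f"{no_relationship[user]} accesses without treatment relationship")
        if reasons:
            flagged[user] = reasons
    return flagged


def demo() -> dict:
    """Constructed scenario: a treating psychiatrist, an on-call physician,
    and a technician browsing 40 unrelated patients' records in bulk."""
    psychiatrist = Clinician("dr_a", "psychiatrist")
    oncall = Clinician("dr_b", "physician")
    tech = Clinician("tech_c", "technician")
    julie = Patient("p-0001", treating={"dr_a", "dr_b"})
    patients = {"p-0001": julie}
    patients.update({f"p-{i:04d}": Patient(f"p-{i:04d}") for i in range(2, 42)})
    audit: list = []
    results = {
        "psychiatrist_notes": authorize(psychiatrist, julie, "psychotherapy_notes", audit),
        "oncall_notes": authorize(oncall, julie, "psychotherapy_notes", audit),
        "oncall_medications": authorize(oncall, julie, "medications", audit),
    }
    for pid in list(patients)[1:]:  # the technician has no relationship with any of them
        authorize(tech, patients[pid], "problem_list", audit)
    results["flagged"] = flag_suspicious_users(audit, patients)
    return results


if __name__ == "__main__":
    print(demo())
```

The on-call physician is granted the medication list but refused the therapy notes, and the technician's 40 denied reads still appear in the audit trail, which is what lets the review step single that account out. Denied accesses are deliberately logged alongside allowed ones; an audit that records only successes cannot show an investigator that someone kept trying.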

In sharing her story, Julie wanted to come forward for those who couldn't.

"The difference in this situation is I actually chose to come here and I actually chose what I'm gonna say and what I'm not gonna say; but when my medical information is available to everybody, I don't have that decision," she said. "Somebody else is making that decision for me and that really makes me feel violated. So that's why I'm here: Because I think it's a really big problem and I wanted to do something about it."

The Patient Privacy Toolkit offers helpful tools to help people make sure that their medical records remain confidential and don't end up for sale on the Internet. Below are just some of the forms and information one can find on the site:

Consent Forms are signed by both patient and health-care provider and clearly state that written permission must be obtained before any information is shared.

The Opt Out of AMA Database statement requests the signature of a physician agreeing not to include a patient's prescription information in the American Medical Association's database.

Manage Your Consent helps a patient keep track -- with the use of a checklist -- which doctors have signed consent forms.

The following sites also provide useful information:

Privacy Rights Clearinghouse: Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic

The HHS privacy principles fact sheets