<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://community.advanceweb.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>ADVANCE Perspective: HIM : identity theft</title><link>http://community.advanceweb.com/blogs/hi_1/archive/tags/identity+theft/default.aspx</link><description>Tags: identity theft</description><dc:language>en</dc:language><generator>CommunityServer 2.1 SP2 (Debug Build: 61120.2)</generator><item><title>Just a Little Bit of History Repeating </title><link>http://community.advanceweb.com/blogs/hi_1/archive/2008/10/01/just-a-little-bit-of-history-repeating.aspx</link><pubDate>Wed, 01 Oct 2008 11:29:00 GMT</pubDate><guid isPermaLink="false">06d5312c-37b9-406e-be84-460d8d21f4fc:32049</guid><dc:creator>Lynn Jusinski</dc:creator><slash:comments>0</slash:comments><comments>http://community.advanceweb.com/blogs/hi_1/comments/32049.aspx</comments><wfw:commentRss>http://community.advanceweb.com/blogs/hi_1/commentrss.aspx?PostID=32049</wfw:commentRss><description>OK, so maybe it's not exactly the same story, but it's pretty darn close. In &lt;A href="http://health-information.advanceweb.com/Editorial/Search/AViewer.aspx?AN=HI_08sep8_hip18.html&amp;amp;AD=09-08-2008"&gt;a recent article&lt;/A&gt; I did, I talked to Marne Gordan, GRC market manager for Armonk, NY-based IBM Tivoli Software, and I asked her if a situation like &lt;A href="http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2004/03/28/MNGFS3080R264.DTL"&gt;the Lubna Baloch case&lt;/A&gt; could happen again. Absolutely, Gordan said, and sure enough, a similar case recently played out at Grady Memorial Hospital, Atlanta, GA. 
&lt;P&gt;The main point of my article was to stress the importance of following the chain of custody when it comes to outsourcing. Know where your data is, and know who is working on it. If you allow for subcontractors in your contract, be sure that you know who they are and that they know your requirements when it comes to patient privacy. &lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.ajc.com/gwinnett/content/metro/atlanta/stories/2008/09/23/grady_data_breach.html"&gt;At Grady&lt;/A&gt;, a doctor decided to type his own name into Google (come on, we've all done it). He found a bit more than he might've expected: his patients' health information, right there on the Internet.&lt;/P&gt;
&lt;P&gt;A few months ago, &lt;A href="http://www.ajc.com/metro/content/metro/atlanta/stories/2008/07/25/grady_records_theft.html"&gt;Grady knew of the breach&lt;/A&gt;, but wasn't sure exactly what had happened, and officials said that data may have been stolen. The story became clearer last week, when Grady officials noted that hackers hadn't taken the data of 45 patients; rather, it was an unsteady chain of command that led to the health information being featured on the Internet. The posted data didn't include Social Security numbers, patients' addresses or financial information. &lt;/P&gt;
&lt;P&gt;The breach, like the Lubna Baloch incident, came down to transcription. Grady's notes were transcribed by Metro Transcribing Inc., which in turn sent the work to Renee Lella, a Nevada contractor. Lella then sent the work overseas to Primetech Infosystems in India. The Internet site that that firm posted information to was thought to be completely secure; however, the information from the records was freely available on the Internet, where they were posted for a few weeks, according to &lt;I&gt;&lt;A href="http://www.ajc.com/gwinnett/content/metro/atlanta/stories/2008/09/23/grady_data_breach.html"&gt;The Atlanta Journal-Constitution&lt;/A&gt;&lt;/I&gt;. &lt;/P&gt;
&lt;P&gt;After the breach, there's always the period of reflection on what could have/should have been done. On the &lt;A href="http://www.xlemr.com/b2evolution/blogs/index.php"&gt;XLEMR blog&lt;/A&gt;, the writer mused that smaller practices would probably not be vulnerable to this type of breach because of a lack of online data, and noted that care when outsourcing is the final lesson from the breach. &lt;/P&gt;
&lt;P&gt;On the &lt;A href="http://ducknetweb.blogspot.com/2008/09/human-error-to-blame-for-grady-data.html"&gt;Medical Quack site&lt;/A&gt;, Barbara Duck writes that the breach may mean it's a good time to look to speech recognition soon. "At least that way it is all kept on local servers, but then you have to train physicians how to use it, but some hospitals are doing great and the military is also a big user of speech recognition and it will save money too," Duck wrote. &lt;/P&gt;
&lt;P&gt;According to the &lt;A href="http://www.alertboot.com/blog/blogs/endpoint_security/archive/2008/07/29/file-encryption-could-have-helped-grady-memorial-hospital-to-protect-voice-files.aspx"&gt;AlertBoot blog&lt;/A&gt;, the whole breach could've been avoided if file encryption was used. This isn't really a surprise, as it's a vendor site, and the blog is from a few months ago, when the whole story wasn't really out yet. Even &lt;A href="http://www.idtheftquiz.org/blog/grady-memorial-hospital-data-breach"&gt;LifeLock&lt;/A&gt; (yes, the guy who puts his Social Security number on trucks and whatnot and has only had his ID stolen, um, &lt;A href="http://www.cnn.com/2008/CRIME/05/22/lifelock.flap.ap/index.html"&gt;a few times&lt;/A&gt;), is in on commenting on the breach. LifeLock uses the breach as an example of (of course) how LifeLock can help you (and after reading the blog, I'm still not sure about that one).&lt;/P&gt;
&lt;P&gt;I'm not pitching any wares or anything, and I believe it comes down to contract management, like Gordan preached when I interviewed her. Hopefully, Grady had good contract management in place, and as the blame is doled out, Grady might have had an excellent contract, and the outsourcing firms may have slipped up. I found &lt;A href="http://forum.gov.ph/thread.asp?rootID=190000&amp;amp;catID=29"&gt;this&lt;/A&gt; online: the Nevada contractor involved in the breach advertising for experienced MTs on The Official Website of the Republic of the Philippines. The responses that she received might make some MTs just a bit queasy, all misspellings and poor grammar.&lt;/P&gt;
&lt;P&gt;No matter how it pans out or who is eventually blamed for the breach, one thing is unfortunately certain: this probably isn't the last time an incident like this happens. I'd like to hear your thoughts. &lt;/P&gt;</description><category domain="http://community.advanceweb.com/blogs/hi_1/archive/tags/Medical+Transcription+/default.aspx">Medical Transcription </category><category domain="http://community.advanceweb.com/blogs/hi_1/archive/tags/HIM+in+the+News+/default.aspx">HIM in the News </category><category domain="http://community.advanceweb.com/blogs/hi_1/archive/tags/patient+privacy/default.aspx">patient privacy</category><category domain="http://community.advanceweb.com/blogs/hi_1/archive/tags/identity+theft/default.aspx">identity theft</category></item><item><title>No Laughing Matter</title><link>http://community.advanceweb.com/blogs/hi_1/archive/2008/09/17/no-laughing-matter.aspx</link><pubDate>Wed, 17 Sep 2008 14:49:00 GMT</pubDate><guid isPermaLink="false">06d5312c-37b9-406e-be84-460d8d21f4fc:31751</guid><dc:creator>Cheryl McEvoy</dc:creator><slash:comments>0</slash:comments><comments>http://community.advanceweb.com/blogs/hi_1/comments/31751.aspx</comments><wfw:commentRss>http://community.advanceweb.com/blogs/hi_1/commentrss.aspx?PostID=31751</wfw:commentRss><description>&lt;P&gt;Two car salesmen, a politician and a hospital staffer walk into a bank. Sounds like the start of a lame stand-up act, but for some Virginia residents, there's no punch-line. According to &lt;EM&gt;&lt;A href="http://hamptonroads.com/2008/09/emergency-room-clerk-pleads-guilty-identity-theft-patient"&gt;The Virginian-Pilot,&lt;/A&gt;&lt;/EM&gt; police recently busted six people, including a hospital registrar, for identity theft after they allegedly used stolen information to pocket money from the Navy Federal Credit Union.&lt;/P&gt;
&lt;P&gt;The emergency room registrar pleaded guilty to stealing information from patients' medical records, which was then used to acquire $61,000 in car loans. The cars didn't exist; instead, the money padded wallets. &lt;/P&gt;
&lt;P&gt;The hospital's monitoring program captured the registrar's suspicious activity, albeit after 6 months, as records showed that the registrar was frequently viewing private information without making any updates. Two points for security measures. &lt;/P&gt;
&lt;P&gt;Hospital officials also responded to the breach by offering free credit monitoring to any patients whose identities were compromised. It may do little to ease the creepy invasion of privacy, but it's a pretty good response. As for the politician's (OK, neighborhood association leader's) victims, where will they sign up for reparations? Will the association shell out the cash for credit monitoring? If not, the joke might just be on them.&lt;/P&gt;</description><category domain="http://community.advanceweb.com/blogs/hi_1/archive/tags/Health+Information+Management/default.aspx">Health Information Management</category><category domain="http://community.advanceweb.com/blogs/hi_1/archive/tags/identity+theft/default.aspx">identity theft</category></item></channel></rss>