Security Breach at Stanford Hospital - Patient Found it - Not the Fault of the Medical Records System but Rather a Careless 3rd
Posted Sep 08 2011 9:54pm
This is important to note: this time it was not the university or its IT systems, but rather a spreadsheet from the ER that was to be used by the 3rd party, Multi-Specialty Collection Services, for analytics purposes. We all know how medical billing gets analyzed by many 3rd parties, some of which are even owned by insurance companies as subsidiaries. This one does not appear to be.
I can imagine the patient was not happy to find this spreadsheet on the web, and the fact that it had been there over a year is not good. Web searches are getting so good with their algorithms today that many breaches are being located just by doing a simple search. There are services that monitor the web for items like this, but that doesn’t mean they are 100% effective; something can still slip under the radar here and there. Still, the services are worth it. Needless to say, the 3rd party is history with Stanford now, and all affected patients will get the customary free credit services.
One more note: with all the behavioral analytics going on today, and with patient data being run through predictive algorithms, this can get very sticky. One patient noted here that her son had this happen, and his data was compared against certain parameters for mental illness. With all of this going on, someone who is digitally illiterate could misinterpret the data, and the person could very well be tagged as having mental illness in their background when in fact it was just a query run to see if the criteria applied. Even so, with the patient unaware this is happening, it is a huge eye opener, and maybe that’s where they come up with these ridiculous reports that half of us in the US have mental problems. We are seeing all types of data being matched and analyzed, and some of it is mismatched and can work against you.
With everyone “marketing their ass off” in healthcare, they dig and create “algorithms for sale” that are not always a correct match; basically they are using rogue algorithms. You can read about the FICO claim below, which combines a patient’s credit rating with free information on the web. They say they can score and determine whether or not you as a patient will take your meds. Fail. This is nothing but marketing and a total mismatch of analytics that will be used to deny drugs and care in order to save money. I have brought this up many times, and for the life of me I guess everyone else is too digitally illiterate to confront this; it is rogue and not proven, only there to make a buck. So what happens if data like this gets out there?
The fact that behavioral analytics are often done outside a big data system leads to problems just like this one at Stanford: the company was trying to sell them some type of analytics service but instead was careless in its own handling of patient data. So would you trust them? Heck no. I can bet Epic, the EHR system installed there, might be glad I wrote this post :) Things are already tough enough around Stanford with the expiration of Blue Cross benefits, so patients will have to start looking elsewhere for care unless a miracle happens or Blue Cross decides to come in and buy up the physicians’ group. That, by the way, is happening all over the US, with insurers buying up MD groups; there have been 3 large ones in the last 4-5 months in southern California. BD
A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.
Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.
Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.
Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection.
The spreadsheet included names, diagnosis codes, account numbers, admission and discharge dates, and billing charges for patients seen at Stanford Hospital’s emergency room during a six-month period in 2009, Mr. Migdol said. It did not include Social Security numbers, birth dates, credit-card numbers or other information used to perpetrate identity theft, he said, but the hospital is offering free identity protection services to affected patients.
The breach was discovered by a patient and reported to the hospital on Aug. 22, according to a letter written four days later to affected patients by Diane Meyer, Stanford Hospital’s chief privacy officer. The hospital took “aggressive steps,” and the Web site removed the post the next day, Ms. Meyer wrote. It also notified state and federal agencies, Mr. Migdol said.