Here's a human error for you: A California consulting firm placed 300,000 medical records in a database that could be accessed via the Internet!
Online access to data is not unusual - thousands of companies use so-called "secure sites" or "virtual private networks" that enable employees to access records from remote locations and clients to view their information online. And the current administration has been pushing medical providers to digitize records, offering bonuses to companies who comply ahead of schedule.
However, somebody at the consulting firm, Southern California Medical-Legal Consultants, which handled workers' comp information for doctors and hospitals seeking payment, left out two basic steps. The database was not password protected, and its pages were left open to indexing by search engines - so those 300,000 files were viewable by anybody who Googled them.
Fortunately, a researcher named Aaron Titus, chief privacy officer at a software company called Identity Finder, discovered this gaping security hole. Instead of exploiting it and selling the information as many criminals would, he reported the breach to the consulting firm - and The Associated Press. The records - doctors' notes, patients' personal data and in some cases, Social Security numbers - were "available to anyone in the world with half a brain and access to Google," Titus told the AP. He described it as "likely a case of felony stupidity."
HIPAA laws require strict security measures to be in place when our medical records are stored and handled. And the consulting firm's CEO said its internal security procedures were not followed. But we all know human errors occur. Human errors, big or small, even something as small as transposing a number, can unleash unintended consequences. What will deter reckless handling of our health records when they are stored and accessed online? If secure procedures are not in place when our data is stored on the information highway, how do we handle the inevitable collision of our online health records and hackers? As criminals get craftier, it's just a matter of time before they figure out how to hack into a system that has a treasure trove of data just waiting to be used for multiple types of intrusive ID theft.
Health insurers and care providers advertise their online health systems as a benefit that provides both cost savings and better care to consumers. Doctors are able to access patients' complete records at their fingertips, saving time and preventing unnecessary tests or harmful drug interactions; patients can do things like track their cholesterol, make appointments and develop a weight-loss plan on their laptops. In a day when we all want everything on our iPhone right away, electronic record-keeping makes sense in a lot of ways. But hearing that info about people's broken bones and sexual dysfunction (I'm not joking) was readily available on Google without even a password? "Human error" hardly seems to cover it.
We can't expect to block access to online health records any better than we have blocked personal finance records and personal identifying information from getting into tech-savvy criminal hands. So let's keep it real and recognize we have real risks that carry real consequences! What happens when patient medical records are erroneously or fraudulently altered? What happens if these records are used to discriminate, deny a job, increase insurance premiums and even blackmail or humiliate people?
As technology advances, we expect speedy, easy access to all sorts of information - on the Internet, cell phones, iPads, and even our home appliances. Technology has allowed us to give our friends and family access to our lives, and take care of many of life's details quickly and easily. But with the pros come cons of all sorts - from privacy invasion to malicious fraud.
We have come to learn that when it comes to our personal lives and personal data, what we share isn't always under our control. We - or someone handling our information - may fall for a scam, click on a virus-infected link, erroneously download malware or learn after the fact that our accounts or identity have been accessed by a hacker. Or maybe we will have the bad luck of having our information provided to a company whose employees are "felony stupid."
We will have far less control if our personal medical records are stored on the information highway. In my opinion, we are all driving blindfolded and headed for an unavoidable collision caused by improperly stored data or those who steal it. Until then, proactive identity theft education and people like Aaron Titus, who detect and then sound the alarm in a manner that both warns potential victims of the leak, and alerts those who need to stop the leak, will be our safety belt - something we should all be thankful for.
Just another example of legislation passed without answers to the "what ifs."
Strong law and no remedy or punishment if broken. What a waste of time and money!
Thanks, Denise, for covering this. I appreciate what you do.
Nicely put! When proposed bills are rammed into legislation without taking into account the 'what ifs' before passage -- consumers are the ones that suffer the consequences. Legislation, like our elected officials, should say what they mean, and mean what they say -- but they rarely do. Thanks for the comment & kind words! Denise