The hospital was unaware any medical records had been stolen…
The steady reports of security breaches of electronic medical records are too numerous to report. The latest one at Cedars-Sinai Medical Center in Los Angeles deserves a special note, though, because the hospital has had a history of problems with breaches of patients’ private medical information and yet, in this latest identity theft, hospital officials were oblivious that the records had even been stolen and were being used for illegal activity until alerted by prosecutors.
It shows, once again, as security experts know, that no electronic system is invulnerable.
This morning, the Los Angeles Times reported that more than 1,000 patients at Cedars-Sinai had had their personal information stolen by a former employee in the hospital’s billing department, which prosecutors allege was being used in an insurance company scheme to submit fraudulent claims for fictitious labwork. Jane Robison, a spokeswoman for the Los Angeles County district attorney's office said their investigation is continuing, and the scope and scale of the alleged theft could grow.
Alexandra Zavis, writing for the LA Times, provided the known details in the full article, but more importantly, put some troubling pieces of this story together:
…Hospitals' increasing reliance on computerized record-keeping has provided new avenues for identity theft and invasions of medical privacy. As recently as May, a Glendale man was convicted of using the names of hundreds of Los Angeles County and city employees to submit fraudulent claims for diagnostic services amounting to more than a quarter-million dollars.
Cedars-Sinai officials said they are serious about their responsibility to protect patients' information. "In this case, it appears the privacy breach was not the result of someone accessing information they should not have accessed, but instead the privacy breach involved an individual illegally using information that he had legitimate access to as part of his job," Chief Financial Officer Edward Prunchunas wrote in the letter that the hospital provided to The Times…
[Prunchunas] said hospital officials had no knowledge of any illegal activity until alerted recently by prosecutors…
The LA Times goes on to report that this renowned hospital has an in-depth security system in place for its electronic medical records and continually evaluates and works to improve it, and has put in place even more security for high-profile patients. Never the less, it “has faced previous problems with breaches of patient confidentiality,” which were described in the article. This problem is not unique to Cedars-Sinai. “Similar problems have surfaced at one of the hospital's major competitors, UCLA Medical Center, where at least 165 staff members have been disciplined for improperly accessing the files of more than 1,000 patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.”
As this latest case illustrates, the problem of electronic medical record security isn’t just curious employees looking at celebrity records or even about the financial costs to patients from identity theft:
When a patient's medical records are compromised, it can hurt more than their wallets, experts warn. Victims of this kind of fraud face a greater risk of injury if doctors make treatment decisions based on incorrect information contained in their records. Many employers also demand access to medical records when making hiring, promotion or benefits decisions, according to the nonprofit Patient Privacy Rights Foundation.
Even though hospitals, clinics and state government systems have proven unable to keep records secure, the U.S. Secretary of Health and Human Services, Mike Leavitt, said the government wants electronic medical records universally accessible nationwide. Writing in the Washington Post yesterday, he said that the government Department of Health and Human Services has prioritized health IT and wants interoperable systems that can share medical records, prescription histories, lab results, imaging and clinical notes on every patient.
He said electronic medical records could save lives and reduce medical errors — claims not supported by evidence, as covered here and here. He also said the government had made substantial progress on establishing a national electronic database and the adoption of EMR among providers, another claim not supported by the facts.
He said Congress is considering adding more money for health information technology to January’s stimulus package. He got one point right: “Before lawmakers act, they need to think.”